06-12-2012 04:38 PM
Hi there,
I have what I thought would be a simple ACL. See the attached overview. I have applied an ACL to a port connected to a Dell switch. All the machines on this Dell switch live on the 172.10.x.x network. I have a single server (on another subnet) hanging off the Cisco switch that I want to allow traffic to as well as a couple of machines hanging off the Cisco that belong to the 172.10.x.x network that need to communicate over to the Dell switch. Here was my thought process:
1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)
2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100 – Ingress
3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress
4 – Apply to port connecting Cisco switch to Dell switch
When I apply the ACL I am unable to ping 172.10.0.50 from 172.20.100.100 - what am I missing?!?!?!
Thanks!
06-20-2012 07:08 AM
The subnet masks in your PDF look weird, the switch is using reverse masking so the address and mask would be,
1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)
but the switch looks at ingress not egress.
2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100 – Ingress
172.10.0.0 mask= 0.0.255.255 to 172.20.100.100 mask=0.0.0.0
3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress
172.20.100.100 mask=0.0.0.0 to 172.10.0.0 mask=0.0.255.255
There are plenty of examples of access-lists for 300 series switches within this community, try a search and see what you get for more examples.
regards Dave
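To make Dave's point about inverse (wildcard) masks concrete, here is an added example (not part of the thread) that matches the addresses from the post against his three entries, with first-match semantics and the implicit deny at the end. It assumes the ACL is evaluated on ingress of the Cisco port facing the Dell switch, as the post describes; the mask conversion shows what a conventional subnet mask would do if it were used where the switch expects a wildcard.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: a 1 bit in the wildcard means 'don't care',
    a 0 bit means 'must match the base address'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def to_wildcard(subnet_mask: str) -> str:
    """Convert a conventional subnet mask (255.255.0.0) to the inverse mask
    the access-list syntax expects (0.0.255.255)."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

# Dave's three permit entries as (src, src_wildcard, dst, dst_wildcard).
ACL = [
    ("172.10.0.0", "0.0.255.255", "172.10.0.0", "0.0.255.255"),      # 172.10.x.x <-> 172.10.x.x
    ("172.10.0.0", "0.0.255.255", "172.20.100.100", "0.0.0.0"),      # 172.10.x.x -> server
    ("172.20.100.100", "0.0.0.0", "172.10.0.0", "0.0.255.255"),      # server -> 172.10.x.x
]

# Constructed counter-example: the same entries with a subnet mask written
# where the switch expects a wildcard. 255.255.0.0 as a wildcard means
# "ignore the first two octets, the last two must be 0.0".
BROKEN_ACL = [(s, "255.255.0.0" if sw == "0.0.255.255" else sw,
               d, "255.255.0.0" if dw == "0.0.255.255" else dw)
              for s, sw, d, dw in ACL]

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching permit entry wins; no match falls to the implicit deny."""
    for s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return True
    return False

def ping_reply_permitted(acl, pinger: str, target: str) -> bool:
    """The ACL is applied on ingress of the port facing the Dell switch, so for a
    ping from the server the echo request leaves unfiltered and only the echo
    reply (target -> pinger) is checked when it arrives back on that port."""
    return acl_permits(acl, src=target, dst=pinger)

if __name__ == "__main__":
    print(to_wildcard("255.255.0.0"))                              # 0.0.255.255
    print(ping_reply_permitted(ACL, "172.20.100.100", "172.10.0.50"))         # True
    print(ping_reply_permitted(BROKEN_ACL, "172.20.100.100", "172.10.0.50"))  # False
```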
06-21-2012 10:05 AM
Sometimes I take things a bit too literally... thanks David.
06-21-2012 10:13 AM
Hi
Sometimes I wish we didn't use inverse masking on ACLs. But I am glad you are up and running.
regards Dave