cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
30159
Views
10
Helpful
14
Replies

access list on inter vlan routing

mehmoodch
Level 1
Level 1

I implemented access list on cisco 3560 switch but it never works.

I want to block access from network B to Network A and allow from Ato B

Network A. 10.0.12.0/24

Network B 10.0.24.0/24

The configuration is

interface Vlan1

description Data VLAN

ip address 10.0.12.10 255.255.255.0

!

interface Vlan24

description training VLAN

ip address 10.0.24.10 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.12.1

ip http server

ip http secure-server

!

ip sla enable reaction-alerts

access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny   ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

Is there any idea that I can block access from 10.0.24.0/24 t0 10.0.12.0/24

2 Accepted Solutions

Accepted Solutions

kcnajaf
Level 7
Level 7

Hi Mahmood,

I can see that you have created the access-list but you have not applied this on the interface with "ip access-group" command. For this to work you need to apply the acl on the L3 interface as below.

So modify you configuration as below.

no access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny   ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

!

interface Vlan24

description training VLAN

ip address 10.0.24.10 255.255.255.0

ip access-group 101 in

Regards

Najaf

Please rate when applicable or helpful !!!

View solution in original post

cadet alain
VIP Alumni
VIP Alumni

Hi Mahmood,

You're gonna have another problem here which is that ACL are stateless and that ip connectivity is a bidirectionnal process so for example with Najaf config you're going to block all IP traffic  from Network B to network A but also all return traffic in response to Network A initiated traffic so you'll end up blocking traffic in both directions.

  you can workaround this by allowing icmp replies and using the tcp established keyword  as well as return udp traffic if needed.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

14 Replies 14

kcnajaf
Level 7
Level 7

Hi Mahmood,

I can see that you have created the access-list but you have not applied this on the interface with "ip access-group" command. For this to work you need to apply the acl on the L3 interface as below.

So modify you configuration as below.

no access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny   ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

!

interface Vlan24

description training VLAN

ip address 10.0.24.10 255.255.255.0

ip access-group 101 in

Regards

Najaf

Please rate when applicable or helpful !!!

Hi najaf

Thanks for yor reply

Its worked and blocked access from network B-A. But it blcoked access from network A-B as well but I want this access to be opened.

cadet alain
VIP Alumni
VIP Alumni

Hi Mahmood,

You're gonna have another problem here which is that ACL are stateless and that ip connectivity is a bidirectionnal process so for example with Najaf config you're going to block all IP traffic  from Network B to network A but also all return traffic in response to Network A initiated traffic so you'll end up blocking traffic in both directions.

  you can workaround this by allowing icmp replies and using the tcp established keyword  as well as return udp traffic if needed.

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

I have changed my access-list as

access-list 101 permit icmp any any

access-list 101 permit tcp 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 permit udp 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny tcp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 deny udp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

Its working fine

Thanks alot

Hi Mahmood,

Glad that you have figured this out :-)

Regards

Najaf

Thanks for your co-operation

mehmoodch
Level 1
Level 1

Hi

I tested and still I cant acess from Net A to B and Net B to A

Only net A and B can ping each other. may be something wrong in the ACL

Hi,

no access-list 101

access-list 101 permit icmp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 echo-reply

access-list 101 permit tcp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 established

int vlan 24

ip access-group 101

Have you  got any routing protocol on Vlan24? if so don't forget to permit them  inbound too as well as telnet/shh to the switch SVI if you need  to.Concerning UDP you may have to permit return traffic if needed like  DNS replies, DHCP replies

Regards.

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Hi Mahmood

I am also facing the same problem , unable to access from network A to network B vice versa.

Regards
Devendra

Sent from Cisco Technical Support iPhone App

mehmoodch
Level 1
Level 1

Hi

I applied the below access-list and now I can gom from A-B and not B to A

but one more problem arised that no PC can get IP addredd from DHCP.

I have to configure IP address manualy and DHCP stopped working

no access-list 101

access-list 101 permit icmp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 echo-reply

access-list 101 permit tcp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 established

int vlan 24

ip access-group 101

I think you must enable BOOTP messages from the network B clients to the network A server. Try this for starters:

permit udp any eq bootpc any eq bootps

You could also pin it down more afterwards.

Thanks for your reply

Still problem persists , unable to access network B from network A

Sent from Cisco Technical Support iPhone App

kek
Level 1
Level 1

Hi Mahmood

I have tried your below response but still I unable to access network from network A to network B.

One mor thing you have mentioned between the line
Int vlan 24
Ip access-group 101 ?
It will be inbound or outbound

Thanks for your reply

Regards
Devendra Singh

Sent from Cisco Technical Support iPhone App

it should be in