Solved: access list on inter vlan routing

mehmoodch · ‎12-12-2012

I implemented access list on cisco 3560 switch but it never works.

I want to block access from network B to Network A and allow from Ato B

Network A. 10.0.12.0/24

Network B 10.0.24.0/24

The configuration is

interface Vlan1

description Data VLAN

ip address 10.0.12.10 255.255.255.0

!

interface Vlan24

description training VLAN

ip address 10.0.24.10 255.255.255.0

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.0.12.1

ip http server

ip http secure-server

!

ip sla enable reaction-alerts

access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

Is there any idea that I can block access from 10.0.24.0/24 t0 10.0.12.0/24

kcnajaf · ‎12-12-2012

Hi Mahmood,

I can see that you have created the access-list but you have not applied this on the interface with "ip access-group" command. For this to work you need to apply the acl on the L3 interface as below.

So modify you configuration as below.

no access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

!

interface Vlan24

description training VLAN

ip address 10.0.24.10 255.255.255.0

ip access-group 101 in

Regards

Najaf

Please rate when applicable or helpful !!!

View solution in original post

cadet alain · ‎12-12-2012

Hi Mahmood,

You're gonna have another problem here which is that ACL are stateless and that ip connectivity is a bidirectionnal process so for example with Najaf config you're going to block all IP traffic from Network B to network A but also all return traffic in response to Network A initiated traffic so you'll end up blocking traffic in both directions.

you can workaround this by allowing icmp replies and using the tcp established keyword as well as return udp traffic if needed.

Regards.

Alain

Don't forget to rate helpful posts.

View solution in original post

kcnajaf · ‎12-12-2012

Hi Mahmood,

I can see that you have created the access-list but you have not applied this on the interface with "ip access-group" command. For this to work you need to apply the acl on the L3 interface as below.

So modify you configuration as below.

no access-list 101 permit ip 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny ip 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

!

interface Vlan24

description training VLAN

ip address 10.0.24.10 255.255.255.0

ip access-group 101 in

Regards

Najaf

Please rate when applicable or helpful !!!

mehmoodch · ‎12-12-2012

Hi najaf

Thanks for yor reply

Its worked and blocked access from network B-A. But it blcoked access from network A-B as well but I want this access to be opened.

cadet alain · ‎12-12-2012

Hi Mahmood,

You're gonna have another problem here which is that ACL are stateless and that ip connectivity is a bidirectionnal process so for example with Najaf config you're going to block all IP traffic from Network B to network A but also all return traffic in response to Network A initiated traffic so you'll end up blocking traffic in both directions.

you can workaround this by allowing icmp replies and using the tcp established keyword as well as return udp traffic if needed.

Regards.

Alain

Don't forget to rate helpful posts.

mehmoodch · ‎12-12-2012

I have changed my access-list as

access-list 101 permit icmp any any

access-list 101 permit tcp 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 permit udp 10.0.12.0 0.0.0.255 10.0.24.0 0.0.0.255

access-list 101 deny tcp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 deny udp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255

access-list 101 permit ip any any

Its working fine

Thanks alot

kcnajaf · ‎12-12-2012

Hi Mahmood,

Glad that you have figured this out :-)

Regards

Najaf

mehmoodch · ‎12-12-2012

Thanks for your co-operation

mehmoodch · ‎12-14-2012

Hi

I tested and still I cant acess from Net A to B and Net B to A

Only net A and B can ping each other. may be something wrong in the ACL

cadet alain · ‎12-14-2012

Hi,

no access-list 101

access-list 101 permit icmp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 echo-reply

access-list 101 permit tcp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 established

int vlan 24

ip access-group 101

Have you got any routing protocol on Vlan24? if so don't forget to permit them inbound too as well as telnet/shh to the switch SVI if you need to.Concerning UDP you may have to permit return traffic if needed like DNS replies, DHCP replies

Regards.

Alain

Don't forget to rate helpful posts.

kek · ‎12-14-2012

Hi Mahmood

I am also facing the same problem , unable to access from network A to network B vice versa.

Regards
Devendra

Sent from Cisco Technical Support iPhone App

mehmoodch · ‎12-14-2012

Hi

I applied the below access-list and now I can gom from A-B and not B to A

but one more problem arised that no PC can get IP addredd from DHCP.

I have to configure IP address manualy and DHCP stopped working

no access-list 101

access-list 101 permit icmp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 echo-reply

access-list 101 permit tcp 10.0.24.0 0.0.0.255 10.0.12.0 0.0.0.255 established

int vlan 24

ip access-group 101

shillings · ‎12-14-2012

I think you must enable BOOTP messages from the network B clients to the network A server. Try this for starters:

permit udp any eq bootpc any eq bootps

You could also pin it down more afterwards.

kek · ‎12-14-2012

Thanks for your reply

Still problem persists , unable to access network B from network A

Sent from Cisco Technical Support iPhone App

kek · ‎12-14-2012

Hi Mahmood

I have tried your below response but still I unable to access network from network A to network B.

One mor thing you have mentioned between the line
Int vlan 24
Ip access-group 101 ?
It will be inbound or outbound

Thanks for your reply

Regards
Devendra Singh

Sent from Cisco Technical Support iPhone App

mehmoodch · ‎12-14-2012

it should be in