Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2231
Views
0
Helpful
6
Replies

ACL is not blocking traffic between VLANs

Go to solution
ALIAOF_
Level 6
Level 6

‎02-19-2013 01:58 PM - edited ‎03-07-2019 11:48 AM

I am trying to block traffic from one VLAN to other VLAN's and even  after applying an ACL with "deny ip any any" traffic is still going  through.  Here is my config:

Note:  Both switches are setup in a GLBP configuration

Access List:

ip access-list extended VLAN120_IN

deny ip 10.1.120.0 0.0.0.255 any

Switch 1:

interface vlan 120

ip access-group VLAN120_IN in

Switch 2:

interface vlan 120

ip access-group VLAN120_IN in

Now  when I do a ping to my own laptop and source it from vlan 120 like  this, "ping 10.1.136.72 source vlan 120" I get successful replies.  Any  idea what am I missing here?  Thank you

Note:  I even tried VLAN ACL setup same results.  I can ping the host from one switch(the one that is AVF) but not the the other.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
pille1234
Level 3
Level 3

‎02-19-2013 05:18 PM

Hallo

Mohammad Ali schrieb:

Now  when I do a ping to my own laptop and source it from vlan 120 like  this, "ping 10.1.136.72 source vlan 120" I get successful replies.  Any  idea what am I missing here?  Thank you

That is expected behaviour. The ACL works only for traffic going through the switch, not for switch generated traffic. Try to ping the gateway from a host in vlan 120 and you will get a dest. unreachable message.

Pinging int vlan 120 from outside vlan 120 on the other hand will show you a successful answer.

Regards

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Reza Sharifi
Hall of Fame
Hall of Fame

‎02-19-2013 03:42 PM

If you are trying to block traffic from one vlan to another, try your access-group outbound and test again.

HTH

0 Helpful

Go to solution
ALIAOF_
Level 6
Level 6
In response to Reza Sharifi

‎02-20-2013 08:27 AM

I'm trying to block traffic from VLAN120 to other VLAN's.  So I applied the access-group in as that is supposed to be the traffic from the hosts on the 120VLAN to other VLAN's or is that wrong?

0 Helpful

Go to solution
Shirshendu Nandi
Level 1
Level 1

‎02-19-2013 04:31 PM

what is your Vlan 120 Ip adress range configured

0 Helpful

Go to solution
ALIAOF_
Level 6
Level 6
In response to Shirshendu Nandi

‎02-20-2013 08:28 AM

VLAN 120 IP range is 10.1.120.0/24

0 Helpful

Go to solution
pille1234
Level 3
Level 3

‎02-19-2013 05:18 PM

Hallo

Mohammad Ali schrieb:

Now  when I do a ping to my own laptop and source it from vlan 120 like  this, "ping 10.1.136.72 source vlan 120" I get successful replies.  Any  idea what am I missing here?  Thank you

That is expected behaviour. The ACL works only for traffic going through the switch, not for switch generated traffic. Try to ping the gateway from a host in vlan 120 and you will get a dest. unreachable message.

Pinging int vlan 120 from outside vlan 120 on the other hand will show you a successful answer.

Regards

0 Helpful

Go to solution
ALIAOF_
Level 6
Level 6
In response to pille1234

‎02-20-2013 08:53 AM

Thank you that was it .

0 Helpful
Customers Also Viewed These Support Documents