ACL issue

hugoramirez
Level 1

Hello!

I am using a Catalyst 4506 with three VLANs. I applied an ACL on one VLAN whose traffic I want blocked, but it is not working. Do you have an idea why? This is the config I have:

!
int vlan 5
 description Vlan5
 ip address 10.10.91.129 255.255.255.128
 ip access-group 110 out
 ip helper-address 172.21.100.50
!
int vlan 6
 description Vlan6
 ip address 10.10.128.1 255.255.255.0
 ip helper-address 10.10.129.1
!
access-list 110 deny   ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255

With this configuration I can still ping int vlan 6 sourcing traffic from vlan 6, which should not happen, as the ACL in place should block the traffic...

#ping 10.10.128.1 so vlan 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.128.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.91.129
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Thanks!

3 Replies

Antonio Knox
Level 7

ACL in wrong direction. Try

Int vlan 5
Access-group 110 in

Should fix it.

Sent from Cisco Technical Support iPhone App

Hi,

Yes, you need to apply the access-list in the direction below.

Int vlan 5
Access-group 110 in

See below for the difference between ip access-group in and out.

When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.

When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.


Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

Whichever way you apply that ACL, it will have no impact on traffic generated locally.

You can test this by connecting a PC to Vlan 5 and trying to ping from that PC. You will see that applying the ACL in the outbound direction has no impact. If you apply the ACL inbound you will see the traffic being denied ( %SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.10.91.130 -> 10.10.128.1 (0/0), 1 packet). I've used 10.10.91.130 for that PC.

BTW: be careful that if your ACL has only deny statements it will drop all the traffic, as it has an implicit deny any at the end.
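As an added illustration (not code from the thread or from Cisco), a small Python model of the two SVIs and ACL 110 above that exercises the three points the replies make: inbound versus outbound evaluation, traffic the switch itself generates bypassing the interface ACL, and the implicit deny at the end of an ACL that holds only deny entries. The INTERFACES table, the simplified forward() model, and ACL_110_FIXED (the deny followed by an explicit permit) are assumptions; the addresses are the thread's and 10.10.91.130 is the PC address the last reply used.

```python
import ipaddress
INTERFACES = {  # constructed model of the switch: interface -> (SVI address, subnet)
    "vlan5": ("10.10.91.129", "10.10.91.128/25"),
    "vlan6": ("10.10.128.1", "10.10.128.0/24"),
}
ANY = "0.0.0.0 255.255.255.255"
ACL_110 = [("deny", "10.10.91.128 0.0.0.127", "10.10.128.0 0.0.0.255")]
ACL_110_FIXED = ACL_110 + [("permit", ANY, ANY)]  # assumed fix: explicit permit after the deny
LOCAL_ADDRESSES = {ip for ip, _ in INTERFACES.values()}

def wildcard_match(addr, spec):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored."""
    base, wild = spec.split()
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a | w) == (b | w)

def evaluate(acl, src, dst):
    """First matching entry wins; with no match the ACL ends in an implicit deny."""
    for action, src_spec, dst_spec in acl:
        if wildcard_match(src, src_spec) and wildcard_match(dst, dst_spec):
            return action
    return "deny (implicit)"

def connected_interface(addr):
    for name, (_, subnet) in INTERFACES.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(subnet):
            return name

def forward(src, dst, applied):
    """applied maps (interface, 'in' | 'out') -> ACL. Returns the packet's fate.
    Packets the switch itself generates bypass the interface ACLs (the author's ping)."""
    if src in LOCAL_ADDRESSES:
        return "forwarded (locally generated, ACLs not consulted)"
    ingress, egress = connected_interface(src), connected_interface(dst)
    acl = applied.get((ingress, "in"))
    if acl and evaluate(acl, src, dst) != "permit":
        return f"dropped by inbound ACL on {ingress}"
    if dst in LOCAL_ADDRESSES:  # destined to the switch: never leaves an interface
        return "delivered to the switch itself (no outbound ACL applies)"
    acl = applied.get((egress, "out"))
    if acl and evaluate(acl, src, dst) != "permit":
        return f"dropped by outbound ACL on {egress}"
    return f"forwarded toward {dst}"

if __name__ == "__main__":
    pc = "10.10.91.130"  # the PC address the last reply used
    print(forward(pc, "10.10.128.1", {("vlan5", "out"): ACL_110}))
    print(forward(pc, "10.10.128.1", {("vlan5", "in"): ACL_110}))
    print(forward(pc, "172.21.100.50", {("vlan5", "in"): ACL_110}))
```

The third print shows the last reply's caveat: with only a deny entry, the PC's traffic to the DHCP helper address is dropped by the implicit deny, and it passes only with ACL_110_FIXED.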
