05-05-2011 03:06 PM - edited 03-06-2019 04:55 PM
Hello!
I am using a Catalyst 4506 with three VLANs. I applied an ACL on one VLAN whose traffic I want blocked, but it is not working. Do you have an idea why? This is the config I have:
!
int vlan 5
description Vlan5
ip address 10.10.91.129 255.255.255.128
ip access-group 110 out
ip helper-address 172.21.100.50
int vlan 6
description Vlan6
ip address 10.10.128.1 255.255.255.0
ip helper-address 10.10.129.1
!
access-list 110 deny ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255
With this configuration I can still ping int vlan 6 sourcing traffic from vlan 6, which should not happen, as the ACL in place should block the traffic...
#ping 10.10.128.1 so vlan 5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.128.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.91.129
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Thanks!
05-05-2011 06:01 PM
ACL is in the wrong direction. Try
Int vlan 5
Access-group 110 in
Should fix it.
Sent from Cisco Technical Support iPhone App
05-06-2011 12:07 AM
Hi,
YES, you need to apply the access-list in the direction below.
Int vlan 5
Access-group 110 in
See the difference below between ip access-group in and out.
When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.
When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.
Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.
05-06-2011 12:46 AM
Whichever way you apply that ACL, it will have no impact on locally generated traffic.
You can test this by connecting a PC to VLAN 5 and pinging from that PC. You will see that applying the ACL in the outbound direction has no impact. If you apply the ACL inbound you will see the traffic being denied ( %SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.10.91.130 -> 10.10.128.1 (0/0), 1 packet). I've used 10.10.91.130 for that PC.
BTW: be careful that if your ACL has only deny statements it will drop all the traffic, as it has an implicit deny any at the end.
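As an added illustration of the three points made in this thread (ACL direction on an SVI, router-originated traffic bypassing the ACL, and the implicit deny at the end of a deny-only list), here is a small Python model of the posted topology. It is not code from the thread or from Cisco; the evaluator is a simplified stand-in for IOS ACL processing, and host 10.10.91.130 is the PC address the last reply used.

```python
import ipaddress

# Constructed model of the thread's SVIs: a packet enters the SVI of the
# VLAN its source lives in and leaves via the SVI of its destination VLAN.
SVI = {
    "vlan5": ipaddress.ip_network("10.10.91.128/25"),   # 0.0.0.127 wildcard
    "vlan6": ipaddress.ip_network("10.10.128.0/24"),    # 0.0.0.255 wildcard
}

# access-list 110 as posted; the implicit "deny ip any any" is supplied by
# the evaluator rather than listed here, just as IOS does.
ACL_110 = [("deny", "10.10.91.128/25", "10.10.128.0/24")]

def acl_permits(acl, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if s_ip in ipaddress.ip_network(s_net) and d_ip in ipaddress.ip_network(d_net):
            return action == "permit"
    return False

def svi_for(addr):
    """SVI whose subnet contains addr, or None if routed elsewhere."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in SVI.items() if ip in net), None)

def forward(src, dst, bindings, router_originated=False):
    """True if the packet is forwarded, False if an ACL drops it.

    bindings maps (svi_name, "in"|"out") to an ACL.  Traffic the switch
    itself generates (the OP's 'ping ... so vlan 5') is never checked,
    which is why the OP's test could not show the ACL working.
    """
    if router_originated:
        return True
    acl = bindings.get((svi_for(src), "in"))
    if acl is not None and not acl_permits(acl, src, dst):
        return False
    acl = bindings.get((svi_for(dst), "out"))
    if acl is not None and not acl_permits(acl, src, dst):
        return False
    return True

if __name__ == "__main__":
    pc, vlan6_svi = "10.10.91.130", "10.10.128.1"
    print("ACL 110 out on vlan5:", forward(pc, vlan6_svi, {("vlan5", "out"): ACL_110}))
    print("ACL 110 in  on vlan5:", forward(pc, vlan6_svi, {("vlan5", "in"): ACL_110}))
    print("switch-sourced ping :", forward("10.10.91.129", vlan6_svi,
                                           {("vlan5", "in"): ACL_110}, True))
```

The last scenario worth trying is the PC reaching the DHCP helper 172.21.100.50 with ACL 110 applied inbound: it is dropped too, because the deny-only list ends in the implicit deny any.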