cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
241
Views
0
Helpful
3
Replies
Highlighted
Beginner

ACL issue

Hello!

I am using a Catalyst 4506 with three vlans, I applied an ACL on one vlan that I want the traffic to get blocked but it is not working. Do you have an idea why? This is the config I have:

!

int vlan 5

description Vlan5
ip address 10.10.91.129 255.255.255.128
ip access-group 110 out
ip helper-address 172.21.100.50

int vlan 6

description Vlan6
ip address 10.10.128.1 255.255.255.0
ip helper-address 10.10.129.1
!

access-list 110 deny   ip 10.10.91.128 0.0.0.127 10.10.128.0 0.0.0.255

With this configuration I can still ping int vlan 6 sourcing traffic from vlan 6, which should not happened as the ACL on place should block the traffic...

#ping 10.10.128.1 so vlan 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.128.1, timeout is 2 seconds:
Packet sent with a source address of 10.10.91.129
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Thanks!

3 REPLIES 3
Highlighted
Rising star

Re: ACL issue

ACL in wrong direction. Try

Int vlan 5

Access-group 110 in

Should fox it.

Sent from Cisco Technical Support iPhone App

Highlighted

Re: ACL issue

Hi,

YES, you need to apply the access-list in below direction.

Int vlan 5
Access-group 110 in


See the below difference between ip access-group in & out.

When you apply an ACL "in", the router examines all traffic it RECEIVES on the interface against the ACL.

When you apply an ACL "out" on an interface the router examines any traffic attempting to leave that interface against the ACL.


Please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

Highlighted

Re: ACL issue

Any way you apply that ACL will have no impact on the traffic generated locally.

You can test this by connecting a PC to Vlan 5 and try pinging from that PC. You will see that applying the ACL on outbound direction will have no impact. If you apply the ACL inbound you will see the traffic being denied ( %SEC-6-IPACCESSLOGDP: list 110 denied icmp 10.10.91.130 -> 10.10.128.1 (0/0), 1 packet). I've used 10.10.91.130 for that PC.

BTW: be careful that if your ACL has only deny statements will drop all the traffic as it has an implicit deny any at the end.

Content for Community-Ad