
ACL on SVI

ciscoenginner79
Level 1

Hi Guys.

 

I have an issue with an ACL on an SVI. I know it has been asked many times, but please help me with my example so I can understand it better.

 

I have three VLANs:

 

10 Sales

20 Accounting

30 Marketing

 

Before I applied the ACL on the SVI, I could ping all end devices. Then:

 

applied ACL

ip access-list extended PERMIT_SALES_MARKETING
permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

 

on

 

interface Vlan10
ip address 172.16.1.100 255.255.255.0
ip access-group PERMIT_SAL_MAR in

 

Worked as it should.

 

Then:

 

applied the next ACL

 

ip access-list extended PERMIT_ACC_SAL_MAR
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255

 

on

 

interface Vlan20
 ip address 172.16.2.100 255.255.255.0
 ip access-group PERMIT_ACC_SAL_MAR out

 

and when I tried to ping end devices on VLAN 20 I got:

Request timed out.

 

 

Thanks for help
Accepted Solution

Hello


@ciscoenginner79 wrote:
Hi Paul. You are right. But is there a chance to allow VLAN 20 to reach VLAN 10, but not VLAN 10 to reach VLAN 20?

So in that case you need to amend your RACLs.

Try this if applicable to you:

no ip access-list extended PERMIT_SALES_MARKETING
ip access-list extended PERMIT_SALES_MARKETING
permit ip 172.16.3.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.0.255 any

interface Vlan10
ip address 172.16.1.100 255.255.255.0
no ip access-group PERMIT_SAL_MAR in
ip access-group PERMIT_SAL_MAR OUT


no ip access-list extended PERMIT_ACC_SAL_MAR
ip access-list extended PERMIT_ACC_SAL_MAR
permit tcp 172.16.1.0 0.0.0.255 any  established  (note only allow tcp connections)
deny tcp 192.168.1.0 0.0.0.255 any
permit ip 172.16.3.0 0.0.0.255 any


interface Vlan20
no ip access-group PERMIT_ACC_SAL_MAR IN
ip access-group PERMIT_ACC_SAL_MAR OUT

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


23 Replies

From where are you pinging the end devices on Vlan 20, that is, what is your source IP address?

Hi, I ping from VLAN 20, IP 172.16.2.11, to VLAN 10, 172.16.1.10.
Before I applied the second ACL, the ping was OK.

Just to be sure, are you trying to apply both ACLs at the same time? You can only apply one ACL inbound and one ACL outbound on the same interface.

 

To avoid confusion, can you post the full configuration of your device?

One ACL is on VLAN 10 and one on VLAN 20.

The configuration is:

 

Current configuration : 2148 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree vlan 20 priority 24576
spanning-tree vlan 10 priority 28672
!
!
!
!
interface FastEthernet0/1
 channel-group 1 mode on
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 channel-group 1 mode on
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 172.16.1.100 255.255.255.0
 ip access-group PERMIT_SAL_MAR in
!
interface Vlan20
 ip address 172.16.2.100 255.255.255.0
 ip access-group PERMIT_ACC_SAL_MAR in
 ip access-group PERMIT_ACC_SAL_MAR out
!
interface Vlan30
 ip address 172.16.3.100 255.255.255.0
!
interface Vlan100
 ip address 192.168.1.110 255.255.255.0
!
ip classless
!
!
ip access-list extended PERMIT_SALES_MARKETING
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
ip access-list extended PERMIT_ACC_SAL_MAR
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

 

 

Julio E. Moisa
VIP Alumni

Hi

It should be in:

ip access-group PERMIT_ACC_SAL_MAR out  <---- in instead of out.

 

ICMP is reciprocal, it works in two directions. Modify that and please try again.

 

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<
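To make the direction semantics concrete, here is an added Python model (not from the thread, the poster's device, or Cisco) that evaluates the poster's ACLs the way IOS applies them to SVIs: first match wins, implicit deny at the end, wildcard masks, and the `established` keyword used in the accepted answer. It assumes an ACL name that is bound but never defined permits all traffic, which is how IOS behaves; the sample ACLs and SVIs are constructed from the running-config in the thread.

```python
import ipaddress

def _addr(t, i):  # 'any' or 'network wildcard' at t[i] -> (net, wildcard, next index)
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def parse_ace(line):  # e.g. 'permit tcp 172.16.1.0 0.0.0.255 any established'
    t = line.split()
    snet, swild, i = _addr(t, 2)
    dnet, dwild, i = _addr(t, i)
    return {"action": t[0], "proto": t[1], "src": (snet, swild), "dst": (dnet, dwild),
            "established": "established" in t[i:]}

def _match(addr, net, wild):  # Cisco wildcard: 0 bits must match, 1 bits are don't-care
    keep = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & keep) == (net & keep)

def evaluate(acl, pkt):
    """First matching ACE wins; an undefined ACL name (None) permits all, as IOS does."""
    if acl is None:
        return "permit"
    for ace in acl:
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if ace["established"] and not (pkt["proto"] == "tcp" and pkt.get("established")):
            continue  # 'established' only matches TCP segments with ACK or RST set
        if _match(pkt["src"], *ace["src"]) and _match(pkt["dst"], *ace["dst"]):
            return ace["action"]
    return "deny"  # implicit deny at the end of every ACL

def ping_check(svis, src, dst):
    """Trace an ICMP echo and its reply; 'in' is checked on the sender's SVI, 'out' on the receiver's."""
    vlan_of = lambda ip: next(v for v, s in svis.items()
                              if ipaddress.ip_address(ip) in ipaddress.ip_network(s["subnet"]))
    drops = []
    for name, a, b in (("echo", src, dst), ("echo-reply", dst, src)):
        pkt = {"src": a, "dst": b, "proto": "icmp"}
        for vlan, direction in ((vlan_of(a), "in"), (vlan_of(b), "out")):
            if evaluate(svis[vlan].get(direction), pkt) == "deny":
                drops.append(f"{name} {a}->{b} dropped by Vlan{vlan} {direction} ACL")
    return drops

# Constructed from the poster's running-config: PERMIT_SAL_MAR on Vlan10 is never defined (permit-all); Vlan20 filters in and out.
ACLS = {"PERMIT_ACC_SAL_MAR": [parse_ace(l) for l in (
    "permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255")]}
SVIS = {10: {"subnet": "172.16.1.0/24", "in": ACLS.get("PERMIT_SAL_MAR")},
        20: {"subnet": "172.16.2.0/24", "in": ACLS["PERMIT_ACC_SAL_MAR"],
             "out": ACLS["PERMIT_ACC_SAL_MAR"]}}
```

`ping_check(SVIS, "172.16.2.11", "172.16.1.10")` reports that the echo request passes but the echo reply, sourced from 172.16.1.10, is dropped by the out ACL on Vlan20, because that ACL only permits sources in 172.16.2.0/24.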

Hi, I changed it to in and the result is the same: request timed out.

 

OK, can you apply this ACL and try again:

 

access-list 100 permit ip any any 

 

inter vlan 10

ip access-group 100 out

 

inter vlan 20

ip access-group 100 out

 

 

or try this instead of ip any any:

 

access-list 100 permit icmp any any 

access-list 100 permit icmp any any echo

access-list 100 permit icmp any any echo-reply

 

 





It works, but I want:

VLAN 10 access to VLAN 30 only.

VLAN 20 access to VLAN 10 and 30.

VLAN 30 access to VLAN 10 only.

 

 

I will send you configuration:

 

Current configuration : 2118 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Switch
!
!
!
!
!
ip routing
!
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree vlan 20 priority 24576
spanning-tree vlan 10 priority 28672
!
!
!
!
interface FastEthernet0/1
 channel-group 1 mode on
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 channel-group 1 mode on
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 172.16.1.100 255.255.255.0
 ip access-group 100 out
!
interface Vlan20
 ip address 172.16.2.100 255.255.255.0
 ip access-group 100 out
!
interface Vlan30
 ip address 172.16.3.100 255.255.255.0
!
interface Vlan100
 ip address 192.168.1.110 255.255.255.0
!
ip classless
!
!
ip access-list extended PERMIT_SALES_MARKETING
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
ip access-list extended PERMIT_ACC_SAL_MAR
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 100 permit ip any any
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end

 


OK, for example, remove ACL 100 from SVI 10; it should be:

 

ip access-list extended PERMIT_SALES_MARKETING
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

 

ip access-list extended PERMIT_MARKETING_SALES

permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

 

int vlan 10

ip access-group PERMIT_SALES_MARKETING in

ip access-group PERMIT_MARKETING_SALES  out

 

int vlan 30

ip access-group PERMIT_SALES_MARKETING out

ip access-group PERMIT_MARKETING_SALES  in

 

Test communication between VLAN 10 and 30.





Hi, the ping fails.

Please try again including these lines:

 

ip access-list extended PERMIT_SALES_MARKETING
 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255

 permit icmp 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255 

 

ip access-list extended PERMIT_MARKETING_SALES

permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

permit icmp 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255





Hello,

 

I recreated your setup, and the access lists seem to work. That said, have a look at your configuration. It looks like you are applying a non-existent access list to interface Vlan 10... or is this a typo?

 

interface Vlan10
ip address 172.16.1.100 255.255.255.0
ip access-group PERMIT_SAL_MAR in

!

interface Vlan20
ip address 172.16.2.100 255.255.255.0
ip access-group PERMIT_ACC_SAL_MAR in
ip access-group PERMIT_ACC_SAL_MAR out
!
interface Vlan30
ip address 172.16.3.100 255.255.255.0
!
interface Vlan100
ip address 192.168.1.110 255.255.255.0
!
ip access-list extended PERMIT_SALES_MARKETING
permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
ip access-list extended PERMIT_ACC_SAL_MAR
permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255

Ping from VLAN 30 to VLAN 10 is blocked by the ACL: destination host unreachable.
From VLAN 10 to 30: request timed out.