Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
889
Views
0
Helpful
5
Replies

IP Access-list applied outbound is blocking traffic inbound

CSCO12322782
Level 1
Level 1

‎03-28-2019 07:59 AM

!
interface Vlan304
ip address 10.34.4.1 255.255.255.0
ip helper-address 10.34.0.32
no ip redirects
ntp broadcast client
!
interface Vlan305
description 5Th Floor Closet B
ip address 10.34.5.1 255.255.255.0
ip access-group SEC-SEGMENTATION-L1 out
ip helper-address 10.34.0.32
no ip redirects
ntp broadcast client
!

Even thought the ACL is applied out the access is being blocked from vlan 304 to vlan 305 on the same switch.

Labels:
0 Helpful
5 Replies 5

Seb Rupik
VIP Alumni
VIP Alumni

‎03-28-2019 08:03 AM

Hi there,

it is probably the return traffic which is being blocked. Remember it is not a stateful firewall.

 

Care to share the contents of the ACL?

 

cheers,

Seb.

0 Helpful

amikat
Level 7
Level 7

‎03-28-2019 03:08 PM

Hi,

Please note that an ACL applied outbound on the Vlan305 interface filters traffic to clients/machines on that vlan. Consequently your SEC-SEGMENTATION-L1 ACL filters traffic from anywhere (including Vlan304) to the Vlan305 clients/machines.

Best regards,

Antonin

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni

‎03-28-2019 10:06 PM

Hi,

interface Vlan305
ip access-group SEC-SEGMENTATION-L1 out

Here is the word "OUT" is saying that any traffic which is Going FROM VLAN 305 to 304 will scan and blocked if required.

Even thought the ACL is applied out the access is being blocked from vlan 304 to vlan 305 on the same switch

Something seems wrong in the ACL configuration. 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame
In response to Deepak Kumar

‎03-29-2019 03:49 AM

"Here is the word "OUT" is saying that any traffic which is Going FROM VLAN 305 to 304 will scan and blocked if required."

BTW, believe Antonin is correct, i.e. it's traffic going to VLAN 305, not from it.
0 Helpful

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎03-29-2019 03:45 AM - edited ‎03-29-2019 03:47 AM

"Even thought the ACL is applied out the access is being blocked from vlan 304 to vlan 305 on the same switch."

Well, as Seb asked, without seeing your ACL, cannot say why it's happening. However, (as also noted by Antonin) traffic going to VLAN 305 ports would be subject to the "out", so traffic from VLAN 304 would be subject to the "out" ACL on VLAN 305. Also as noted by Seb, assuming there's two way traffic between VLANs 304 and 305, the ACL on VLAN 305 will process at least one "direction" of that traffic. I.e. VLAN 304 to 305 would be processed by the ACL as would VLAN 305 to 304's return traffic.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card