02-25-2014 07:34 PM - edited 03-07-2019 06:24 PM
Hi all;
Suppose I have the two following subnets:
Subnet A: 172.16.10.0/24
Subnet B: 172.16.20.0/24
Now I create the following access list:
ip access-list standard 10
 deny 172.16.10.0 0.0.0.255
 permit any
Now I apply the above ACL in VLAN 20 as follows:
ip access-group 10 in
But when I ping a system in VLAN 20 from VLAN 10, the ping operation is successful!!!
Now I alter the ACL as follows:
 deny 172.16.10.0 0.0.255.255
 permit any
In this case, when I apply the ACL on VLAN 20, the traffic between VLAN 10 and VLAN 20 is restricted...
Can anyone explain this behavior?
Thanks
02-25-2014 11:15 PM
Hi,
You are using a standard ACL which only matches on source IP.
In the first ACL you deny 172.16.10.x as source IPs, but there never will be packets with these IPs as source that will enter VLAN 20, so the second line is hit, which is permit any.
Now your second ACL is matching 172.16.x.x as source, and in this case when 172.16.20.x is seen as source entering VLAN 20 there is a hit and the packet is denied.
Regards
Alain
Don't forget to rate helpful posts.
02-26-2014 12:45 AM
In both ACLs the clients are the same with same IP Addressing (one of them is 172.16.10.20/24 and another is 172.16.20.20/24). The same rule also applies when I use extended ACL.
Any ideas?
Thanks
02-26-2014 12:56 AM
Hi,
As I said before, your first ACL is denying 172.16.10.x, so when a source of 172.16.20.x is entering the interface with the ingress ACL, there is no hit on the deny as the 3rd octet is not matching, so it matches the next entry, which is permit any.
Now in the 2nd ACL, when 172.16.20.x is entering the interface it matches the deny, as you are denying 172.16.x.x.
Regards
Alain
Don't forget to rate helpful posts.
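The following is an added worked example, not part of either post in this thread, that models what both replies describe: a standard ACL matches only on source address, wildcard bits set to 1 are "don't care", and an ACL applied inbound on the VLAN 20 interface only sees packets sourced from VLAN 20 hosts (the echo reply), never the echo request from VLAN 10. The host addresses 172.16.10.20 and 172.16.20.20 are taken from the thread; the ACL evaluation and the direction model are simplified assumptions written for illustration.

```python
import ipaddress

# Wildcard-mask match as used by Cisco standard ACLs: a 1 bit in the
# wildcard means "ignore this bit", a 0 bit means "must match exactly".
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)

# A standard ACL is an ordered list of (action, base, wildcard) entries
# evaluated top-down on the SOURCE address only; the first hit wins and
# an unmatched packet falls through to the implicit deny at the end.
def evaluate_standard_acl(acl, src: str) -> str:
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"   # implicit deny

ANY = ("permit", "0.0.0.0", "255.255.255.255")

# The two ACLs from the original post.
ACL_FIRST = [("deny", "172.16.10.0", "0.0.0.255"), ANY]
ACL_SECOND = [("deny", "172.16.10.0", "0.0.255.255"), ANY]

# Constructed model of the ping described in the thread, with the ACL
# applied "in" on the VLAN 20 interface. Inbound on VLAN 20 means packets
# that VLAN 20 hosts send towards the router, i.e. the echo reply.
def simulate_ping(acl, requester="172.16.10.20", target="172.16.20.20"):
    # Echo request: sourced by the VLAN 10 host, enters the router on the
    # VLAN 10 interface, so an inbound ACL on VLAN 20 never inspects it.
    request_result = "permit"
    # Echo reply: sourced by the VLAN 20 host, enters the router inbound on
    # VLAN 20, so this is the packet the ACL actually evaluates.
    reply_result = evaluate_standard_acl(acl, target)
    return request_result, reply_result

if __name__ == "__main__":
    for name, acl in (("first ACL", ACL_FIRST), ("second ACL", ACL_SECOND)):
        req, rep = simulate_ping(acl)
        print(f"{name}: echo request {req}, echo reply {rep}")
    # The first ACL does match the VLAN 10 source; it simply is not applied
    # where that source is seen (inbound on VLAN 10, or outbound on VLAN 20).
    print("first ACL vs 172.16.10.20:", evaluate_standard_acl(ACL_FIRST, "172.16.10.20"))
```

Running it shows the first ACL permitting both directions (ping succeeds) and the second ACL dropping the echo reply because 0.0.255.255 also covers 172.16.20.x, while the last line shows that the first ACL would deny the VLAN 10 source if it were placed on an interface and direction where that source is actually seen.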