VLAN ACL not blocking traffic

meiser1985
Level 1

I am trying to restrict a VLAN120 from accessing VLAN504. Here is what I have.

VLAN120 10.1.50.0

VLAN504 10.1.98.0

Extended IP access list voip

    50 deny ip any 10.1.98.0 0.0.0.255

    100 permit ip any any

interface Vlan120

description

ip address 10.1.50.1 255.255.255.0

ip access-group voip out

When I set "ip access-group voip in", it will block reply packets from VLAN504, but I want to eliminate the packets from leaving VLAN120 to VLAN504.

Accepted Solution

Jon Marshall
Hall of Fame

You need to apply the acl inbound on the vlan 120 interface and not outbound as you have.

Inbound means traffic coming from clients in that vlan. You have used "any" rather than the specific vlan 120 subnet but it doesn't matter.

Edit - if you apply it outbound to the vlan 120 interface as you have it should not block return packets because the destination IPs of the return packets would be 10.1.50.x so it would only match the permit line.

Jon


5 Replies

Richard Burts
Hall of Fame

What kind of switch is this? Is IP routing enabled on this switch? Is this switch routing for vlan 120? How do you know that the access list is not blocking traffic (what is your test)?

HTH

Rick



glen.grant
VIP Alumni

The way you have it written, you would have had to put it on vlan 504 in the out direction; then it should work. If you want to block it from leaving a vlan, then it will always be in the "in" direction.

Glen

You could apply it outbound in the way you describe but you would probably want to change the "any" in the deny line otherwise you have just isolated that vlan from communicating with any other vlan as the permit line would never be matched.

Jon

You're right Jon, it should be the other vlan range instead of any.
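To make the direction semantics from the accepted answer and from the Glen/Jon exchange about placing the ACL outbound on Vlan504 checkable offline, here is an added example (not Cisco code and not from anyone in the thread): a small Python model of how an IOS extended ACL applied with "ip access-group" on an SVI is consulted when a packet is routed between VLANs. It parses the ACL exactly as posted (Cisco wildcard masks, sequence order, implicit deny at the end), and evaluates each placement discussed in the thread against the VLAN120 to VLAN504 request, its reply, and a flow from a third VLAN. The third VLAN (Vlan10, 10.1.10.0/24) and all host addresses are constructed for the example; it models routed traffic only, since an ACL on an SVI never sees traffic bridged within the same VLAN, and it keeps no TCP state.

```python
import ipaddress

# Constructed topology for this example (not from any real device):
# the two SVIs from the question plus an assumed third VLAN, so that the
# effect of "any" in the deny line on other VLANs is visible.
SUBNETS = {
    "Vlan120": ipaddress.ip_network("10.1.50.0/24"),
    "Vlan504": ipaddress.ip_network("10.1.98.0/24"),
    "Vlan10": ipaddress.ip_network("10.1.10.0/24"),   # assumed extra VLAN
}

# The ACL exactly as posted, in 'show ip access-lists' form.
ACL_AS_POSTED = """Extended IP access list voip
    50 deny ip any 10.1.98.0 0.0.0.255
    100 permit ip any any"""

# Variant with the source narrowed to the VLAN120 subnet, as suggested
# for the outbound-on-Vlan504 placement.
ACL_SOURCE_SPECIFIC = """Extended IP access list voip
    50 deny ip 10.1.50.0 0.0.0.255 10.1.98.0 0.0.0.255
    100 permit ip any any"""


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse '<seq> permit|deny ip <src> <dst>' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                          # skip the 'Extended IP access list' header
        seq, action = int(tokens[0]), tokens[1]
        src, rest = _take_addr(tokens[3:])    # tokens[2] is the protocol ('ip')
        dst, _ = _take_addr(rest)
        entries.append((seq, action, src, dst))
    return sorted(entries)                    # IOS walks entries in sequence order


def _wildcard_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wildcard = spec
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & ~w) == (b & ~w)


def acl_verdict(entries, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for _, action, s, d in entries:
        if _wildcard_match(src, s) and _wildcard_match(dst, d):
            return action
    return "deny"


def route(src, dst, access_groups, acl_text):
    """Forward one packet across the L3 switch and return 'permit' or 'deny'.

    access_groups is the set of (svi, direction) pairs carrying an
    'ip access-group voip <direction>' line.  On an SVI, 'in' sees packets
    sourced by hosts in that VLAN and 'out' sees packets being routed toward
    them, so a routed packet is checked against the ingress SVI's 'in' ACL
    and the egress SVI's 'out' ACL, and nothing else.
    """
    ingress = next(n for n, net in SUBNETS.items() if ipaddress.ip_address(src) in net)
    egress = next(n for n, net in SUBNETS.items() if ipaddress.ip_address(dst) in net)
    entries = parse_acl(acl_text)
    for hop in ((ingress, "in"), (egress, "out")):
        if hop in access_groups and acl_verdict(entries, src, dst) == "deny":
            return "deny"
    return "permit"


def scenarios():
    """Every placement discussed in the thread, evaluated for three constructed flows."""
    flows = {
        "120->504": ("10.1.50.10", "10.1.98.10"),
        "504->120 reply": ("10.1.98.10", "10.1.50.10"),
        "10->504": ("10.1.10.10", "10.1.98.10"),
    }
    placements = {
        "out on Vlan120 (as posted)": ({("Vlan120", "out")}, ACL_AS_POSTED),
        "in on Vlan120 (accepted answer)": ({("Vlan120", "in")}, ACL_AS_POSTED),
        "out on Vlan504, deny any": ({("Vlan504", "out")}, ACL_AS_POSTED),
        "out on Vlan504, deny 10.1.50.0/24": ({("Vlan504", "out")}, ACL_SOURCE_SPECIFIC),
    }
    return {name: {f: route(*flow, groups, acl) for f, flow in flows.items()}
            for name, (groups, acl) in placements.items()}


if __name__ == "__main__":
    for name, results in scenarios().items():
        print(f"{name}: {results}")
```

Running it shows the three points made in the thread: with the ACL outbound on Vlan120 nothing is denied, because the only packets that direction sees are replies whose destination is 10.1.50.x and those fall through to the permit line; inbound on Vlan120 the VLAN120 to VLAN504 request is dropped at the ingress SVI; and outbound on Vlan504 with "any" as the source the third VLAN loses reach to VLAN504 as well, which the source-specific deny avoids.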