VLAN ACL problem

radoslav-drabik
Beginner

Hello,

I know there are many posts here about VLAN ACL problem but I still cannot understand how it works.

I am trying to block access to server 8.8.8.8 for the host on VLAN 100 (host IP: 10.0.0.1). See my topology & config below. I have tried to place the VLAN access list named "Block" on Vlan 100 in the "in" direction, but it didn't work. The PC's default gateway is the SVI 100 IP address.

Can somebody explain it to me?

IOS: c2960s-universalk9-mz.122-58.SE1.bin

interface vlan 10
 ip address 192.168.10.1 255.255.255.0

interface vlan 100
 ip address 10.0.0.1 255.255.255.0
 ip access-group Block in            <- it should block access to server 8.8.8.8 from 10.0.0.1

ip access-list extended block
 deny   ip host 10.0.0.1 host 8.8.8.8
 deny   ip host 10.0.0.1 host 8.8.8.8
 permit ip any any

Accepted Solution

The block access list is applied to the wrong vlan. You should apply it to vlan401 interface and you should be good...

From an "In" perspective, it is for hosts that are on the subnet that the vlan interface supports. Your vlan11 supports hosts in the 10.0.1.x range. Hosts in that range (10.0.1.17 - 10.0.1.22) would be affected by an "in" acl on vlan 11, but no other ranges.

HTH,

John

*** Please rate useful posts ***


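The two points this thread turns on, that an ACL applied "in" on an SVI only sees traffic from hosts in that SVI's subnet, and that ACL names are case-sensitive, modelled as an added example (not code from the thread or from Cisco): a small Python evaluator over the posted topology, using the addresses exactly as posted, with the mask typo read as 255.255.255.0, and assuming IOS treats a binding to an undefined ACL name as permit-all.

```python
import ipaddress

# Topology as posted in the thread (the mask typo 255.255.2550 is read as
# 255.255.255.0); these SVI subnets are the model's only routing input.
SVIS = {
    "Vlan10": ipaddress.ip_network("192.168.10.0/24"),
    "Vlan100": ipaddress.ip_network("10.0.0.0/24"),
}

# Named extended ACLs, first-match semantics; "host X" -> X/32, "any" -> 0.0.0.0/0.
ACLS = {
    "block": [
        ("deny", "10.0.0.1/32", "8.8.8.8/32"),
        ("permit", "0.0.0.0/0", "0.0.0.0/0"),
    ],
}

def ingress_svi(src):
    """SVI whose subnet contains src: that is where traffic from src enters the
    switch, so only an ACL applied 'in' on that SVI can see the packet."""
    src = ipaddress.ip_address(src)
    for name, net in SVIS.items():
        if src in net:
            return name
    return None

def evaluate(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in acl:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action
    return "deny"

def routed_verdict(bindings, src, dst):
    """bindings maps an SVI name to the ACL name in 'ip access-group <name> in'.
    ACL names are case-sensitive; a binding to a name that has not been
    defined permits everything (modelled IOS behaviour, an assumption here)."""
    acl_name = bindings.get(ingress_svi(src))
    if acl_name is None:
        return "permit"          # no ACL on the SVI this traffic enters through
    acl = ACLS.get(acl_name)     # exact, case-sensitive lookup
    if acl is None:
        return "permit"          # 'Block' != 'block': nothing is filtered
    return evaluate(acl, src, dst)

if __name__ == "__main__":
    for svi, name in (("Vlan100", "block"), ("Vlan10", "block"), ("Vlan100", "Block")):
        print(svi, name, routed_verdict({svi: name}, "10.0.0.1", "8.8.8.8"))
```

Only the binding on Vlan100 with the exact name "block" denies the 10.0.0.1 to 8.8.8.8 flow; the same ACL bound on Vlan10, or bound under the name "Block", lets it through.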

9 Replies

Abzal
Rising star

Hi,

The ACL looks OK to me, but the ACL name on the interface differs from the name of the ACL you configured. Access list names are case-sensitive. Try this:

interface vlan 100
 ip address 10.0.0.1 255.255.255.0
 ip access-group block in

ip access-list extended block
 deny   ip host 10.0.0.1 host 8.8.8.8
 deny   ip host 10.0.0.1 host 8.8.8.8
 permit ip any any

Hope it will help.

Please rate helpful posts.

Best regards,
Abzal

Hi, sorry, that was just a typo. The names match.