cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1651
Views
0
Helpful
9
Replies

VLAN ACL problem

radoslav-drabik
Level 1
Level 1

Hello,

I know there are many posts here about VLAN ACL problem but I still cannot understand how it works.

I am trying to block access to server 8.8.8.8 for the host on VLAN 100 (host IP: 10.0.0.1). See my topology&config below. I have tried to place the  VLAN access list named "Block" on Vlan 100, in direction but it didn't work. The PC's default gatewy is SVI 100 IP address.

Can somebody explain it to me?

IOS: c2960s-universalk9-mz.122-58.SE1.bin

Interface vlan 10

ip address 192.168.10.1 255.255.2550

Interface vlan 100

Ip address 10.0.0.1 255.255.255.0

ip access-group Block in            <-it should block access to server 8.8.8.8 from 10.0.0.1

ip access-list extended block

deny   ip host 10.0.0.1 host 8.8.8.8

deny   ip host 10.0.0.1 host 8.8.8.8

permit ip any any

1 Accepted Solution

Accepted Solutions

The block access list is applied to the wrong vlan. You should apply it to vlan401 interface and you should be good...

From an "In" perspective, it is for hosts that are on the subnet that the vlan interface supports. Your vlan11 supports hosts in the 10.0.1.x range. Hosts in that range (10.0.1.17 - 10.0.1.22) would be affected by an "in" acl on vlan 11, but no other ranges.

HTH,

John

*** Please rate useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

9 Replies 9

Abzal
Level 7
Level 7

Hi,

The ACL looks ok for me, but name of ACL different on interface and ACL configured. Access list names are case sensitive. Try this:

Interface vlan 100

Ip address 10.0.0.1 255.255.255.0

ip access-group block in           

ip access-list extended block

deny   ip host 10.0.0.1 host 8.8.8.8

deny   ip host 10.0.0.1 host 8.8.8.8

permit ip any any

Hope it will help.

Please rate helpful posts.

Best regards,
Abzal

Hi..sorry. that was just a typo. The names match.

Can you post your switch config?

HTH, John *** Please rate all useful posts ***

Ok, what about ip address of host in ACL are trying to block access to your default gateway of VLAN 10.0.0.1?
Yes, like this ACL won't work. Host ip address in ACL. After that try to check.

If you want to block all hosts:

ip access-list extended block

deny   ip any host 8.8.8.8

permit ip any any

Hope it will help.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal

From what I can see from the picture, the PC and interface vlan 100 have the same IP address?

Changing that should fix it.

  Good catch you can't have the pc address the same as your default gateway for the subnet.  Change the pc something like .2 and readjust your acl to reflect that.

They don't have the same IPs. It is an another type . I will paste a config file tomorrow. Thanks.

Hi again,

It seems to be working now. I found a mistake in access list "block". I was allowing the whole network and then blocking few hosts. When I turned it around it started to work.

ip access-list extended block

permit ip 10.0.0.0  0.0.0.255 any

deny   ip host 10.0.0.194 host 8.8.8.8

permit ip any any

working:

ip access-list extended block

deny   ip host 10.0.0.194 host 8.8.8.8

permit ip 10.0.0.0  0.0.0.255 any

permit ip any any

But I have another scenario which I don't understand. I am trying to place an access list on the uplink VLAN interface 11. Here is the config.

interface GigabitEthernet1/0/2    <- To host

description Voice gateway

switchport access vlan 401

switchport mode access

!

interface GigabitEthernet1/0/25  <- To uplink

description UPLINK

switchport access vlan 11

switchport mode access

!

interface Vlan401                         <- VLAN for hosts

ip address 10.0.0.193 255.255.255.192

!

interface Vlan11                           <- VLAN for Uplink

description UPLINK VLAN

ip access-group block in

ip access-group block in

ip address 10.0.1.18 255.255.255.248

!

switch#show ip route

....

S*    0.0.0.0/0 [1/0] via 10.0.1.17

ip access-list extended block

deny   ip host 10.0.0.194 host 8.8.8.8     <- it doesn't seem to block the traffic to host 8.8.8.8

permit ip any any

Is it because it doesn't cross the VLAN interface. Am I right?

Thanks

The block access list is applied to the wrong vlan. You should apply it to vlan401 interface and you should be good...

From an "In" perspective, it is for hosts that are on the subnet that the vlan interface supports. Your vlan11 supports hosts in the 10.0.1.x range. Hosts in that range (10.0.1.17 - 10.0.1.22) would be affected by an "in" acl on vlan 11, but no other ranges.

HTH,

John

*** Please rate useful posts ***

HTH, John *** Please rate all useful posts ***
Review Cisco Networking for a $25 gift card