Buy or Renew
Buy or Renew
Cisco + Splunk: Itā€™s a new day for your data. Learn more.
Ā 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1317
Views
0
Helpful
9
Replies

VLAN ACL problem

Go to solution
radoslav-drabik
Level 1
Level 1

ā€Ž11-16-2012 08:17 AM - edited ā€Ž03-07-2019 10:05 AM

Hello,

I know there are many posts here about VLAN ACL problem but I still cannot understand how it works.

I am trying to block access to server 8.8.8.8 for the host on VLAN 100 (host IP: 10.0.0.1). See my topology&config below. I have tried to place the  VLAN access list named "Block" on Vlan 100, in direction but it didn't work. The PC's default gatewy is SVI 100 IP address.

Can somebody explain it to me?

IOS: c2960s-universalk9-mz.122-58.SE1.bin

Interface vlan 10

ip address 192.168.10.1 255.255.2550

Interface vlan 100

Ip address 10.0.0.1 255.255.255.0

ip access-group Block in            <-it should block access to server 8.8.8.8 from 10.0.0.1

ip access-list extended block

deny   ip host 10.0.0.1 host 8.8.8.8

deny   ip host 10.0.0.1 host 8.8.8.8

permit ip any any

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to radoslav-drabik

ā€Ž11-19-2012 07:26 AM

The block access list is applied to the wrong vlan. You should apply it to vlan401 interface and you should be good...

From an "In" perspective, it is for hosts that are on the subnet that the vlan interface supports. Your vlan11 supports hosts in the 10.0.1.x range. Hosts in that range (10.0.1.17 - 10.0.1.22) would be affected by an "in" acl on vlan 11, but no other ranges.

HTH,

John

*** Please rate useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Abzal
Level 7
Level 7

ā€Ž11-16-2012 08:35 AM

Hi,

The ACL looks ok for me, but name of ACL different on interface and ACL configured. Access list names are case sensitive. Try this:

Interface vlan 100

Ip address 10.0.0.1 255.255.255.0

ip access-group block in           

ip access-list extended block

deny   ip host 10.0.0.1 host 8.8.8.8

deny   ip host 10.0.0.1 host 8.8.8.8

permit ip any any

Hope it will help.

Please rate helpful posts.

Best regards,
Abzal
0 Helpful

Go to solution
radoslav-drabik
Level 1
Level 1
In response to Abzal

ā€Ž11-16-2012 09:30 AM

Hi..sorry. that was just a typo. The names match.

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to radoslav-drabik

ā€Ž11-16-2012 09:32 AM

Can you post your switch config?

HTH, John *** Please rate all useful posts ***
0 Helpful

Go to solution
Abzal
Level 7
Level 7
In response to radoslav-drabik

ā€Ž11-16-2012 09:57 AM

Ok, what about ip address of host in ACL are trying to block access to your default gateway of VLAN 10.0.0.1?
Yes, like this ACL won't work. Host ip address in ACL. After that try to check.

If you want to block all hosts:

ip access-list extended block

deny   ip any host 8.8.8.8

permit ip any any

Hope it will help.

Sent from Cisco Technical Support iPhone App

Best regards,
Abzal
0 Helpful

Go to solution
Henrik Grankvist
Level 4
Level 4
In response to Abzal

ā€Ž11-16-2012 12:25 PM

From what I can see from the picture, the PC and interface vlan 100 have the same IP address?

Changing that should fix it.

0 Helpful

Go to solution
glen.grant
VIP Alumni
VIP Alumni
In response to Henrik Grankvist

ā€Ž11-16-2012 01:37 PM

  Good catch you can't have the pc address the same as your default gateway for the subnet.  Change the pc something like .2 and readjust your acl to reflect that.

0 Helpful

Go to solution
radoslav-drabik
Level 1
Level 1
In response to glen.grant

ā€Ž11-16-2012 02:32 PM

They don't have the same IPs. It is an another type . I will paste a config file tomorrow. Thanks.

0 Helpful

Go to solution
radoslav-drabik
Level 1
Level 1
In response to radoslav-drabik

ā€Ž11-19-2012 07:17 AM

Hi again,

It seems to be working now. I found a mistake in access list "block". I was allowing the whole network and then blocking few hosts. When I turned it around it started to work.

ip access-list extended block

permit ip 10.0.0.0  0.0.0.255 any

deny   ip host 10.0.0.194 host 8.8.8.8

permit ip any any

working:

ip access-list extended block

deny   ip host 10.0.0.194 host 8.8.8.8

permit ip 10.0.0.0  0.0.0.255 any

permit ip any any

But I have another scenario which I don't understand. I am trying to place an access list on the uplink VLAN interface 11. Here is the config.

interface GigabitEthernet1/0/2    <- To host

description Voice gateway

switchport access vlan 401

switchport mode access

!

interface GigabitEthernet1/0/25  <- To uplink

description UPLINK

switchport access vlan 11

switchport mode access

!

interface Vlan401                         <- VLAN for hosts

ip address 10.0.0.193 255.255.255.192

!

interface Vlan11                           <- VLAN for Uplink

description UPLINK VLAN

ip access-group block in

ip access-group block in

ip address 10.0.1.18 255.255.255.248

!

switch#show ip route

....

S*    0.0.0.0/0 [1/0] via 10.0.1.17

ip access-list extended block

deny   ip host 10.0.0.194 host 8.8.8.8     <- it doesn't seem to block the traffic to host 8.8.8.8

permit ip any any

Is it because it doesn't cross the VLAN interface. Am I right?

Thanks

0 Helpful

Go to solution
John Blakley
VIP Alumni
VIP Alumni
In response to radoslav-drabik

ā€Ž11-19-2012 07:26 AM

The block access list is applied to the wrong vlan. You should apply it to vlan401 interface and you should be good...

From an "In" perspective, it is for hosts that are on the subnet that the vlan interface supports. Your vlan11 supports hosts in the 10.0.1.x range. Hosts in that range (10.0.1.17 - 10.0.1.22) would be affected by an "in" acl on vlan 11, but no other ranges.

HTH,

John

*** Please rate useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card