Hi Alain,

Well, your extended ACL works as designed, so that's just great, problem solved. However, I still don't understand why my standard ACL doesn't work? I am denying any, except 10.39.1.0/24...

Richard, the goal was to separate vlan 3 from vlan 2. The other way around doesn't have any impact on functionality in this setup.

Thanks for the answers, I have a working setup now. But I'm still a little confused :-)

// Simon
Hi there,

I've got a problem with an ACL that should separate a guest network from a "corporate" network. I started out with the following:

!
interface Vlan2
 ip address 10.39.1.1 255.255.255.0
!
interface Vlan3
 ip address 10.39.2.1 255.255.255.0
!

Both networks are working properly, no rocket science here... But I needed to separate those two networks. 10.39.2.0 should not be able to access 10.39.1.0. Therefore I created the following setup:

!
interface Vlan2
 ip address 10.39.1.1 255.255.255.0
 ip access-group 2 in
!
interface Vlan3
 ip address 10.39.2.1 255.255.255.0
!
access-list 2 permit 10.39.1.0 0.0.0.255
access-list 2 deny any

Should be straightforward, but this is the result when I am doing a ping (10.39.1.140 accepts ICMP):

rtr-1#ping 10.39.1.1 source vlan 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.39.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.39.2.1
U.U.U
Success rate is 0 percent (0/5)

Very good.. I'm happy. But...

rtr-1#ping 10.39.1.140 source vlan 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.39.1.140, timeout is 2 seconds:
Packet sent with a source address of 10.39.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

How is this possible?

Hardware: C887VA-W-E-K9
Software: 15.1(4)M5

Am I just having a bad day, or is there a not logical explanation?

Thanks in advance!
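Added example, not part of the original thread: a small Python model of how an inbound ACL is consulted for routed traffic, showing why access-list 2 applied `in` on Vlan2 never sees a 10.39.2.0/24 source address, while a source-and-destination rule applied `in` on Vlan3 does. Assumptions: the guest host 10.39.2.50 is constructed, `ACL_GUEST` is a hypothetical extended ACL (not the one suggested in the thread, which the page does not show), and the model covers transit packets only.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, src_rule, dst_rule in acl:
        if wildcard_match(src, *src_rule) and wildcard_match(dst, *dst_rule):
            return action
    return "deny"

# access-list 2 from the post. A standard ACL has no destination field,
# so the destination is modelled as ANY.
ACL_2 = [("permit", ("10.39.1.0", "0.0.0.255"), ANY),
         ("deny", ANY, ANY)]

# Hypothetical extended ACL (assumption): guest -> corporate denied, rest allowed.
ACL_GUEST = [("deny", ("10.39.2.0", "0.0.0.255"), ("10.39.1.0", "0.0.0.255")),
             ("permit", ANY, ANY)]

def routed(src, dst, ingress, inbound_acls):
    """A transit packet is checked only against the ACL bound inbound
    on the interface it arrives on; other interfaces' ACLs are not consulted."""
    acl = inbound_acls.get(ingress)
    return acl is None or evaluate(acl, src, dst) == "permit"

def round_trip(a, a_if, b, b_if, inbound_acls):
    """Request a -> b enters on a_if; reply b -> a enters on b_if."""
    return routed(a, b, a_if, inbound_acls) and routed(b, a, b_if, inbound_acls)

GUEST, CORP = "10.39.2.50", "10.39.1.140"   # GUEST is a constructed address
posted = {"Vlan2": ACL_2}       # configuration from the post
moved = {"Vlan3": ACL_GUEST}    # filter where guest traffic enters the router

if __name__ == "__main__":
    # Request enters Vlan3 (no ACL); reply enters Vlan2 with a permitted source.
    print("posted config, guest <-> corp:", round_trip(GUEST, "Vlan3", CORP, "Vlan2", posted))
    print("ACL on Vlan3 in, guest -> corp:", routed(GUEST, CORP, "Vlan3", moved))
```

With the posted configuration the only packets arriving inbound on Vlan2 are those sent by hosts in 10.39.1.0/24, including the echo replies from 10.39.1.140, and the first entry of access-list 2 permits exactly those.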