issues using acls with vlans on Catalyst 3560

Unanswered Question
Nov 6th, 2007
I have 4 VLANs created using inter-VLAN routing:

adm - 192.168.10.254

dev - 192.168.11.254

voice - 192.168.12.254

printers - 192.168.13.254


and a router (192.168.14.254) on interface FE0/1 (192.168.14.253) (used ip routing)


I want to block access from dev to adm but allow from adm to dev and all the remaining traffic.

I have created the following acls


access-list 100 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 100 permit ip any any


These ACL entries were applied to VLAN dev in the outbound direction:

ip access-group 100 out


These ACL entries come from the idea that a Cisco switch processes the ACL entries from top to bottom and, when a match is found, stops processing the rest of the ACL entries below.


i.e. a host from 192.168.11.x trying to reach a host in 192.168.10.x should match the ACL entry:

access-list 100 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255

and stop processing the remaining entries:

access-list 100 permit ip any any


But what really happens is that all traffic is allowed.


P.S. This is the first time I am implementing ACLs, so I think I might not have grasped Cisco ACL behaviour; an explanation of how ACLs work in this switch and a practical example would correct my misunderstanding of ACL behaviour.


Any hints are welcome.


Thanks in advance.

lgijssel Tue, 11/06/2007 - 06:23

Please check the following links on ACLs:

http://www.cisco.com/en/US/tech/tk648/tk361/tk821/tsd_technology_support_sub-protocol_home.html


Also, keep in mind that direction OUT means FROM the switch TO the network.

When looking at it like that, it is easier to understand that your ACL 100 has source and destination in the wrong order.


regards,

Leo
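To make the direction point concrete, here is a small simulator I am adding to this thread (it is not code from either poster and not a Cisco tool). It parses the two access-list lines from the question, applies IOS first-match semantics with the implicit deny at the end, and models an SVI's "in"/"out" direction the way the switch does: "in" sees packets arriving from hosts in that VLAN (source inside the VLAN), "out" sees packets the switch forwards into that VLAN (destination inside the VLAN). Host addresses and the VLAN-to-subnet mapping are taken from the question; only the wildcard-to-prefix conversion assumes contiguous wildcard masks, which is an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

# VLAN subnets from the question (gateway .254 on each SVI).
VLANS = {
    "adm": ipaddress.IPv4Network("192.168.10.0/24"),
    "dev": ipaddress.IPv4Network("192.168.11.0/24"),
    "voice": ipaddress.IPv4Network("192.168.12.0/24"),
    "printers": ipaddress.IPv4Network("192.168.13.0/24"),
}

# The ACL exactly as posted in the question.
ACL_TEXT = [
    "access-list 100 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 100 permit ip any any",
]


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    # Assumption: contiguous wildcard mask (0.0.0.255 -> /24).
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{32 - ones}", strict=False)


def parse_addr(tokens):
    # Consume one address spec: "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z".
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Return {acl_number: [AclEntry, ...]} in the order the lines appear."""
    acls = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list":
            continue
        num, action = parts[1], parts[2]
        rest = parts[4:]  # skip the protocol keyword ("ip")
        src, rest = parse_addr(rest)
        dst, _ = parse_addr(rest)
        acls.setdefault(num, []).append(AclEntry(action, src, dst))
    return acls


def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an ACL with no match denies (implicit deny)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def acl_applies(vlan, direction, src_ip, dst_ip):
    """'in' on an SVI filters packets from hosts in the VLAN (source inside it);
    'out' filters packets the switch sends into the VLAN (destination inside it)."""
    net = VLANS[vlan]
    if direction == "in":
        return ipaddress.IPv4Address(src_ip) in net
    return ipaddress.IPv4Address(dst_ip) in net


def forward_decision(acls, bindings, src_ip, dst_ip):
    """bindings: list of (vlan, direction, acl_number), i.e. 'ip access-group N in|out'
    under each SVI. The packet is dropped if any ACL that sees it denies it."""
    for vlan, direction, num in bindings:
        if acl_applies(vlan, direction, src_ip, dst_ip):
            if evaluate(acls[num], src_ip, dst_ip) == "deny":
                return "drop"
    return "forward"


if __name__ == "__main__":
    acls = parse_acl(ACL_TEXT)
    as_posted = [("dev", "out", "100")]   # what the question configured
    inbound = [("dev", "in", "100")]       # same ACL, applied inbound on VLAN dev
    for label, bindings in (("out on dev", as_posted), ("in on dev", inbound)):
        print(label, "dev->adm:", forward_decision(acls, bindings, "192.168.11.5", "192.168.10.5"),
              "adm->dev:", forward_decision(acls, bindings, "192.168.10.5", "192.168.11.5"))
```

Running it reproduces the symptom from the question: with "ip access-group 100 out" on VLAN dev the dev->adm packet never reaches ACL 100 at all, because its destination is not in VLAN dev, so the deny entry is never consulted and everything is forwarded. The same two lines applied "in" on VLAN dev do drop dev->adm while leaving adm->dev untouched. One caveat worth keeping in mind when you test this: the ACL is stateless, so replies from dev hosts to connections that adm hosts opened are also dropped by the inbound deny; the IOS "established" keyword on a TCP permit entry ahead of the deny is the classic stateless workaround for that, so verify the intended adm-initiated flows and not just the blocked direction.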
