Trouble setting ACL between two VLANs

Answered Question
Mar 26th, 2009

Hi all. I am having trouble restricting communication between 2 VLANs via ACLs. What I am trying to do is configure an ACL that allows VLAN-3 (10.10.30.0) to only be able to talk to 3 specific hosts on VLAN-2 (i.e. 10.10.20.15 - 10.10.20.17).

If I apply acl-30 to vlan-3's outbound, then I have full communication between the 2 networks - so I know the physical setup of the network is ok. However, if I apply acl-130 to vlan-3's outbound in place of acl-30, then ALL communication is blocked between the 2 VLANs, including the 3 specific hosts. I can however ping the gateways.

The following is the pertinent portion of my running config:

--------------------------------
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip access-group 20 out
 ip access-group 21 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip access-group 130 out
 ip access-group 31 in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
!
access-list 20 permit 10.10.20.0 0.0.0.255
access-list 20 permit 10.10.30.0 0.0.0.255
!
access-list 21 permit 10.10.20.0 0.0.0.255
access-list 21 permit 10.10.30.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 30 permit 10.10.20.0 0.0.0.255
!
access-list 31 permit 10.10.20.0 0.0.0.255
access-list 31 permit 10.10.30.0 0.0.0.255
!
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.15
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.16
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.17
--------------------------------

Please advise.

Correct Answer
Jon Marshall Thu, 03/26/2009 - 11:57

You are applying acl 130 in the wrong direction.

Inbound on a vlan interface is for traffic coming from hosts on that vlan.

Outbound on a vlan interface is for traffic going to hosts on that vlan.

So you need to apply acl 130 inbound.

Jon

PowisCorp Thu, 03/26/2009 - 12:36

Ok, it is working, somewhat...

Sending a ping to .15 .16 or .17 works as expected. Sending a ping to a host that should not be allowed to communicate responds as follows:

#1 Ping from 10.10.30.4 to 10.10.20.9:

Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable

#2 Ping from 10.10.30.4 to 10.10.20.9:

Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable

#3 Ping from 10.10.30.4 to 10.10.20.9:

Request timed out.
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable

Why the 3 different responses on 3 different pings? Shouldn't the communication be blocked at all times? Or did I ping too fast after issuing the command to the router?

Also can you explain the following a bit more:

"inbound on an vlan interface is for traffic coming from hosts on that vlan
outbound on a vlan interface is for traffic going to hosts on that vlan"

This was completely opposite from what I was thinking, and is a bit confusing.

Correct Answer
Jon Marshall Thu, 03/26/2009 - 13:58

Can you post your updated config?

As for inbound/outbound, think of it from the perspective of the vlan interface.

If a packet arrives inbound on the vlan interface then it has come from a client machine on that vlan. So when a client on that vlan transmits a packet destined for a machine on another vlan, the client must send the packet to its vlan interface, i.e. the packet arrives inbound on the vlan interface.

Outbound means any packet going to a client on that vlan. Again, think of it from the perspective of the vlan interface. If it needs to send a packet to a client on its own vlan it will send the packet out of its interface.

Does this help ?

Jon

glen.grant Fri, 03/27/2009 - 05:51

To accomplish what he wants all he needs is ACL 130 on the inbound direction.

interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
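To make Jon's inbound/outbound rule and glen.grant's corrected placement concrete, here is a small Python model of the ACLs from the posted config (an added example, not code from the thread or from IOS). It assumes the standard IOS evaluation order for routed traffic: the ingress SVI's inbound ACL, then the egress SVI's outbound ACL, with a first-match rule and the implicit deny at the end; router-originated traffic (pinging the gateway itself) is not modelled. Function and constant names (`acl_permits`, `routed_ok`, `ping_ok`, `AS_POSTED`, `CORRECTED`) are my own.

```python
import ipaddress
from dataclasses import dataclass

def _wildcard_match(addr, network, wildcard):
    """IOS wildcard masks: a 0 bit must match, a 1 bit is 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"   # standard ACLs check the source only, so dst defaults to "any"
    dst_wc: str = "255.255.255.255"

def acl_permits(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for ace in acl:
        if _wildcard_match(src, ace.src, ace.src_wc) and _wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False

HOST = "0.0.0.0"  # wildcard equivalent of the 'host x.x.x.x' keyword
# ACLs copied from the posted running config (numbers and addresses are the poster's own).
ACL = {
    20: [Ace("permit", "10.10.20.0", "0.0.0.255"), Ace("permit", "10.10.30.0", "0.0.0.255")],
    21: [Ace("permit", "10.10.20.0", "0.0.0.255"), Ace("permit", "10.10.30.0", "0.0.0.255")],
    31: [Ace("permit", "10.10.20.0", "0.0.0.255"), Ace("permit", "10.10.30.0", "0.0.0.255")],
    130: [Ace("permit", "10.10.30.0", "0.0.0.255", h, HOST)
          for h in ("10.10.20.15", "10.10.20.16", "10.10.20.17")],
}

def routed_ok(bindings, ingress, egress, src, dst):
    """Routed packet: checked by the ingress SVI's 'in' ACL, then the egress SVI's 'out' ACL."""
    for iface, direction in ((ingress, "in"), (egress, "out")):
        num = bindings.get((iface, direction))
        if num is not None and not acl_permits(ACL[num], src, dst):
            return False
    return True

def ping_ok(bindings, host, target):
    """Echo request VLAN3 -> VLAN2 and the echo reply VLAN2 -> VLAN3 must both pass."""
    return (routed_ok(bindings, "Vlan3", "Vlan2", host, target)
            and routed_ok(bindings, "Vlan2", "Vlan3", target, host))

# As posted: acl 130 OUT on Vlan3. Packets leaving Vlan3 carry a 10.10.20.x source, so no entry
# of ACL 130 matches and the implicit deny drops every echo reply, even those from .15-.17.
AS_POSTED = {("Vlan2", "out"): 20, ("Vlan2", "in"): 21, ("Vlan3", "out"): 130, ("Vlan3", "in"): 31}
# As corrected in the thread: acl 130 IN on Vlan3, where the source really is 10.10.30.x.
CORRECTED = {("Vlan2", "out"): 20, ("Vlan2", "in"): 21, ("Vlan3", "in"): 130}
```

Running `ping_ok(AS_POSTED, "10.10.30.4", "10.10.20.15")` returns False while `ping_ok(CORRECTED, ...)` returns True for .15 and False for .9, which is exactly the behaviour PowisCorp saw before and after moving the ACL.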

PowisCorp Mon, 03/30/2009 - 09:23

Thanks for the help Jon, and the explanation. I think I was just pinging the router too quickly (within 30 seconds) after I uploaded the config file. Everything seems to be working now.
