03-26-2009 11:45 AM - edited 03-06-2019 04:50 AM
Hi all. I am having trouble restricting communication between 2 VLANs via ACLs. What I am trying to do is configure an ACL that allows VLAN-3 (10.10.30.0) to only be able to talk to 3 specific hosts on VLAN-2 (i.e. 10.10.20.15 - 10.10.20.17).
If I apply acl-30 to vlan-3's outbound, then I have full communication between the 2 networks, so I know the physical setup of the network is ok. However, if I apply acl-130 to vlan-3's outbound in place of acl-30, then ALL communication is blocked between the 2 VLANs, including the 3 specific hosts. I can however ping the gateways.
The following is the pertinent portion of my running config:
--------------------------------
interface Vlan2
ip address 10.10.20.1 255.255.255.0
ip access-group 20 out
ip access-group 21 in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 10.10.30.1 255.255.255.0
ip access-group 130 out
ip access-group 31 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
!
access-list 20 permit 10.10.20.0 0.0.0.255
access-list 20 permit 10.10.30.0 0.0.0.255
!
access-list 21 permit 10.10.20.0 0.0.0.255
access-list 21 permit 10.10.30.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 30 permit 10.10.20.0 0.0.0.255
!
access-list 31 permit 10.10.20.0 0.0.0.255
access-list 31 permit 10.10.30.0 0.0.0.255
!
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.15
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.16
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.17
--------------------------------
Please advise.
03-26-2009 11:57 AM
You are applying acl 130 in the wrong direction.
inbound on a vlan interface is for traffic coming from hosts on that vlan
outbound on a vlan interface is for traffic going to hosts on that vlan
so you need to apply acl 130 inbound.
Jon
03-26-2009 12:10 PM
Inbound on VLAN-3 ?
03-26-2009 12:12 PM
"Inbound on VLAN-3 ?"
Yes.
03-26-2009 12:36 PM
Ok, it is working, somewhat...
Sending a ping to .15 .16 or .17 works as expected. Sending a ping to a host that should not be allowed to communicate responds as follows:
#1 Ping from 10.10.30.4 to 10.10.20.9:
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
#2 Ping from 10.10.30.4 to 10.10.20.9:
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable
#3 Ping from 10.10.30.4 to 10.10.20.9:
Request timed out.
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Why the 3 different responses on 3 different pings? Shouldn't the communication be blocked at all times? Or did I ping too fast after issuing the command to the router?
Also can you explain the following a bit more:
"inbound on a vlan interface is for traffic coming from hosts on that vlan
outbound on a vlan interface is for traffic going to hosts on that vlan"
This was completely opposite from what I was thinking, and is a bit confusing.
03-26-2009 01:58 PM
Can you post your updated config.
As for inbound/outbound think of it from the perspective of the vlan interface.
If a packet arrives inbound on the vlan interface then it has come from a client machine on that vlan. So when a client on that vlan transmits a packet destined for a machine on another vlan, the client must send the packet to its vlan interface, i.e. the packet arrives inbound on the vlan interface.
Outbound means any packet going to a client on that vlan. Again, think of it from the perspective of the vlan interface. If it needs to send a packet to a client on its own vlan it will send the packet out of its interface.
Does this help?
Jon
03-26-2009 02:34 PM
Hey Jon,
How come he's got an inbound and outbound ACL per VLAN interface?
03-27-2009 05:51 AM
To accomplish what he wants all he needs is ACL 130 in the inbound direction.
interface Vlan3
ip address 10.10.30.1 255.255.255.0
ip access-group 130 in
ip nat inside
ip virtual-reassembly
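To make Jon's in/out explanation and the ACL 130 fix above concrete, here is a small added Python simulator of Cisco numbered ACLs on SVIs. It is not code from the original thread or from Cisco; it parses the access-list lines from the poster's config, models standard ACLs (source only) and extended "ip" ACLs with wildcard masks plus the implicit deny at the end, and routes a packet through an ingress "in" ACL and an egress "out" ACL. The interface tables ORIGINAL and FIXED are reconstructed from the two configs in the thread; the FastEthernet0 entry standing in for the default route with no ACL, and the outside address 203.0.113.10, are assumptions for the demonstration.

```python
import ipaddress

# Access lists copied from the poster's running config
ACL_CONFIG = """
access-list 20 permit 10.10.20.0 0.0.0.255
access-list 20 permit 10.10.30.0 0.0.0.255
access-list 21 permit 10.10.20.0 0.0.0.255
access-list 21 permit 10.10.30.0 0.0.0.255
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 30 permit 10.10.20.0 0.0.0.255
access-list 31 permit 10.10.20.0 0.0.0.255
access-list 31 permit 10.10.30.0 0.0.0.255
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.15
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.16
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.17
"""

ANY = ("0.0.0.0", "255.255.255.255")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 covers a /24."""
    return (_ip(addr) | _ip(wildcard)) == (_ip(base) | _ip(wildcard))


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0) if tokens else "0.0.0.0")


def parse_access_lists(config_text):
    """Return {number: [(action, src_spec, dst_spec), ...]} in configured order.
    Standard ACLs (1-99) match on source only; extended ones on source and destination.
    Only the 'ip' protocol keyword is modelled here (toy simulator)."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= number <= 99:
            src, dst = _parse_addr(rest), ANY
        else:
            rest.pop(0)  # protocol keyword ('ip')
            src = _parse_addr(rest)
            dst = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def evaluate(aces, src, dst):
    """First matching entry wins; every ACL ends with an implicit 'deny any'."""
    for action, (sb, sw), (db, dw) in aces:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def _find_interface(interfaces, addr):
    """Longest-prefix match of addr against each interface's connected network."""
    best = None
    for name, props in interfaces.items():
        net = ipaddress.ip_network(props["network"])
        if ipaddress.ip_address(addr) in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0]


def forward(acls, interfaces, src, dst):
    """Route one transit packet: ingress 'in' ACL first, then egress 'out' ACL.
    Returns (verdict, where) so you can see which ACL dropped it."""
    ingress, egress = _find_interface(interfaces, src), _find_interface(interfaces, dst)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        acl = interfaces[iface].get(direction)
        if acl is not None and evaluate(acls[acl], src, dst) == "deny":
            return ("deny", f"acl {acl} {direction} on {iface}")
    return ("permit", f"{ingress} -> {egress}")


def ping_works(acls, interfaces, src, dst):
    """A ping needs both the echo request and the echo reply to be forwarded."""
    return (forward(acls, interfaces, src, dst)[0] == "permit"
            and forward(acls, interfaces, dst, src)[0] == "permit")


ACLS = parse_access_lists(ACL_CONFIG)
# Poster's original config: ACL 130 applied outbound on Vlan3
ORIGINAL = {
    "Vlan2": {"network": "10.10.20.0/24", "in": 21, "out": 20},
    "Vlan3": {"network": "10.10.30.0/24", "in": 31, "out": 130},
    "FastEthernet0": {"network": "0.0.0.0/0"},  # assumed: default route, no ACL
}
# Config from the fix above: ACL 130 inbound on Vlan3 only
FIXED = {
    "Vlan2": {"network": "10.10.20.0/24", "in": 21, "out": 20},
    "Vlan3": {"network": "10.10.30.0/24", "in": 130},
    "FastEthernet0": {"network": "0.0.0.0/0"},
}

if __name__ == "__main__":
    for label, table in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "30.4 -> 20.15:", forward(ACLS, table, "10.10.30.4", "10.10.20.15"))
        print(label, "20.15 -> 30.4:", forward(ACLS, table, "10.10.20.15", "10.10.30.4"))
        print(label, "30.4 -> 20.9: ", forward(ACLS, table, "10.10.30.4", "10.10.20.9"))
        print(label, "30.4 -> 203.0.113.10:", forward(ACLS, table, "10.10.30.4", "203.0.113.10"))
```

Running it reproduces the symptom: with ACL 130 outbound on Vlan3, the echo request from 10.10.30.4 to 10.10.20.15 is permitted, but the reply leaving Vlan3 has a 10.10.20.x source, matches none of the three entries and hits the implicit deny, so even the three allowed hosts appear unreachable. Pings to the gateways still worked because replies generated by the router itself are not subject to interface ACLs. With ACL 130 inbound, the three hosts work and 10.10.20.9 is dropped on ingress. The simulator also shows the caveat a practitioner should check before deploying this: the implicit deny on ACL 130 inbound drops every other packet from VLAN 3, including traffic to 10.10.10.0 and to the NAT'd Internet path, unless further permit entries are added.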
03-30-2009 09:23 AM
Thanks for the help Jon, and the explanation. I think I was just pinging the router too quickly (within 30 seconds) after I uploaded the config file. Everything seems to be working now.