Trouble setting ACL between two VLANs

PowisCorp
Level 1

Hi all. I am having trouble restricting communication between 2 VLANs via ACLs. What I am trying to do is configure an ACL that allows VLAN-3 (10.10.30.0) to only be able to talk to 3 specific hosts on VLAN-2 (i.e. 10.10.20.15 - 10.10.20.17).

If I apply acl-30 to vlan-3's outbound, then I have full communication between the 2 networks - so I know the physical setup of the network is ok. However, if I apply acl-130 to vlan-3's outbound in place of acl-30, then ALL communication is blocked between the 2 VLANs, including the 3 specific hosts. I can however ping the gateways.

The following is the pertinent portion of my running config:

--------------------------------
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip access-group 20 out
 ip access-group 21 in
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip access-group 130 out
 ip access-group 31 in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
!
access-list 20 permit 10.10.20.0 0.0.0.255
access-list 20 permit 10.10.30.0 0.0.0.255
!
access-list 21 permit 10.10.20.0 0.0.0.255
access-list 21 permit 10.10.30.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 30 permit 10.10.20.0 0.0.0.255
!
access-list 31 permit 10.10.20.0 0.0.0.255
access-list 31 permit 10.10.30.0 0.0.0.255
!
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.15
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.16
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.17
--------------------------------

Please advise.


Jon Marshall
Hall of Fame

You are applying acl 130 in the wrong direction.

Inbound on a vlan interface is for traffic coming from hosts on that vlan.

Outbound on a vlan interface is for traffic going to hosts on that vlan.

So you need to apply acl 130 inbound.

Jon

Inbound on VLAN-3?

"Inbound on VLAN-3?"

Yes.

Ok, it is working, somewhat...

Sending a ping to .15 .16 or .17 works as expected. Sending a ping to a host that should not be allowed to communicate responds as follows:

#1 Ping from 10.10.30.4 to 10.10.20.9:
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable

#2 Ping from 10.10.30.4 to 10.10.20.9:
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable

#3 Ping from 10.10.30.4 to 10.10.20.9:
Request timed out.
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable

Why the 3 different responses on 3 different pings? Shouldn't the communication be blocked at all times? Or did I ping too fast after issuing the command to the router?

Also can you explain the following a bit more:

"Inbound on a vlan interface is for traffic coming from hosts on that vlan.

Outbound on a vlan interface is for traffic going to hosts on that vlan."

This was completely opposite from what I was thinking, and is a bit confusing.

Can you post your updated config?

As for inbound/outbound think of it from the perspective of the vlan interface.

If a packet arrives inbound on the vlan interface then it has come from a client machine on that vlan. So when a client on that vlan transmits a packet destined for a machine on another vlan, the client must send the packet to its vlan interface, i.e. the packet arrives inbound on the vlan interface.

Outbound means any packet going to a client on that vlan. Again, think of it from the perspective of the vlan interface. If it needs to send a packet to a client on its own vlan it will send the packet out of its interface.

Does this help?

Jon

Hey Jon,

How come he's got an inbound and outbound ACL per VLAN interface?

To accomplish what he wants all he needs is ACL 130 in the inbound direction.

interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
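To make the direction rule from Jon's explanation and the corrected config above concrete, here is a small added simulation (not code from the thread or from Cisco) of how acl 130 is evaluated on the Vlan3 SVI: it implements IOS wildcard matching and the implicit deny, treats a ping as an echo request plus an echo reply, and only checks packets that cross Vlan3 in the direction the ACL is applied. Applied outbound, the only packets the ACL ever sees are the replies from 10.10.20.x toward 10.10.30.x, which no permit line matches, so even the three allowed hosts are unreachable; applied inbound it sees the requests and permits only the three hosts. Function names and the VLAN3 constant are this example's own; ACLs 20, 21 and 31 are ignored because they permit both subnets and do not change the outcome.

```python
import ipaddress

VLAN3 = ipaddress.ip_network("10.10.30.0/24")   # subnet behind interface Vlan3
# ACL 130 exactly as posted in the question (copied here so the demo runs stand-alone)
ACL_130 = """
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.15
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.16
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.17
"""

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def _addr(t, i):
    """Parse 'host A' or 'A WILDCARD' starting at token i; return ((net, wc), next_i)."""
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_acl(text):
    """'access-list N permit|deny PROTO SRC DST' lines -> (action, proto, src, dst) tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        src, i = _addr(t, 4)
        dst, _ = _addr(t, i)
        aces.append((t[2], t[3], src, dst))
    return aces

def acl_verdict(aces, proto, src, dst):
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, aproto, (sn, sw), (dn, dw) in aces:
        if aproto in ("ip", proto) and wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

def vlan3_svi_passes(aces, direction, proto, src, dst):
    """Filter only packets crossing interface Vlan3 in `direction`: 'in' = packets
    from VLAN 3 hosts (source in 10.10.30.0/24), 'out' = packets to VLAN 3 hosts
    (destination in 10.10.30.0/24). Any other packet never meets this ACL."""
    endpoint = src if direction == "in" else dst
    if ipaddress.ip_address(endpoint) not in VLAN3:
        return True
    return acl_verdict(aces, proto, src, dst) == "permit"

def ping_works(aces, direction, src, dst):
    # A ping needs the echo request (src->dst) AND the echo reply (dst->src) to pass.
    return (vlan3_svi_passes(aces, direction, "icmp", src, dst)
            and vlan3_svi_passes(aces, direction, "icmp", dst, src))
```

Calling `ping_works(parse_acl(ACL_130), "out", "10.10.30.4", "10.10.20.15")` returns False, matching the "all communication blocked" symptom, while the same call with "in" returns True and a ping to 10.10.20.9 returns False in both directions.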

Thanks for the help Jon, and the explanation. I think I was just pinging the router too quickly (within 30 seconds) after I uploaded the config file. Everything seems to be working now.
