03-26-2009 11:45 AM - edited 03-06-2019 04:50 AM
Hi all. I am having trouble restricting communication between 2 VLANs via ACLs. What I am trying to do is configure an ACL that allows VLAN-3 (10.10.30.0) to only be able to talk to 3 specific hosts on VLAN-2 (i.e. 10.10.20.15 - 10.10.20.17).
If I apply acl-30 to vlan-3's outbound, then I have full communication between the 2 networks - so I know the physical setup of the network is ok. However, if I apply acl-130 to vlan-3's outbound in place of acl-30 then ALL communication is blocked between the 2 VLANs including the 3 specific hosts. I can however ping the gateways.
The following is the pertinent portion of my running config:
--------------------------------
interface Vlan2
ip address 10.10.20.1 255.255.255.0
ip access-group 20 out
ip access-group 21 in
ip nat inside
ip virtual-reassembly
!
interface Vlan3
ip address 10.10.30.1 255.255.255.0
ip access-group 130 out
ip access-group 31 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
!
access-list 20 permit 10.10.20.0 0.0.0.255
access-list 20 permit 10.10.30.0 0.0.0.255
!
access-list 21 permit 10.10.20.0 0.0.0.255
access-list 21 permit 10.10.30.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
access-list 30 permit 10.10.30.0 0.0.0.255
access-list 30 permit 10.10.20.0 0.0.0.255
!
access-list 31 permit 10.10.20.0 0.0.0.255
access-list 31 permit 10.10.30.0 0.0.0.255
!
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.15
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.16
access-list 130 permit ip 10.10.30.0 0.0.0.255 host 10.10.20.17
--------------------------------
Please advise.
03-26-2009 11:57 AM
You are applying acl 130 in the wrong direction.
inbound on a vlan interface is for traffic coming from hosts on that vlan
outbound on a vlan interface is for traffic going to hosts on that vlan
so you need to apply acl 130 inbound.
Jon
03-26-2009 12:10 PM
Inbound on VLAN-3?
03-26-2009 12:12 PM
"Inbound on VLAN-3?"
Yes.
03-26-2009 12:36 PM
Ok, it is working, somewhat...
Sending a ping to .15 .16 or .17 works as expected. Sending a ping to a host that should not be allowed to communicate responds as follows:
#1 Ping from 10.10.30.4 to 10.10.20.9:
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
#2 Ping from 10.10.30.4 to 10.10.20.9:
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable
Reply from 10.10.30.1: Destination net unreachable
#3 Ping from 10.10.30.4 to 10.10.20.9:
Request timed out.
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.20.9: bytes=32 time=3ms TTL=127
Reply from 10.10.30.1: Destination net unreachable
Why the 3 different responses on 3 different pings? Shouldn't the communication be blocked at all times? Or did I ping too fast after issuing the command to the router?
Also can you explain the following a bit more:
"inbound on a vlan interface is for traffic coming from hosts on that vlan
outbound on a vlan interface is for traffic going to hosts on that vlan"
This was completely opposite from what I was thinking, and is a bit confusing.
03-26-2009 01:58 PM
Can you post your updated config.
As for inbound/outbound think of it from the perspective of the vlan interface.
If a packet arrives inbound on the vlan interface then it has come from a client machine on that vlan. So when a client on that vlan transmits a packet destined for a machine on another vlan the client must send the packet to its vlan interface, i.e. the packet arrives inbound on the vlan interface.
Outbound means any packet going to a client on that vlan. Again think of it from the perspective of the vlan interface. If it needs to send a packet to a client on its own vlan it will send a packet out of its interface.
Does this help?
Jon
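To make the direction rule concrete, here is a small added simulator (not from the thread or from Cisco) of how a numbered extended ACL is evaluated on an SVI: IOS wildcard matching, first-match with the implicit deny, and "in" meaning packets sourced from that VLAN versus "out" meaning packets destined to it. It assumes ACLs 20, 21 and 31 from the posted config permit everything relevant and so ignores them, and it uses the thread's ACL 130 and addresses as constructed input.

```python
import ipaddress

# ACL 130 as posted in the thread: (action, src, src_wildcard, dst, dst_wildcard).
ACL_130 = [
    ("permit", "10.10.30.0", "0.0.0.255", "10.10.20.15", "0.0.0.0"),
    ("permit", "10.10.30.0", "0.0.0.255", "10.10.20.16", "0.0.0.0"),
    ("permit", "10.10.30.0", "0.0.0.255", "10.10.20.17", "0.0.0.0"),
]

# Constructed SVI table matching the posted interface Vlan2 / Vlan3 addresses.
SVIS = {"Vlan2": "10.10.20.0/24", "Vlan3": "10.10.30.0/24"}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'; compare only the 0 bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_decision(acl, src, dst):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def forwards(src, dst, bindings):
    """bindings: list of (svi, direction, acl). True if the packet src->dst
    passes every ACL it would traverse. 'in' on an SVI is checked only for
    packets sourced from that VLAN; 'out' only for packets destined to it."""
    for svi, direction, acl in bindings:
        net = ipaddress.ip_network(SVIS[svi])
        if direction == "in" and ipaddress.ip_address(src) in net:
            if acl_decision(acl, src, dst) == "deny":
                return False
        if direction == "out" and ipaddress.ip_address(dst) in net:
            if acl_decision(acl, src, dst) == "deny":
                return False
    return True


def session_allowed(client, server, bindings):
    """A ping or TCP session only works if the request AND the reply are forwarded."""
    return forwards(client, server, bindings) and forwards(server, client, bindings)


if __name__ == "__main__":
    for direction in ("out", "in"):
        ok = session_allowed("10.10.30.4", "10.10.20.15", [("Vlan3", direction, ACL_130)])
        print(f"acl 130 {direction} on Vlan3: 10.10.30.4 <-> 10.10.20.15 works = {ok}")
```

With `130 out` on Vlan3 the reply from 10.10.20.15 back to 10.10.30.4 is what gets evaluated, its source is not in 10.10.30.0/24, so it falls to the implicit deny and even the three allowed hosts are blocked; with `130 in` the request itself is evaluated and the intended filtering happens.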
03-26-2009 02:34 PM
Hey Jon,
How come he's got an inbound and outbound ACL per VLAN interface?
03-27-2009 05:51 AM
To accomplish what he wants all he needs is ACL 130 on the inbound direction.
interface Vlan3
ip address 10.10.30.1 255.255.255.0
ip access-group 130 in
ip nat inside
ip virtual-reassembly
03-30-2009 09:23 AM
Thanks for the help Jon, and the explanation. I think I was just pinging the router too quickly (within 30 seconds) after I uploaded the config file. Everything seems to be working now.