Access lists not working?

Jun 2nd, 2010

Recently I helped one of my customers migrate some LAN ports from a Nortel BayStack to a Cisco 3750 switch.

Previously, the Nortel BayStack was connected to the Cisco 3750 through a trunk port; this Nortel had only one LAN port, on one VLAN only.

The LAN port was migrated to the Cisco 3750, and I assigned the VLAN on the Cisco 3750 for this particular port.

The customer found that it is not able to ping after the migration.

On this particular VLAN, there is one access list implemented.


client -> nortel -> cisco 3750 Gi1/0/6 -> router


old config

------------------------------

interface GigabitEthernet1/0/6
switchport trunk encapsulation dot1q
switchport mode trunk


interface Vlan6
description Swimming Pool Vlan
ip address 172.25.101.1 255.255.255.0
ip access-group spool in


ip access-list extended spool
permit ip host 172.25.101.110 host 172.22.102.102
deny   ip any any



client -> cisco 3750 Gi1/0/6 -> router


new config

--------------------------------

interface GigabitEthernet1/0/6
description Swimming Pool Vlan
switchport access vlan 6
switchport mode access
spanning-tree portfast


interface Vlan6
  description Swimming Pool Vlan
  ip address 172.25.101.1 255.255.255.0
  ip access-group spool in


ip access-list extended spool
  permit ip host 172.25.101.110 host 172.22.102.102
  deny   ip any any



IP 172.25.101.110 is the client connected to GigabitEthernet1/0/6, while 172.22.102.102 is at the HQ office.

Now 172.25.101.110 cannot reach 172.22.102.102.

The only difference is that VLAN 6 is now on the Cisco 3750 instead of the Nortel BayStack.

Is there anything wrong with the config?

Giuseppe Larosa Wed, 06/02/2010 - 02:44

Hello Yeow,

You have changed the default gateway for the client.

Verify that the client is using 172.25.101.1 as its default gateway, with ipconfig /all in the shell (if it is a Windows OS).

Use arp -g to verify that the MAC address associated with the default gateway is the same as that of SVI Vlan6 on the C3750.

The SVI MAC address is reported in the sh int vlan6 output.



Hope to help

Giuseppe

Ganesh Hariharan Wed, 06/02/2010 - 09:41

Hi,


It should work. Just check a few things: are you able to ping the default gateway (the 3750 VLAN interface IP address) from the client, and from the switch are you able to ping the destination server IP address 172.22.102.102? Finally, as you have removed one device, just clear the ARP cache on the client PC and then try.


Hope to help!!


Ganesh.H


Remember to rate the helpful post
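To see what the spool access list on Vlan6 actually lets through, here is a small evaluator (an added example, not the poster's or Cisco's code) that applies the ACL's entries in order with the implicit trailing deny and runs the pings suggested in the replies through it. It goes a little beyond the two lines on the page by also accepting IOS wildcard masks; 172.25.101.50 is a constructed address for "some other host on VLAN 6".

```python
import ipaddress

# The access list from the post, copied verbatim (added example, not the poster's code).
SPOOL_ACL = """
permit ip host 172.25.101.110 host 172.22.102.102
deny   ip any any
"""

def parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcard only)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a hostmask (which is what an IOS wildcard is) after the slash.
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)

def parse_acl(text):
    """Turn extended-ACL lines into (action, protocol, src_net, dst_net) entries, in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        entries.append((action, proto, parse_addr(tokens), parse_addr(tokens)))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d in entries:
        if p in ("ip", proto) and src in s and dst in d:
            return action
    return "deny"

# The pings the replies suggest, as packets entering Vlan6 from the client side
# (172.25.101.50 is a constructed address standing in for another host on VLAN 6).
CHECKS = {
    "client -> HQ host 172.22.102.102": ("icmp", "172.25.101.110", "172.22.102.102"),
    "client -> Vlan6 SVI 172.25.101.1": ("icmp", "172.25.101.110", "172.25.101.1"),
    "other host -> HQ host":            ("icmp", "172.25.101.50", "172.22.102.102"),
}

def run_checks(acl_text=SPOOL_ACL):
    """Return {check name: 'permit' | 'deny'} for every packet in CHECKS."""
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, *pkt) for name, pkt in CHECKS.items()}

if __name__ == "__main__":
    for name, verdict in run_checks().items():
        print(f"{name:34} {verdict}")
```

The client's ping to the HQ host is permitted, but a ping from the client to the SVI address 172.25.101.1 itself falls to deny ip any any as the ACL is written, so that particular gateway test can fail even when the rest of the config is right.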
