Access lists not working?

Unanswered Question
Jun 2nd, 2010

Recently I helped one of my customers migrate some LAN ports from a Nortel BayStack to a Cisco 3750 switch.

Previously, a Nortel BayStack was connected to the Cisco 3750 through a trunk port; this Nortel had only one LAN port, on one VLAN only.

The LAN port was migrated to the Cisco 3750, and I assigned the VLAN on the Cisco 3750 for this particular port.

The customer found that it is not able to ping after the migration.

On this particular VLAN, there is one access-list implemented.

client -> nortel -> cisco 3750 Gi1/0/6 -> router

old config

------------------------------

interface GigabitEthernet1/0/6
  switchport trunk encapsulation dot1q
  switchport mode trunk

interface Vlan6
  description Swimming Pool Vlan
  ip address 172.25.101.1 255.255.255.0
  ip access-group spool in

ip access-list extended spool
  permit ip host 172.25.101.110 host 172.22.102.102
  deny   ip any any

client -> cisco 3750 Gi1/0/6 -> router

new config

--------------------------------

interface GigabitEthernet1/0/6
description Swimming Pool Vlan
switchport access vlan 6
switchport mode access
spanning-tree portfast

interface Vlan6
  description Swimming Pool Vlan
  ip address 172.25.101.1 255.255.255.0
  ip access-group spool in

ip access-list extended spool
  permit ip host 172.25.101.110 host 172.22.102.102
  deny   ip any any

IP 172.25.101.110 is the client connected to GigabitEthernet1/0/6, while 172.22.102.102 is at HQ office.

Now 172.25.101.110 cannot reach 172.22.102.102.

The only difference is that VLAN 6 is now on the Cisco 3750 instead of the Nortel BayStack.

Is there anything wrong with the config?

Giuseppe Larosa Wed, 06/02/2010 - 02:44

Hello Yeow,

You have changed the default gateway for the client.

Verify that:

the client is using 172.25.101.1 as its default gateway, with ipconfig /all in the shell (if it is a Windows OS);

use arp -g to verify that the MAC address associated with the default gateway is the same as that of SVI Vlan6 on the C3750;

the SVI MAC address is reported in the sh int vlan6 output.

Hope to help

Giuseppe
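The three checks Giuseppe lists can be automated once the command output is collected from the client and the switch. The script below is an added example, not code from this thread or from Cisco: it parses constructed `ipconfig /all`, `arp -a` and `show interfaces vlan6` output (the sample text and the MAC addresses are made up for the example), normalizes the Windows and IOS MAC notations to one form, and reports whether the client's gateway entry really points at the SVI. A mismatch means the client is still sending to a stale or foreign MAC, so its traffic never reaches the 3750's Vlan6 interface and the ACL is not even consulted.

```python
import re

# Constructed sample output, not taken from the thread: what the checks above
# might return on the client and on the 3750. The MAC addresses are made up.
WINDOWS_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 172.25.101.110
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.25.101.1
"""

WINDOWS_ARP = """\
Interface: 172.25.101.110 --- 0xb
  Internet Address      Physical Address      Type
  172.25.101.1          00-1a-2b-3c-4d-5e     dynamic
  172.25.101.50         00-aa-bb-cc-dd-ee     dynamic
"""

IOS_SHOW_INT_VLAN6 = """\
Vlan6 is up, line protocol is up
  Hardware is EtherSVI, address is 001a.2b3c.4d5e (bia 001a.2b3c.4d5e)
  Description: Swimming Pool Vlan
  Internet address is 172.25.101.1/24
"""

MAC_WINDOWS = re.compile(r"(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}")   # 00-1a-2b-3c-4d-5e
MAC_IOS = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}")            # 001a.2b3c.4d5e


def normalize_mac(mac):
    """Reduce 00-1a-2b-3c-4d-5e, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def windows_default_gateway(ipconfig_text):
    """Pull the IPv4 default gateway out of 'ipconfig /all' output, or None if absent."""
    m = re.search(r"Default Gateway[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", ipconfig_text)
    return m.group(1) if m else None


def windows_arp_entry(arp_text, ip):
    """Return the normalized MAC the client's ARP cache holds for ip, or None."""
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip and MAC_WINDOWS.fullmatch(parts[1]):
            return normalize_mac(parts[1])
    return None


def ios_svi_identity(show_int_text):
    """Return (ip, normalized MAC) of the SVI from 'show interfaces vlan6' output."""
    mac = MAC_IOS.search(show_int_text)
    ip = re.search(r"Internet address is (\d+\.\d+\.\d+\.\d+)/\d+", show_int_text)
    return (ip.group(1) if ip else None, normalize_mac(mac.group(0)) if mac else None)


def gateway_check(ipconfig_text, arp_text, show_int_text):
    """Run the three checks; return (ok, list of findings). ok is True only when the
    client points at the SVI address and its ARP cache maps that address to the
    SVI's own MAC."""
    findings = []
    gw = windows_default_gateway(ipconfig_text)
    svi_ip, svi_mac = ios_svi_identity(show_int_text)
    if gw is None:
        findings.append("client has no default gateway configured")
    elif gw != svi_ip:
        findings.append(f"client gateway {gw} is not the SVI Vlan6 address {svi_ip}")
    gw_mac = windows_arp_entry(arp_text, gw) if gw else None
    if gw and gw_mac is None:
        findings.append(f"no ARP entry for gateway {gw}: client cannot resolve it")
    elif gw_mac is not None and gw_mac != svi_mac:
        findings.append(f"gateway {gw} resolves to {gw_mac} but SVI Vlan6 is {svi_mac}: stale or foreign entry")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = gateway_check(WINDOWS_IPCONFIG, WINDOWS_ARP, IOS_SHOW_INT_VLAN6)
    print("OK" if ok else "\n".join(findings))
```

Paste the real command output into the three strings and run it; the "stale or foreign entry" finding is the case to look at first after a migration, since the client may still hold the MAC of the device that used to answer for 172.25.101.1.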

Ganesh Hariharan Wed, 06/02/2010 - 09:41

Hi,

It should work. Just check a few things: are you able to ping the default gateway, that is the 3750 VLAN interface IP address, from the client? From the switch, are you able to ping the destination server IP address 172.22.102.102? And finally, as you have removed one device, just clear the ARP cache on the client PC and then try again.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
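Both replies work from the fact that the `spool` ACL is identical in the old and the new config, so the filtering itself did not change. The evaluator below is an added example, not code from this thread or from Cisco: it parses the ACL exactly as it appears above (IOS extended-ACL syntax, the `host`/`any`/wildcard subset only, contiguous wildcards assumed), applies IOS first-match semantics with the implicit `deny ip any any`, and evaluates the flows the thread talks about. One thing it makes visible: an inbound ACL on an SVI also filters packets addressed to the SVI itself, so a ping from the client to the gateway 172.25.101.1 is denied by this ACL whether or not the migration is correct.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every IP protocol; "icmp"/"tcp"/"udp" match one
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard bits are the inverse of a netmask (only contiguous masks supported here)
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse the extended-ACL subset used in the thread:
    '<permit|deny> <proto> <src spec> <dst spec>', ignoring the header and remarks."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("ip", "remark", "!"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        entries.append(Ace(action, proto, src, dst))
    return entries


def evaluate(acl, proto, src, dst):
    """First matching entry wins; an unmatched packet hits IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# The ACL exactly as it appears in both the old and the new config in the thread.
SPOOL = """\
ip access-list extended spool
 permit ip host 172.25.101.110 host 172.22.102.102
 deny   ip any any
"""

CLIENT, HQ_SERVER, GATEWAY = "172.25.101.110", "172.22.102.102", "172.25.101.1"


def migration_flows():
    """Evaluate the flows the thread discusses against 'spool' as applied inbound on Vlan6.

    Only packets entering the SVI from the LAN side are checked: replies from HQ
    arrive via the router uplink and are not seen by this inbound ACL, and ARP
    is Layer 2, so an IP ACL never evaluates it at all."""
    acl = parse_acl(SPOOL)
    return {
        "client -> HQ server (icmp)": evaluate(acl, "icmp", CLIENT, HQ_SERVER),
        "client -> gateway SVI (icmp)": evaluate(acl, "icmp", CLIENT, GATEWAY),
        "other LAN host -> HQ server (tcp)": evaluate(acl, "tcp", "172.25.101.111", HQ_SERVER),
    }


if __name__ == "__main__":
    for flow, verdict in migration_flows().items():
        print(f"{flow:40} {verdict}")
```

Because the gateway ping is denied by design, a failed ping to 172.25.101.1 in this setup says nothing about forwarding; the ARP check from the earlier reply and the match counters in `show access-lists` on the 3750 are the useful signals, since a rising count on the `permit` line proves the client's packets are reaching Vlan6.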
