Probably an easy fix but something's weird in my config.
I am setting up a new network, so this is not production yet. Here's the general idea.
Routed environment, down to the access layer using 3560-x l3 switches.
vlan 10: data
vlan 20: wifi
vlan 30: wifi guests
vlan 40: voip
My objective is to allow all traffic OUTBOUND to certain subnets (10.10.0.0/24, 10.10.100.0/24, 10.10.110.0/24, 10.10.120.0/24) and block any other 10.0.0.0/8 networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.
Extended IP access list VLAN10_TRAFFIC_FLOW
10 permit ip any 10.10.0.0 0.0.0.255
20 permit ip any 10.10.100.0 0.0.0.255
30 permit ip any 10.10.110.0 0.0.0.255
40 permit ip any 10.10.120.0 0.0.0.255
50 deny ip any 10.0.0.0 0.255.255.255 (5 matches)
60 deny ip any 172.16.0.0 0.0.255.255
70 permit ip any any
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW out
The problem is, from the above info, when I ping 10.10.0.5 from a workstation in VLAN 10, it should match rule 10, but instead it matches rule 50 (as shown by the 5 matches).
Makes no sense to me as the logic, addressing and wildcard masks seem ok. What am I doing wrong?
The flow direction on a VLAN interface is as follows:
If you have an ACL in the 'in' direction it will match 10.104.10.x/24 as the source
If you have an ACL in the 'out' direction it will match 10.104.10.x/24 as the destination
In your case, you are matching on the return traffic from 10.0.0.0/8, thus you are seeing the expected result.
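To make the direction rule concrete, here is an added Python model (not Cisco code and not from either poster) of the ACL in the question and of how an SVI applies it 'in' versus 'out'. The workstation address 10.104.10.50 is a constructed example host in the 10.104.10.0/24 subnet of the Vlan10 interface.

```python
import ipaddress

# Constructed model of the ACL from the question: (seq, action, src, src_wildcard, dst, dst_wildcard).
# "any" is written as network 0.0.0.0 with wildcard 255.255.255.255.
VLAN10_TRAFFIC_FLOW = [
    (10, "permit", "0.0.0.0", "255.255.255.255", "10.10.0.0", "0.0.0.255"),
    (20, "permit", "0.0.0.0", "255.255.255.255", "10.10.100.0", "0.0.0.255"),
    (30, "permit", "0.0.0.0", "255.255.255.255", "10.10.110.0", "0.0.0.255"),
    (40, "permit", "0.0.0.0", "255.255.255.255", "10.10.120.0", "0.0.0.255"),
    (50, "deny", "0.0.0.0", "255.255.255.255", "10.0.0.0", "0.255.255.255"),
    (60, "deny", "0.0.0.0", "255.255.255.255", "172.16.0.0", "0.0.255.255"),
    (70, "permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

SVI_SUBNET = ipaddress.ip_network("10.104.10.0/24")  # subnet of the Vlan10 SVI in the question


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def evaluate_acl(rules, src: str, dst: str):
    """Return (seq, action) of the first matching line, or (None, 'deny') for the implicit deny."""
    for seq, action, s_net, s_wc, d_net, d_wc in rules:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return seq, action
    return None, "deny"


def svi_filter(rules, direction: str, src: str, dst: str):
    """Apply an ACL bound to the SVI with 'ip access-group ... in|out'.
    'in'  sees packets arriving from the VLAN (source inside the SVI subnet);
    'out' sees packets leaving the SVI toward the VLAN (destination inside it).
    Packets travelling the other way are not evaluated by this ACL at all."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "in" and src_ip in SVI_SUBNET:
        return evaluate_acl(rules, src, dst)
    if direction == "out" and dst_ip in SVI_SUBNET:
        return evaluate_acl(rules, src, dst)
    return None, "not evaluated"


if __name__ == "__main__":
    host, target = "10.104.10.50", "10.10.0.5"  # constructed workstation and the ping target
    # Applied 'out' as in the question: the echo request is never checked, the echo reply hits line 50.
    print("out, request:", svi_filter(VLAN10_TRAFFIC_FLOW, "out", host, target))
    print("out, reply:  ", svi_filter(VLAN10_TRAFFIC_FLOW, "out", target, host))
    # Applied 'in': the echo request is matched by line 10 as intended.
    print("in,  request:", svi_filter(VLAN10_TRAFFIC_FLOW, "in", host, target))
```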