Simple ACL Not Working

Answered Question
Jun 12th, 2012

Hi there,


I have what I thought would be a simple ACL.  See the attached overview.  I have applied an ACL to a port connected to a Dell switch.  All the machines on this Dell switch live on the 172.10.x.x network.  I have a single server (on another subnet) hanging off the Cisco switch that I want to allow traffic to as well as a couple of machines hanging off the Cisco that belong to the 172.10.x.x network that need to communicate over to the Dell switch.  Here was my thought process:


1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)


2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100  – Ingress


3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress


4 – Apply to port connecting Cisco switch to Dell switch


When I apply the ACL I am unable to ping 172.10.0.50 from 172.20.100.100 - what am I missing?!?!?!


Thanks!

Correct Answer
David Hornstein Wed, 06/20/2012 - 07:08

The subnet masks in your PDF look weird; the switch is using reverse masking, so the address and mask would be:


1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)


but the switch looks at ingress not egress.


2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100  – Ingress

172.10.0.0  mask= 0.0.255.255  to 172.20.100.100  mask=0.0.0.0


3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress

172.20.100.100  mask=0.0.0.0  to 172.10.0.0  mask=0.0.255.255



There are plenty of examples of access-lists for 300 series switches within this community; try a search and see what you get for more examples.


regards Dave    

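As an added illustration (not part of the thread), the following Python evaluates the three entries from the answer above the way the switch does: wildcard bits set to 1 are "don't care", the first matching entry wins, and an implicit deny ends the list. It also checks the same entries written with ordinary subnet masks, which is my assumption about what the "weird" masks in the PDF were, and shows why the echo reply arriving inbound on the Dell-facing port is dropped in that case.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco inverse mask: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & keep) == (b & keep)

def evaluate_acl(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

# Entries as given in the answer: (action, src, src-wildcard, dst, dst-wildcard).
ACL_WILDCARD = [
    ("permit", "172.10.0.0", "0.0.255.255", "172.10.0.0", "0.0.255.255"),
    ("permit", "172.10.0.0", "0.0.255.255", "172.20.100.100", "0.0.0.0"),
    ("permit", "172.20.100.100", "0.0.0.0", "172.10.0.0", "0.0.255.255"),
]

# Constructed: the same intent typed with subnet masks instead of wildcards
# (assumed to be the mistake in the original PDF).
ACL_SUBNET_MASK = [
    ("permit", "172.10.0.0", "255.255.0.0", "172.10.0.0", "255.255.0.0"),
    ("permit", "172.10.0.0", "255.255.0.0", "172.20.100.100", "255.255.255.255"),
    ("permit", "172.20.100.100", "255.255.255.255", "172.10.0.0", "255.255.0.0"),
]

def ping_reply_allowed(acl) -> bool:
    # The ACL is applied inbound on the port facing the Dell switch, so the
    # only packet of the ping it ever inspects is the echo reply coming back
    # from 172.10.0.50 to 172.20.100.100; the request leaves unfiltered.
    return evaluate_acl(acl, "172.10.0.50", "172.20.100.100") == "permit"

if __name__ == "__main__":
    print("wildcard ACL permits reply:", ping_reply_allowed(ACL_WILDCARD))
    print("subnet-mask ACL permits reply:", ping_reply_allowed(ACL_SUBNET_MASK))
```

With a wildcard of 255.255.0.0 the switch ignores the first two octets and requires the last two to be exactly 0.0, so 172.10.0.50 never matches and the reply falls through to the implicit deny.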
cfrasnelly Thu, 06/21/2012 - 10:05

Sometimes I take things a bit too literally... thanks David.

David Hornstein Thu, 06/21/2012 - 10:13

Hi


Sometimes I wish we didn't use inverse masking on ACLs. But I am glad you are up and running.


regards Dave
