Simple ACL Not Working

cfrasnelly
Level 1

Hi there,

I have what I thought would be a simple ACL.  See the attached overview.  I have applied an ACL to a port connected to a Dell switch.  All the machines on this Dell switch live on the 172.10.x.x network.  I have a single server (on another subnet) hanging off the Cisco switch that I want to allow traffic to as well as a couple of machines hanging off the Cisco that belong to the 172.10.x.x network that need to communicate over to the Dell switch.  Here was my thought process:

1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)

2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100  – Ingress

3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress

4 – Apply to port connecting Cisco switch to Dell switch

When I apply the ACL I am unable to ping 172.10.0.50 from 172.20.100.100 - what am I missing?!?!?!

Thanks!

Accepted Solution

David Hornstein
Level 7

The subnet masks in your PDF look weird; the switch is using reverse masking, so the address and mask would be:

1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)

but the switch looks at ingress, not egress.

2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100  – Ingress

172.10.0.0 mask=0.0.255.255 to 172.20.100.100 mask=0.0.0.0

3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress

172.20.100.100 mask=0.0.0.0 to 172.10.0.0 mask=0.0.255.255


There are plenty of examples of access lists for 300 series switches within this community; try a search and see what you get for more examples.

regards Dave

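Worked example, added here and not part of Dave's or cfrasnelly's posts: a small Python model of how the switch evaluates the three rules from the accepted answer. It assumes wildcard (inverse) masks, first-match evaluation with an implicit deny-all at the end, and an ACL applied inbound only on the Dell-facing port, which is the behaviour Dave describes. The "weird" masks in the PDF are not on this page, so the SUBNET_MASK_ACL below is an assumed reconstruction of the likely mistake (subnet masks typed where wildcards belong), included to show why the ping reply would then fall to the implicit deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACE: action plus source/destination address and WILDCARD mask."""
    action: str       # "permit" or "deny"
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def to_wildcard(subnet_mask: str) -> str:
    """Invert a subnet mask into the wildcard form the switch expects."""
    return str(ipaddress.IPv4Address(~_ip(subnet_mask) & 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def matching_rule(acl: List[Rule], src: str, dst: str) -> Optional[int]:
    """Index of the first ACE that matches, or None (falls to implicit deny)."""
    for i, r in enumerate(acl):
        if wildcard_match(src, r.src, r.src_wild) and wildcard_match(dst, r.dst, r.dst_wild):
            return i
    return None


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    i = matching_rule(acl, src, dst)
    return acl[i].action if i is not None else "deny"   # implicit deny-all at the end


def trace_ping(ingress_acl: List[Rule], pinger: str, target: str) -> dict:
    """Ping from the Cisco side to a host behind the Dell switch, with the ACL
    applied INBOUND on the Dell-facing port (assumption: ingress-only filtering).
    The echo request leaves that port, so the ACL never sees it; the echo reply
    enters the port and is the packet the ACL actually filters."""
    return {
        "request": "permit",                        # egress: not filtered
        "reply": evaluate(ingress_acl, target, pinger),
    }


# Rules 1-3 from the thread, in the wildcard form given in the accepted answer.
CORRECT_ACL = [
    Rule("permit", "172.10.0.0", "0.0.255.255", "172.10.0.0", "0.0.255.255"),
    Rule("permit", "172.10.0.0", "0.0.255.255", "172.20.100.100", "0.0.0.0"),
    Rule("permit", "172.20.100.100", "0.0.0.0", "172.10.0.0", "0.0.255.255"),
]

# Assumed mistake (constructed, not from the PDF): subnet masks where wildcards belong.
# 255.255.0.0 as a wildcard means "ignore the first 16 bits, match the LAST 16",
# so 172.10.0.50 no longer matches 172.10.0.0 at all.
SUBNET_MASK_ACL = [
    Rule("permit", "172.10.0.0", "255.255.0.0", "172.10.0.0", "255.255.0.0"),
    Rule("permit", "172.10.0.0", "255.255.0.0", "172.20.100.100", "255.255.255.255"),
    Rule("permit", "172.20.100.100", "255.255.255.255", "172.10.0.0", "255.255.0.0"),
]


if __name__ == "__main__":
    print("255.255.0.0 as wildcard ->", to_wildcard("255.255.0.0"))
    print("correct masks  :", trace_ping(CORRECT_ACL, "172.20.100.100", "172.10.0.50"))
    print("subnet masks   :", trace_ping(SUBNET_MASK_ACL, "172.20.100.100", "172.10.0.50"))
    # Rule 3 (server -> 172.10.x.x) is the egress direction; on an inbound ACL on the
    # Dell-facing port it never fires, because nothing entering from the Dell side
    # carries the server's address as its source.
    print("reply matched rule index:", matching_rule(CORRECT_ACL, "172.10.0.50", "172.20.100.100"))
```

Two things the trace makes visible: the packet the inbound ACL judges is the echo reply (source 172.10.0.50, destination 172.20.100.100), which rule 2 permits, and rule 3 is dead weight on an inbound ACL at that port. Also note that 172.10.0.0/16 lies outside the RFC 1918 block 172.16.0.0/12, so it is publicly routable space; the example uses it only because the thread does.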

3 Replies


cfrasnelly
Level 1

Sometimes I take things a bit too literally... thanks David.

Hi

Sometimes I wish we didn't use inverse masking on ACLs. But I am glad you are up and running.

regards Dave
