06-12-2012 04:38 PM
Hi there,
I have what I thought would be a simple ACL. See the attached overview. I have applied an ACL to a port connected to a Dell switch. All the machines on this Dell switch live on the 172.10.x.x network. I have a single server (on another subnet) hanging off the Cisco switch that I want to allow traffic to as well as a couple of machines hanging off the Cisco that belong to the 172.10.x.x network that need to communicate over to the Dell switch. Here was my thought process:
1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)
2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100 – Ingress
3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress
4 – Apply to port connecting Cisco switch to Dell switch
When I apply the ACL I am unable to ping 172.10.0.50 from 172.20.100.100 - what am I missing?!?!?!
Thanks!
06-20-2012 07:08 AM
The subnet masks in your PDF look weird, the switch is using reverse masking so the address and mask would be,
1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)
but the switch looks at ingress not egress.
2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100 – Ingress
172.10.0.0 mask=0.0.255.255 to 172.20.100.100 mask=0.0.0.0
3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress
172.20.100.100 mask=0.0.0.0 to 172.10.0.0 mask=0.0.255.255
there are plenty examples of access-list for 300 series switches within this community, try a search and see what you get for more examples.
regards Dave
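The reverse (wildcard) masks Dave describes can be checked with a small model of how the switch matches an address against an access-list entry. This is an added example, not code from the thread or from Cisco; the three permit entries and the test addresses are taken from the post, and the ACL is evaluated top-down with the implicit deny at the end, for packets arriving (ingress) on the port. It also shows what happens when a normal subnet mask is typed where a wildcard mask belongs.

```python
import ipaddress

# Constructed model of Cisco-style ACL matching with inverse (wildcard) masks.
# In a wildcard mask a 1 bit means "don't care", a 0 bit means "must match".

def wildcard_from_mask(subnet_mask: str) -> str:
    """Convert a normal subnet mask (255.255.0.0) to its inverse wildcard (0.0.255.255)."""
    inverted = int(ipaddress.IPv4Address(subnet_mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))

def matches(addr: str, base: str, wildcard: str) -> bool:
    """True when addr agrees with base on every bit the wildcard marks as 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# The three permit entries from the thread as (src, src_wildcard, dst, dst_wildcard).
# Anything not matched falls through to the implicit deny, as on a Cisco ACL.
ACL = [
    ("172.10.0.0", "0.0.255.255", "172.10.0.0", "0.0.255.255"),   # rule 1: 172.10/16 to itself
    ("172.10.0.0", "0.0.255.255", "172.20.100.100", "0.0.0.0"),   # rule 2: 172.10/16 to the server
    ("172.20.100.100", "0.0.0.0", "172.10.0.0", "0.0.255.255"),   # rule 3: server to 172.10/16
]

def evaluate(acl, src: str, dst: str):
    """Walk the ACL top-down; return ("permit", rule_no) or ("deny", None) on implicit deny."""
    for n, (s, sw, d, dw) in enumerate(acl, start=1):
        if matches(src, s, sw) and matches(dst, d, dw):
            return ("permit", n)
    return ("deny", None)

if __name__ == "__main__":
    # Ping reply from the Dell side (172.10.0.50) entering the port towards the server.
    print(evaluate(ACL, "172.10.0.50", "172.20.100.100"))       # permitted by rule 2
    # Same base address, but a subnet mask mistakenly used as the wildcard:
    # only the host bits now have to match, so 172.10.0.50 no longer matches 172.10.0.0.
    print(matches("172.10.0.50", "172.10.0.0", "255.255.0.0"))  # False
```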
06-21-2012 10:05 AM
Sometimes I take things a bit too literally... thanks David.
06-21-2012 10:13 AM
Hi
Sometimes I wish we didn't use inverse masking on ACL. But I am glad you are up and running.
regards Dave