Reg: ACLs

Janardhan Meesala · ‎12-28-2011

HI Experts,

In my lab setup i configured Cisco 3560 switch.

VLAN 20 and VLAN 30 i configured.

VLAN 20 interface IP : 192.168.20.1/24

VLAN 30 interface IP : 192.168.30.1/24.

Inter-vlan communication is happening fine.

For testing for purpose i configured extended ACLs.

Here is my requirement:

i want stop communication from VLAN 30 to VLAN 20 but not vice-versa.

Here i configured like this:

access-list 111 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 111 permit ip any any

applied ACL in VLAN 30 interface 'in' direction.

ip access-group 111 in

In this scenario, communication is stopping in both directions.

If i ping from one of the IP VLAN 20 to one of the ip of VLAN 30, i was gettng Requested time out. And if i ping from one of the IP VLAN 20 to VLAN 30 interface IP, i was able get pinging.

From VLAN 30 to VLAN 20, i was getting destination host unreachable from VLAN 30 ip( Its fine as its my requirement)

So, solution needed to communicate from VLAN 20 to VLAN 30.

Regards,

Janardhan

Julio Carvajal · ‎12-28-2011

Hello,

What if you do a reflexive ACL on the .20 vlan.

ip access-list extended test

permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255 reflect test-123

ip access-list extended inbound-packets

evaluate test-123

interface fastethernet 0/1.20

ip access-group test out

ip access-group inbound-packets in

Please let me know the result of this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC