11-20-2009 01:14 PM - edited 03-06-2019 08:40 AM
I'm playing around with vlan ACLs on a 3550. Here is a snippet of my config:
vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11
ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www
Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?
Thanks in advance.
11-20-2009 01:25 PM
iancarder wrote:
I'm playing around with vlan ACLs on a 3550. Here is a snippet of my config:
vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11
ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www
Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?
Thanks in advance.
I don't have a 3550 to hand to test with, so I may be wrong, but VLAN maps do not have a direction. So your traffic going from Host A to the web server is allowed because of the "permit tcp any any eq www" line in your ACL. But the return traffic will be dropped because there is no matching line. Try adding this to the ACL:
permit tcp any eq 80 any
Jon
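To illustrate Jon's point, here is an added Python model (my own example, not code from this thread or from Cisco) that applies each line of the extended ACL to both directions of the HTTP exchange and to the pings. It assumes a VLAN map with a single "action forward" entry whose unmatched packets hit the implicit drop, and it uses a made-up client port 40001.

```python
# Constructed example, not Cisco code or the poster's config: a toy model of how a
# VLAN map with one "action forward" entry evaluates the packets in this thread.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # 0 = no port
PORT_NAMES = {"www": 80}  # IOS port keyword used in the thread

def _parse_addr(tokens):  # consume 'any' or 'host A.B.C.D' -> (matcher, rest)
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")

def _parse_port(tokens):  # consume optional 'eq <port>' -> (port, or 0 for any; rest)
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), tokens[2:]
    return 0, tokens

def parse_ace(line):
    """One 'permit <proto> {any|host A} [eq P] {any|host B} [eq P]' line
    -> (proto, src, sport, dst, dport). Only the forms in the thread are handled."""
    tokens = line.split()
    assert tokens[0] == "permit", "only permit entries are modelled here"
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return tokens[1], src, sport, dst, dport

def matches(ace, pkt):
    proto, src, sport, dst, dport = ace
    return (proto == pkt.proto and src in ("any", pkt.src) and dst in ("any", pkt.dst)
            and sport in (0, pkt.sport) and dport in (0, pkt.dport))

def vacl_forwards(acl_lines, pkt):
    """A VLAN map has no direction: every packet in the VLAN, whichever way it is
    travelling, must hit a permit entry or it falls to the map's implicit drop."""
    return any(matches(parse_ace(line), pkt) for line in acl_lines)

def http_exchange(client, server, sport=40001):
    """The request and its reply, as the VLAN map sees both of them (sport is made up)."""
    return Packet("tcp", client, server, sport, 80), Packet("tcp", server, client, 80, sport)

# The ACL from the thread, then with Jon's suggested return-traffic line added.
ACL_ORIGINAL = ["permit icmp host 192.168.2.4 host 10.1.3.101",
                "permit icmp host 10.1.3.101 host 192.168.2.4",
                "permit tcp any any eq www"]
ACL_FIXED = ACL_ORIGINAL + ["permit tcp any eq 80 any"]
```

Running `vacl_forwards` over the reply packet shows the original ACL dropping the server's answer on port 80, while the pings pass because both ICMP directions are listed explicitly.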
11-20-2009 01:40 PM
Jon,
Thanks! That did the trick. For some reason I thought the eq statement always went on the end of the statement rather than after the host/network/any.