Cisco Support Community

New Member

ACL Config on a catalyst 3550

I'm playing around with VLAN ACLs on a 3550. Here is a snippet of my config:

vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: ACL Config on a catalyst 3550

iancarder wrote:

I'm playing around with VLAN ACLs on a 3550. Here is a snippet of my config:

vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

I don't have a 3550 to hand to test with, so I may be wrong, but VLAN maps do not have a direction. So your traffic going from Host A to the web server is allowed because of the "permit tcp any any eq www" line in your ACL, but the return traffic will be dropped because there is no matching line. Try adding this to the ACL:

permit tcp any eq 80 any

Jon
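Jon's point, that a VLAN map is stateless and has no direction so the server's reply needs an entry of its own, can be checked with a small ACL evaluator. The following is an added example, not code from the thread or from Cisco: it parses the subset of `ip access-list extended` syntax used in the post (permit/deny, ip/icmp/tcp/udp, `any` / `host A` / `NET WILDCARD`, optional `eq PORT` on either side), walks the entries in order with the implicit deny at the end, and runs the browser's request, the web server's reply and a deliberately crafted probe sourced from port 80 through both the original list and the list with Jon's line appended. The client ephemeral port 51000 and the probe address 203.0.113.9 are constructed for the example.

```python
"""Stateless, order-dependent evaluation of a Cisco-style extended ACL.

A VACL is applied to every packet entering the VLAN, bridged or routed,
with no connection state and no direction, so each half of a TCP session
must be matched by its own entry.  This models that behaviour.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS port keywords that appear in ACLs (subset)
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                  # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str                   # original line, reported when it matches


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "NETWORK WILDCARD": ipaddress accepts an IOS wildcard (host mask) directly
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    # Only the "eq PORT" operator is modelled; anything else means "no port test"
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)      # source port test sits right after the source address
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)      # destination port test sits after the destination address
        entries.append(Entry(action, proto, src, sport, dst, dport, line))
    return entries


def _matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    return True


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match at all is the implicit deny."""
    for e in entries:
        if _matches(e, p):
            return e.action, e.text
    return "deny", None


# The ACL exactly as posted in the thread, and the same list with Jon's line appended
ORIGINAL_ACL = """
ip access-list extended icmp-h1h2
 permit icmp host 192.168.2.4 host 10.1.3.101
 permit icmp host 10.1.3.101 host 192.168.2.4
 permit tcp any any eq www
"""
FIXED_ACL = ORIGINAL_ACL + " permit tcp any eq 80 any\n"

# Constructed sample traffic: Host A's SYN to the web server, the server's SYN-ACK,
# and a probe that abuses the fix by sourcing from port 80 (port 51000 and 203.0.113.9 are made up)
HTTP_REQUEST = Packet("tcp", "192.168.2.4", "10.1.1.7", sport=51000, dport=80)
HTTP_REPLY = Packet("tcp", "10.1.1.7", "192.168.2.4", sport=80, dport=51000)
PORT80_PROBE = Packet("tcp", "203.0.113.9", "192.168.2.4", sport=80, dport=22)


def verdicts(acl_text: str) -> dict:
    entries = parse_acl(acl_text)
    return {name: evaluate(entries, pkt)[0]
            for name, pkt in (("request", HTTP_REQUEST), ("reply", HTTP_REPLY), ("probe", PORT80_PROBE))}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("with 'permit tcp any eq 80 any'", FIXED_ACL)):
        print(label, verdicts(acl))
```

With the original list the request is permitted and the reply hits the implicit deny, which is the timeout in the question; with Jon's line both halves pass. The third packet shows the cost of the fix: `permit tcp any eq 80 any` admits any packet whose source port is 80, whatever its destination port, so a host that can pick its source port reaches any TCP service behind the map. A stateless VACL cannot tell a genuine reply from such a probe; the narrowest form is to restrict the reply entry to the client side (for example `permit tcp any eq 80 host 192.168.2.4`) and to use the `established` keyword where the platform accepts it in the ACL referenced by the VLAN map.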

2 REPLIES

New Member

Re: ACL Config on a catalyst 3550

Jon,

Thanks! That did the trick. For some reason I thought the eq statement always went at the end of the statement rather than after the host/network/any.
