acl directions

Hello All,

I am confused about how ACLs behave on a normal Cisco switch (e.g. 6500) when applied to the respective VLANs. This is my scenario:

On a 6506, I have 2 main VLANs in question: Vlan 100 ( vendor1 - 172.16.100.0/24 ) & Vlan 200 ( vendor2 - 172.16.200.0/24 ). The requirement is:

- vendor1 should be able to access/ping vendor2 end points

- vendor2 should not be able to access/ping vendor1 end points

( the other VLANs 120, 130, 140 also exist, but they are not supposed to be accessed by VLAN 100 or VLAN 200 )

Below is my ACL on VLAN 100, applied in the inbound direction.

line 1: access-list 120 deny ip 172.16.100.0 0.0.0.255 172.16.120.0 0.0.0.255
line 2: access-list 120 deny ip 172.16.100.0 0.0.0.255 172.16.130.0 0.0.0.255
line 3: access-list 120 deny ip 172.16.100.0 0.0.0.255 172.16.140.0 0.0.0.255
line 4: access-list 120 permit ip any any

ACL on VLAN 200, applied in the inbound direction.

line 1: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
line 2: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.130.0 0.0.0.255
line 3: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.140.0 0.0.0.255
line 4: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.120.0 0.0.0.255
line 5: access-list 115 permit ip any any

Now, if I ping from host 172.16.100.11 in VLAN 100 to host 172.16.200.21 in VLAN 200, will I get a successful response?

Thanks in advance.

1 ACCEPTED SOLUTION


acl directions

Hi,

Nope, as the echo-reply will also get blocked.

Regards,

Smitesh

4 REPLIES


acl directions

Thanks Smitesh,

Will it be blocked because of this line on VLAN 200 on the return path?

line 1: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255

If so, that means the ACLs on switches are not stateful like on firewalls.

And in this case, how do we ensure that VLAN 100 can at least get a ping response back from VLAN 200, while VLAN 200 still shouldn't be able to access anything else on VLAN 100?

Krishnendu, thanks, but the ACL below permits VLAN 200.

acl directions

Hello,

First off, ACLs are stateless. You need to be careful when configuring this.

line 1: access-list 115 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
line 2: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
line 3: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.130.0 0.0.0.255
line 4: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.140.0 0.0.0.255
line 5: access-list 115 deny ip 172.16.200.0 0.0.0.255 172.16.120.0 0.0.0.255
line 6: access-list 115 permit ip any any

VLAN 100 also cannot access VLAN 200 except via ICMP.

HTH,

Toshi
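To make the stateless behaviour discussed above concrete, here is an added example (not from any poster in this thread) that evaluates the two inbound ACLs from the question against the echo request and the echo reply of the ping, then repeats the check with Toshi's permit-icmp line and with a tighter variant that admits only echo-reply traffic back into VLAN 100. The Ace model, the evaluation order and the echo-reply variant are my own assumptions, written to mirror IOS first-match semantics with the implicit deny at the end.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or "network wildcard"
    dst: str
    icmp_type: Optional[str] = None  # e.g. "echo-reply"; None = any ICMP type

def wildcard_match(addr, spec):
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a ^ n) & ~w & 0xFFFFFFFF == 0   # 1-bits in the wildcard are "don't care"

def evaluate(acl, pkt):
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for i, ace in enumerate(acl, 1):
        if ace.proto not in ("ip", pkt["proto"]):
            continue
        if ace.icmp_type and ace.icmp_type != pkt.get("icmp_type"):
            continue
        if wildcard_match(pkt["src"], ace.src) and wildcard_match(pkt["dst"], ace.dst):
            return ace.action, i
    return "deny", 0   # implicit deny, no explicit line matched

V100, V120, V130, V140, V200 = ("172.16.%d.0 0.0.0.255" % v for v in (100, 120, 130, 140, 200))
# ACL 120 inbound on interface vlan 100 and ACL 115 inbound on vlan 200, as posted in the question
ACL_120 = [Ace("deny", "ip", V100, v) for v in (V120, V130, V140)] + [Ace("permit", "ip", "any", "any")]
ACL_115 = [Ace("deny", "ip", V200, v) for v in (V100, V130, V140, V120)] + [Ace("permit", "ip", "any", "any")]
# Toshi's fix: permit all ICMP from vlan 200 to vlan 100 ahead of the deny
ACL_115_TOSHI = [Ace("permit", "icmp", V200, V100)] + ACL_115
# Tighter variant (my assumption, not from the thread): only echo replies back, so vlan 200 cannot ping vlan 100
ACL_115_REPLY_ONLY = [Ace("permit", "icmp", V200, V100, "echo-reply")] + ACL_115

def ping_outcome(acl_src_vlan_in, acl_dst_vlan_in, src="172.16.100.11", dst="172.16.200.21"):
    """Return (request verdict, reply verdict) for a ping src -> dst, each as (action, line number)."""
    req = {"proto": "icmp", "icmp_type": "echo", "src": src, "dst": dst}
    rep = {"proto": "icmp", "icmp_type": "echo-reply", "src": dst, "dst": src}
    return evaluate(acl_src_vlan_in, req), evaluate(acl_dst_vlan_in, rep)

if __name__ == "__main__":
    print(ping_outcome(ACL_120, ACL_115))             # (('permit', 4), ('deny', 1))  reply dropped
    print(ping_outcome(ACL_120, ACL_115_TOSHI))       # (('permit', 4), ('permit', 1))
    print(ping_outcome(ACL_120, ACL_115_REPLY_ONLY))  # (('permit', 4), ('permit', 1))
```

Swapping the arguments (`ping_outcome(ACL_115_TOSHI, ACL_120, src="172.16.200.21", dst="172.16.100.11")`) shows the trade-off of Toshi's line: VLAN 200 can now ping VLAN 100 as well, while the echo-reply-only variant still denies that request on its line 2.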


acl directions

VLAN 100

line 1: access-list 120 deny ip 172.16.100.0 0.0.0.255 172.16.120.0 0.0.0.255

------------------------------------------------------------------------------------------------

Pinging 172.16.100.11 --> 172.16.200.21

This will match the inbound access-list at interface vlan 100. So the packet will be denied.
