Solved: acl directions

suthomas1 · ‎11-22-2011

Hello All,

I am confused on how acl's respond on normal cisco switch (eg.6500) when applied on respective vlans. this is my scenario:

on a 6506, i have 2 main vlans in question: Vlan 100 ( vendor1 - 172.16.100.0/24 ) & Vlan 200 ( vendor2 - 172.16.200.0/24 ). the requirement is,

- vendor1 should be able to access/ping vendor2 end points

- vendor2 should not be able to access/ping vendor1 end points

( the other vlans 120,130,140 also exist but they are not supposed to be accessed by vlan 100 or vlan 200)

below is my acl on vlan100 applied inbound direction.

line 1 access-list 120 exten deny ip 172.16.100.0 0.0.0.255 ip 172.16.120.0 0.0.0.255

line 2 access-list 120 exten deny ip 172.16.100.0 0.0.0.255 ip 172.16.130.0 0.0.0.255

line 3 access-list 120 exten deny ip 172.16.100.0 0.0.0.255 ip 172.16.140.0 0.0.0.255

line 4 access-list 120 permit ip any any

acl on vlan200 applied in inbound direction.

line 1 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.100.0 0.0.0.255

line 2 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.130.0 0.0.0.255

line 3 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.140.0 0.0.0.255

line 4 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.120.0 0.0.0.255

line 5 access-list 115 permit ip any any

Now, if i ping from a host 172.16.100.11 in vlan 100 to another host 172.16.200.21 in vlan 200, will i be able to get a successful response ?

thanks in advance.

smitesh kharecha · ‎11-22-2011

Hi,

Nope, as echo-reply will also get blocked.

Regards,

Smitesh

View solution in original post

smitesh kharecha · ‎11-22-2011

Hi,

Nope, as echo-reply will also get blocked.

Regards,

Smitesh

suthomas1 · ‎11-22-2011

thanks Smitesh,

will it be blocked because of this :

line 1 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.100.0 0.0.0.255 line on vlan 200 on the return path?

if so, that means the acl's on switches are not stateful like on firewalls.

and in this case how do we ensure that vlan 100 can get atleast a ping response back from vlan 200 but still vlan 200 shouldnt be able to access anything else on vlan 100.

Krishnendu, thanks but the acl below permits vlan 200.

Thotsaphon Lueangwattanaphong · ‎11-22-2011

Hello,

First off,ACL is stateless. You need to be careful when configuring this.

line 1 access-list 115 exten permit icmp 172.16.200.0 0.0.0.255 ip 172.16.100.0 0.0.0.255

line 2 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.100.0 0.0.0.255

line 3 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.130.0 0.0.0.255

line 4 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.140.0 0.0.0.255

line 5 access-list 115 exten deny ip 172.16.200.0 0.0.0.255 ip 172.16.120.0 0.0.0.255

line 6 access-list 115 permit ip any any

VLAN 100 cannot also access VLAN 200 but icmp

HTH,

Toshi

Krishnendu AR · ‎11-22-2011

VLAN100

line 1 access-list 120 exten deny ip 172.16.100.0 0.0.0.255 ip 172.16.120.0 0.0.0.255

------------------------------------------------------------------------------------------------

Pinging-->172.16.100.11 --> 172.16.200.21

This is will match the inbound access-list at interface vlan 100. So the packet will be denied.