07-09-2013 08:45 AM - edited 03-07-2019 02:18 PM
Hello sirs, I have 2 VLANs on my UC560, VLAN 100 for voice and VLAN 90 for data. Both VLANs can't communicate, but with a custom ACL this is implicit, but it doesn't work.
I will show my sh run, please help me.
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly in
interface Vlan100
 description $FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly in
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_6##
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.9.0 0.0.0.255 any
access-list 101 deny ip 10.1.10.0 0.0.0.3 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration##NO_ACES_8##
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 102 deny ip 192.168.9.0 0.0.0.255 any
access-list 102 deny ip 192.168.10.0 0.0.0.255 any
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
So based on ACL 102, the line "access-list 102 deny ip 192.168.10.0 0.0.0.255 any" should block access from the VLAN 1 IPs on VLAN 100, but I can still access the IP 10.1.1.1.
What's wrong? :S
Thanks a lot to all!
Solved!
07-09-2013 08:55 AM
Try this:
To block From Vlan 1 to Vlan 100
access-list 101 deny ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
To block from Vlan 100 to Vlan 1
access-list 102 deny ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255
The 'in' on an SVI (VLAN interface) is blocking packets entering the VLAN.
In the case of Vlan 1, packets entering the Vlan are in the 192.168.10.0/24 subnet.
In the case of Vlan 100, packets entering the Vlan are in the 10.1.1.0/24 subnet.
You need to make sure you match the source and destination subnets when applying ACLs.
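To make the direction point concrete, here is an added Python simulation (not from this thread and not Cisco code) that evaluates the thread's ACL 102 the way a router does: first match wins, with an implicit deny at the end. It walks a constructed packet entering Vlan100 (source 10.1.1.50, destination 192.168.10.1) through the original ACL and through the corrected one, and also shows the ordering caveat a practitioner would check: on a numbered ACL a newly typed line is appended after `permit ip any any`, so the deny only takes effect if it is placed before that line (by recreating the ACL or using sequence numbers). The sample addresses and the `evaluate`/`parse_ace` helper names are assumptions of this example.

```python
import ipaddress

# ACL 102 exactly as posted in the thread (remark lines are kept and skipped by the parser).
ORIGINAL_102 = [
    "access-list 102 remark SDM_ACL Category=1",
    "access-list 102 permit tcp 10.1.10.0 0.0.0.3 any eq 2000",
    "access-list 102 permit udp 10.1.10.0 0.0.0.3 any eq 2000",
    "access-list 102 deny ip 192.168.9.0 0.0.0.255 any",
    "access-list 102 deny ip 192.168.10.0 0.0.0.255 any",
    "access-list 102 deny ip 10.1.10.0 0.0.0.3 any",
    "access-list 102 deny ip host 255.255.255.255 any",
    "access-list 102 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 102 permit ip any any",
]

# The ACE suggested in the answer: source is the VLAN 100 subnet, destination is VLAN 1.
FIX_ACE = "access-list 102 deny ip 10.1.1.0 0.0.0.255 192.168.10.0 0.0.0.255"

# Correct placement: the deny sits before "permit ip any any".
CORRECTED_102 = ORIGINAL_102[:-1] + [FIX_ACE, ORIGINAL_102[-1]]

# What you get by simply typing the line into an existing numbered ACL: it is appended last.
APPENDED_102 = ORIGINAL_102 + [FIX_ACE]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; return (net, mask, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wildcard  # wildcard 0-bits are the bits that must match
    return addr & mask, mask, i + 2


def parse_ace(line):
    """Parse 'access-list N action proto SRC DST [eq PORT]' into a dict; None for remarks."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    src_net, src_mask, i = _parse_addr(tokens, 4)
    dst_net, dst_mask, i = _parse_addr(tokens, i)
    dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"acl": tokens[1], "action": tokens[2], "proto": tokens[3],
            "src": (src_net, src_mask), "dst": (dst_net, dst_mask), "dport": dport}


def _match_addr(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == net


def evaluate(acl_lines, acl_id, src, dst, proto="icmp", dport=None):
    """Return (action, matching_line) for one packet; implicit deny if nothing matches."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace is None or ace["acl"] != acl_id:
            continue
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if _match_addr(ace["src"], src) and _match_addr(ace["dst"], dst):
            return ace["action"], line
    return "deny", "(implicit deny)"


if __name__ == "__main__":
    # Constructed packet: a host on VLAN 100 trying to reach the VLAN 1 gateway.
    for name, acl in (("original", ORIGINAL_102), ("corrected", CORRECTED_102), ("appended", APPENDED_102)):
        print(name, evaluate(acl, "102", "10.1.1.50", "192.168.10.1"))
```

Running it shows that the original ACL permits the VLAN 100 to VLAN 1 packet via `permit ip any any` (the posted deny only matches a 192.168.10.0/24 source, which never enters Vlan100), the corrected ACL denies it, and the appended variant still permits it because the permit line is hit first. The phones' port 2000 traffic from 10.1.10.0/30 is unaffected in all three versions.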
07-09-2013 11:56 AM
omg, thanks a lot man, I made a mistake in the configs. Thanks, very very thanks dude! Have a nice day