ACL Issue in Catalyst

JPavonM
VIP

Even in Catalyst 3750 and 4500 with IP Services IOS, when I apply an ingress extended ACL on a VLAN interface to deny some kind of traffic (ICMP), this traffic only matches the permit ip any any entry. Is there any limitation on ACL traffic restriction in such models?

This is the configuration:

....

!
interface Vlan10
 ip address x.y.z.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip access-group 101 in
!
ip access-list extended 101
 deny icmp any x.any
 permit ip any any
!

6 Replies

cadet alain
VIP Alumni

Hi,

Which type of ICMP is entering this VLAN that doesn't get a hit?

Regards

Alain

Don't forget to rate helpful posts.

Thank you Alain for your answer.

The type of ICMP is ping; we want to disable ping from a specific IP in that VLAN.

SW#sh access-l
Extended IP access list 101
    10 deny icmp any host x.y.z.1 echo-reply
    20 deny icmp any host x.y.z.1 echo
    30 permit ip any any (59 matches)

Hi,

The destination IP must be in another VLAN. Is it in the VLAN where you apply the ACL? In which case, do you want to prevent pings within that VLAN or to another VLAN?

In the first case, use a VACL or an ingress PACL; in the second case, use a RACL like you did, but put the host IP as source instead of destination.

Regards

Alain

Don't forget to rate helpful posts.

Thank you again Alain, but it is still not working.

I know about VACLs and PACLs, but in this case it is a RACL. The problem is that pings are still working between both VLANs.

VLAN 10 is the destination (a.b.c.0/24)

VLAN 28 is the source (x.y.z.0/24)

I have modified the ACL so I can apply it to any VLAN interface:

!
ip access-list extended ping
 deny   icmp a.b.c.0 0.0.0.255 x.y.z.0 0.0.0.255
 deny   icmp x.y.z.0 0.0.0.255 a.b.c.0 0.0.0.255
 permit ip any any

And then I have applied it in both directions (ingress and egress) on every VLAN interface this way:

!
interface Vlan10
 ip address a.b.c.3 255.255.255.0
 ip access-group ping in
 ip access-group ping out
!
interface Vlan28
 ip address x.y.z.3 255.255.255.0
 ip access-group ping in
 ip access-group ping out

Anyway, no ICMP is filtered out when I ping from a host in VLAN 28 to a host in VLAN 10:

Extended IP access list ping
    1 deny icmp 172.31.10.0 0.0.0.255 192.168.128.0 0.0.0.255
    2 deny icmp 192.168.128.0 0.0.0.255 172.31.10.0 0.0.0.255
    20 permit ip any any (1129 matches)

Hi Jesus,

Your configuration looks good. Can you please confirm that the access list is applied on the switch where inter-VLAN routing is happening for these VLANs?

Manish

Problem solved: it seems that the customer's routing was through a firewall, not in the Catalyst itself.

Kind regards to all of you for your help.

Jesus
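As an added example (not from the thread, and not Cisco code), a small Python model of how the "ping" ACL from Jesus's post is evaluated: wildcard-mask matching, first-match order, the implicit deny, and the point the thread ends on, that a RACL on an SVI is only consulted for packets the switch itself routes. The sample packets and the svi_racl helper are constructed for illustration.

```python
import ipaddress
ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # keywords used in the thread's ACL 101

def _addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'; return (net, mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    mask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF  # wildcard 1 = don't care
    return int(ipaddress.IPv4Address(tok)) & mask, mask

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [icmp-keyword]' lines into ACE tuples."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        aces.append((action, proto, src, dst, ICMP_TYPES[t[0]] if t else None))
    return aces

def _match(ace, pkt):
    _, proto, (s_net, s_mask), (d_net, d_mask), itype = ace
    src = int(ipaddress.IPv4Address(pkt["src"]))
    dst = int(ipaddress.IPv4Address(pkt["dst"]))
    return (proto in ("ip", pkt["proto"]) and src & s_mask == s_net
            and dst & d_mask == d_net
            and (itype is None or pkt.get("icmp_type") == itype))

def evaluate(aces, pkt):
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for ace in aces:
        if _match(ace, pkt):
            return ace[0]
    return "deny"

def svi_racl(aces, pkt, switch_routes_it):
    """Constructed helper: a RACL on an SVI is consulted only for packets the switch
    itself routes; when the default gateway is a firewall the ACL never sees them."""
    return evaluate(aces, pkt) if switch_routes_it else "not evaluated"

# The "ping" ACL from the post, plus a constructed VLAN 28 -> VLAN 10 echo request.
PING_ACL = parse_acl("""
deny   icmp 172.31.10.0 0.0.0.255 192.168.128.0 0.0.0.255
deny   icmp 192.168.128.0 0.0.0.255 172.31.10.0 0.0.0.255
permit ip any any
""")
ECHO = {"proto": "icmp", "src": "192.168.128.25", "dst": "172.31.10.7", "icmp_type": 8}
```

Running evaluate(PING_ACL, ECHO) returns "deny", which is what the counters would show if the Catalyst were the router for the two VLANs; with the gateway on a firewall, svi_racl reports the ACL was never consulted and only the permit ip any any counter grows.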
