acl on vlan - cant make it through outside network

radarbackwards
Level 1

I have 4 VLANs: VLAN 200, 250, 210 and 66.

VLAN 66 is my gateway/default route. I configured an ACL on VLAN 250; VLANs like 210 are denied and VLAN 66 is allowed. It can ping VLAN 66, which is my default route, but not the outside network beyond VLAN 66.

When I checked the show ip access-list output, it went to the deny ip any any policy. I can't understand why I can't ping the outside network when there is an existing default route and it is allowed in the first place.

Extended IP access list 101
    deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
    deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
    permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3 (45 match(es))
    permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
    permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
    deny ip any any (55 match(es))

Please see the attached file.

Accepted Solution

cadet alain
VIP Alumni

Hi,

Don't forget that routing doesn't modify the destination IP address, so when the packet is forwarded to the default gateway it still has the remote subnet's destination IP and is matched by the implicit deny all at the end of the ACL.

Just add a permit ip 192.168.250.0 0.0.0.255 any at the end of the ACL and it will work, as long as the most specific matches with the denies are first in your ACL.

Regards

Alain

Don't forget to rate helpful posts.

3 Replies


Hi Alain,

192.168.250.0 0.0.0.255 is already permitted, even before I posted this problem:

access-list 101 remark VLAN_250
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.210.0 0.0.0.255
access-list 101 deny ip 192.168.250.0 0.0.0.255 192.168.91.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.66.252 0.0.0.3
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 101 deny ip any any

No, you have:

access-list 101 permit ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255

whereas Alain said:

access-list 101 permit ip 192.168.250.0 0.0.0.255 any
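Alain's explanation, and the difference the reply above points out, can be checked offline with this added example (not from the thread or from Cisco): it evaluates ACL 101 with Cisco wildcard-mask and first-match semantics for a packet from VLAN 250 to the gateway and to an outside address. The host 192.168.250.10, gateway 192.168.66.254 and outside address 203.0.113.10 are constructed values; with the original ACL the outside packet falls through to the implicit deny, while with the added permit ... any line it is permitted and the specific denies still win.

```python
import ipaddress

# ACL 101 as posted in the thread, as (action, src, src_wildcard, dst, dst_wildcard).
# "any" is written the way IOS stores it: 0.0.0.0 with wildcard 255.255.255.255.
ORIGINAL_ACL = [
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.210.0",  "0.0.0.255"),
    ("deny",   "192.168.250.0", "0.0.0.255", "192.168.91.0",   "0.0.0.255"),
    ("permit", "192.168.250.0", "0.0.0.255", "192.168.66.252", "0.0.0.3"),
    ("permit", "192.168.250.0", "0.0.0.255", "192.168.200.0",  "0.0.0.255"),
    ("permit", "192.168.250.0", "0.0.0.255", "192.168.250.0",  "0.0.0.255"),
]

# Alain's fix: the specific denies stay first, then "permit ip 192.168.250.0 0.0.0.255 any".
FIXED_ACL = ORIGINAL_ACL + [
    ("permit", "192.168.250.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit means 'don't care', so only the 0 bits are compared."""
    care_bits = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(ace_addr))
    return diff & care_bits == 0


def evaluate(acl, src: str, dst: str):
    """First-match evaluation. Returns (action, line); line is None for the implicit deny."""
    for line, (action, s, s_wc, d, d_wc) in enumerate(acl, start=1):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, line
    return "deny", None  # the implicit "deny ip any any" that collected the 55 matches


if __name__ == "__main__":
    host = "192.168.250.10"      # constructed host in VLAN 250
    gateway = "192.168.66.254"   # constructed: inside the 192.168.66.252 0.0.0.3 range
    outside = "203.0.113.10"     # constructed host beyond VLAN 66
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for dst in (gateway, outside):
            # Routing leaves dst unchanged, so the ACL sees the remote address, not the gateway's.
            print(f"{name:8} {host} -> {dst:15} {evaluate(acl, host, dst)}")
```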
