Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
343
Views
0
Helpful
2
Replies

ACLs not working

Go to solution
anirudh.wna
Level 1
Level 1

‎10-09-2013 10:29 AM - last edited on ‎03-25-2019 04:26 PM by Community Manager

hi,

    i have currently been told to test a network layout. i have configured

5 vlans - vlan2,vlan3,vlan4,vlan5,vlan6 on a 3750 L3 switch. this is connected to three L2 switches in which the same vlans are created. enabled ip routing and now trying to configure access lists. but this is driving me crazy!!

int vlan2

ip address 172.16.0.0 255.255.255.128

int vlan3

ip  address 172.16.0.128 255.255.255.128

int vlan 4

ip address 172.16.1.0 255.255.255.128

int vlan 5

ip address 172.16.1.128 255.255.255.128

int vlan 6

ip address 172.16.2.0 255.255.255.128

REQUIREMENT:

vlan 2 and vlan3 needs full access to vlan4

vlan5 needs access to only one ip in vlan4

vlan 6 does not need access to any other vlan.

what i have done so far with access control;

I

ip access-list standard vlan6

deny any

int vlan 6

ip access-group vlan6 in

ip access-group vlan6 out    ## here no issues because there is no inter vlan access required.

II

ip access-list standard vlan4

permit 172.16.0.0  0.0.0.127

permit 172.16.0.128  0.0.0.127

int vlan 4

ip access-group vlan4   ## this never woked.. also tried with an extended  list allowing the whole vlans2 and 3 subnets to vlan4 and then

                                      ##    applying it to int vlan 4. that also never works.

III

ip access-list standard  vlan5

permit host 172.16.1.10

int vlan 5

ip access-group vlan5 out    ## this also never works.

please let me know where am i going wrong??

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎10-09-2013 11:04 AM

Hi,

access-list 100 permit ip any 172.16.1.0 0.0.0.127

access-list 100 deny ip any any

access-list 101 permit ip any host 172.16.1.x

access-list 101 deny ip any any

int vlan2

ip access-group 100 in

int vlan3

ip access-group 100 in

int vlan5

ip access-group 101 in

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎10-09-2013 11:04 AM

Hi,

access-list 100 permit ip any 172.16.1.0 0.0.0.127

access-list 100 deny ip any any

access-list 101 permit ip any host 172.16.1.x

access-list 101 deny ip any any

int vlan2

ip access-group 100 in

int vlan3

ip access-group 100 in

int vlan5

ip access-group 101 in

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
anirudh.wna
Level 1
Level 1
In response to cadet alain

‎10-09-2013 11:45 AM

hi  alain,

                thanks a lot. you are amazing!! it worked like a charm and relieved my stress.  can you plz also explain how it works.

because  when you say 

access-list 100 permit ip any 172.16.1.0 0.0.0.127

access-list 100 deny ip any any

the source is any and destination is 172.16.1.0.0. why it did not work with 

ip access-list standard vlan4

permit 172.16.0.0  0.0.0.127

permit 172.16.0.128  0.0.0.127

sorry if  i am being too silly but the point is i want to get it in my head somehow and make my job simple.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card