!
interface Vlan110
 description "Management LAN"
 ip address 220.127.116.11 255.255.255.0
 ip access-group 110 in
 ip inspect standard out
 no autostate
!
interface Vlan120
 description "Server LAN"
 ip address 18.104.22.168 255.255.255.0
 ip access-group 120 in
 ip inspect standard out
 no autostate
!
access-list 110 remark ---MANAGEMENT LAN---
access-list 110 permit ip 22.214.171.124 0.0.0.255 any
access-list 110 permit udp any eq bootpc host 126.96.36.199
access-list 110 deny ip any any log
access-list 120 remark ---SERVER LAN---
access-list 120 permit ip 188.8.131.52 0.0.0.255 any
access-list 120 permit ip 184.108.40.206 0.0.0.255 any
access-list 120 permit udp any eq bootpc host 220.127.116.11
access-list 120 deny ip any any log
Currently, I have one host connected to fa0/1 and one to fa0/3. What I want is that the management network (18.104.22.168) is able to access the server network (22.214.171.124) but not backwards, so the server network can only access its own network and the default gateway for internet.
With the ACLs as they are now, I can't send pings across both hosts, though I configured an allow at ACL 120 for the management network.
When I remove the ACLs from the VLAN interface, traffic is allowed, so that should be alright.
Furthermore, I added the udp rule to both ACLs because I was unable to receive an IP address for both hosts (I configured two DHCP pools on this same router for both VLANs). That ACL rule works! It seems that the ACL is only working from the physical interface to the VLAN interface of the router (.1).
As far as I can see (I checked the config multiple times) there's nothing configured "wrong". Maybe I am just missing something, or the way I configured this is not the way to add an ACL to VLANs.
Hopefully someone can help me with this, I already started pulling hairs =X
Update: It seems that when I give in a subnet instead of an 'any' source/destination network or host, the rule isn't working correctly. I just tested this by allowing telnet from just one host, a subnet, or any. Only the any rule worked. In the host/subnet test I used the following rules:
Re: Active ACL on VLAN interface is not allowing traffic as it s
I think your ACL 120 is wrong. To apply it in the "in" direction it has to be written as source, which would be any, to destination, which would be the networks you want to go to. It appears to be backwards. The "in" direction on the VLAN interface is traffic coming off that subnet towards the router or VLAN interface, thus you would have "any" to "subnet" in the ACLs.
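To make the direction point concrete, here is an added example (not code from the thread) that models stateless inbound ACLs on the two SVIs with constructed subnets 10.0.110.0/24 (management) and 10.0.120.0/24 (servers), in the same numbered-ACL style as the poster's config. It shows that the ACL applied "in" on an SVI only ever sees packets whose source sits in that VLAN, and that a static deny of server-to-management in ACL 120 also drops the echo reply of a management-initiated ping.

```python
import ipaddress
# Constructed subnets for this added example; the thread's obfuscated addresses are not reused.
MGMT_NET, SERVER_NET = "10.0.110.0", "10.0.120.0"
# Constructed ACLs in the thread's style: an SVI's inbound ACL only sees traffic *sourced* from
# its own VLAN, so the server->management deny belongs in ACL 120, sourced from the server subnet.
CONFIG = f"""
access-list 110 permit ip {MGMT_NET} 0.0.0.255 any
access-list 110 deny ip any any log
access-list 120 deny ip {SERVER_NET} 0.0.0.255 {MGMT_NET} 0.0.0.255
access-list 120 permit ip {SERVER_NET} 0.0.0.255 any
access-list 120 deny ip any any log
"""
SVI_IN = {"110": MGMT_NET, "120": SERVER_NET}  # ACL applied 'in' on each SVI -> hosts behind it

def wildcard_match(addr, net, wc):
    """Cisco wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)

def _addr(tok):  # consume one address spec: 'any' or 'net wildcard'
    return (("0.0.0.0", "255.255.255.255"), tok[1:]) if tok[0] == "any" else ((tok[0], tok[1]), tok[2:])

def parse_acls(text):
    """Parse 'access-list N permit|deny proto src dst' lines (port qualifiers not handled)."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, rest = _addr(tok[4:])
        dst, _ = _addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip, proto="icmp"):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    for action, p, (sn, sw), (dn, dw) in acl:
        if p in ("ip", proto) and wildcard_match(src_ip, sn, sw) and wildcard_match(dst_ip, dn, dw):
            return action
    return "deny"

def inbound_acl(acls, src_ip):
    """A packet hits the 'in' ACL of the SVI for the VLAN its *source* address lives in."""
    return next(acls[n] for n, net in SVI_IN.items() if wildcard_match(src_ip, net, "0.0.0.255"))

def ping_verdict(src_ip, dst_ip):
    """Echo request is filtered inbound on the sender's SVI, the echo reply on the receiver's."""
    acls = parse_acls(CONFIG)
    return (evaluate(inbound_acl(acls, src_ip), src_ip, dst_ip),
            evaluate(inbound_acl(acls, dst_ip), dst_ip, src_ip))
```

A management-to-server ping comes back as ("permit", "deny"): the request passes ACL 110 but the reply is dropped by ACL 120, which is the return-traffic gap that a stateful mechanism such as the `ip inspect ... out` in the poster's config (IOS CBAC) is meant to fill; this evaluator does not model that.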