Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
4
Replies

Extended ACL's help ---urgent

ilnaiduccna
Level 1
Level 1

‎06-24-2009 10:37 PM - edited ‎03-06-2019 06:26 AM

i have created one vlan500 (GW 10.13.109.1) and it is in active.

i defined one accesslist group like below....

ip access-list extended GUEST_ACCESS

deny ip 10.12.0.0 0.0.255.255 any

deny ip 10.146.0.0 0.0.255.255 any

deny ip 10.15.0.0 0.0.255.255 any

deny ip 10.24.0.0 0.0.255.255 any

deny ip 10.10.0.0 0.0.255.255 any

deny ip 10.18.0.0 0.0.7.255 any

deny ip 10.17.0.0 0.0.15.255 any

deny ip 10.16.0.0 0.0.0.255 any

i applied the above accessgroup for vlan500 but still i am able to ping from this vlan to above denied networks (i am trying extended ping)

This is strange for me, Experts can anybody help me please....

Regards,

Naidu.

Labels:
0 Helpful
4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎06-24-2009 10:55 PM

Hello Naidu,

in what direction have you applied this ACL?

inbound

ip access-group GUEST_ACCESS in

or outbound

ip access-group GUEST_ACCESS out

this could explain what you see.

if the ACL is applied outbound means towards core not towards users in vlan, and those source ip subnets don't appear as source but as destinations

Hope to help

Giuseppe

0 Helpful

ilnaiduccna
Level 1
Level 1
In response to Giuseppe Larosa

‎06-24-2009 11:01 PM

Hi Giuseppe,

Thanks for your quick response.

I tried both ways in & out but still not working and this is what seems strange for me.

Regards,

Naidu.

0 Helpful

Istvan_Rabai
Level 7
Level 7
In response to ilnaiduccna

‎06-24-2009 11:09 PM

Hi Naidu,

Tha ACL that you applied to the vlan interface is effective only for traffic traversing the switch or router.

Traffic generated by the switch is not affected by this ACL, when the ACL is applied outbound.

So if you originate pings from the same switch where you applied the ACL to the vlan interface, the pings are generated by the switch itself.

So the ACL will not filter that traffic.

Try generating pings (traffic) on a different device so the traffic traverses this switch but not originated on this switch.

Cheers:

Istvan

0 Helpful

davy.timmermans
Level 4
Level 4
In response to ilnaiduccna

‎06-24-2009 11:09 PM

Hi Naidu,

Did you tried to ping from your pc when connected to vlan 500 instead of from the switch. I suppose you ping from the switch via source interface?

Did you test with reversing destination and source in your acl?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card