Cisco Support Community
Community Member

Extended ACL's help ---urgent

I have created VLAN 500 (GW 10.13.109.1) and it is active.

I defined one access list like below:

ip access-list extended GUEST_ACCESS
 deny ip 10.12.0.0 0.0.255.255 any
 deny ip 10.146.0.0 0.0.255.255 any
 deny ip 10.15.0.0 0.0.255.255 any
 deny ip 10.24.0.0 0.0.255.255 any
 deny ip 10.10.0.0 0.0.255.255 any
 deny ip 10.18.0.0 0.0.7.255 any
 deny ip 10.17.0.0 0.0.15.255 any
 deny ip 10.16.0.0 0.0.0.255 any

I applied the above access group to VLAN 500, but I am still able to ping from this VLAN to the denied networks above (I am trying extended ping).

This is strange to me. Experts, can anybody help me please?

Regards,

Naidu.

4 REPLIES
Hall of Fame Super Silver

Re: Extended ACL's help ---urgent

Hello Naidu,

In what direction have you applied this ACL?

inbound

ip access-group GUEST_ACCESS in

or outbound

ip access-group GUEST_ACCESS out

This could explain what you see.

If the ACL is applied outbound, that means towards the core, not towards the users in the VLAN, and those source IP subnets don't appear as sources but as destinations.

Hope to help

Giuseppe

Community Member

Re: Extended ACL's help ---urgent

Hi Giuseppe,

Thanks for your quick response.

I tried both ways, in and out, but it is still not working, and this is what seems strange to me.

Regards,

Naidu.

Re: Extended ACL's help ---urgent

Hi Naidu,

The ACL that you applied to the VLAN interface is effective only for traffic traversing the switch or router.

Traffic generated by the switch is not affected by this ACL when the ACL is applied outbound.

So if you originate pings from the same switch where you applied the ACL to the VLAN interface, the pings are generated by the switch itself.

So the ACL will not filter that traffic.

Try generating pings (traffic) on a different device so the traffic traverses this switch but is not originated on this switch.

Cheers:

Istvan

Re: Extended ACL's help ---urgent

Hi Naidu,

Did you try to ping from your PC when connected to VLAN 500 instead of from the switch? I suppose you ping from the switch via a source interface?

Did you test by reversing destination and source in your ACL?
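Added example (not part of the thread, and not Cisco code): a small Python model of how an extended ACL on an SVI is evaluated, built from the GUEST_ACCESS entries posted above. It shows the three points the replies make: with `in` the ACL sees only packets entering the SVI from the VLAN (source = guest host), with `out` it sees only packets leaving toward the VLAN (source = remote network), and a ping sourced from the switch's own SVI address is never forwarded through Vlan500, so neither direction filters it. It also shows a caveat the thread does not state outright: the posted list contains only deny entries, so once it is applied in a direction where it is actually consulted, the implicit deny at the end drops every host's traffic, not just the listed networks. The host, core and SVI addresses are constructed, and GUEST_ACCESS_FIXED is an assumed correction (the networks as destinations, applied inbound, followed by `permit ip any any`) following the last reply's suggestion, not a configuration from the thread.

```python
"""Model of Cisco IOS extended-ACL matching on an SVI (constructed example, not IOS code)."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" is base 0.0.0.0 with an all-ones wildcard


def ace(action, src=ANY, dst=ANY):
    """One access-control entry: (action, src_base, src_wildcard, dst_base, dst_wildcard)."""
    return (action, src[0], src[1], dst[0], dst[1])


# The ACL exactly as posted in the thread: every line denies a *source* network to any.
GUEST_ACCESS_AS_POSTED = [
    ace("deny", ("10.12.0.0", "0.0.255.255")),
    ace("deny", ("10.146.0.0", "0.0.255.255")),
    ace("deny", ("10.15.0.0", "0.0.255.255")),
    ace("deny", ("10.24.0.0", "0.0.255.255")),
    ace("deny", ("10.10.0.0", "0.0.255.255")),
    ace("deny", ("10.18.0.0", "0.0.7.255")),
    ace("deny", ("10.17.0.0", "0.0.15.255")),
    ace("deny", ("10.16.0.0", "0.0.0.255")),
]

# Assumed fix (not from the thread): the same networks as *destinations*, meant to be applied
# inbound on Vlan500, followed by an explicit permit so the implicit deny does not eat everything.
GUEST_ACCESS_FIXED = [
    ace("deny", ANY, (base, wc)) for (_, base, wc, _, _) in GUEST_ACCESS_AS_POSTED
] + [ace("permit", ANY, ANY)]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == b & care


def evaluate(acl, src, dst):
    """First-match evaluation. Returns (action, index); index None means the implicit deny."""
    for i, (action, sb, sw, db, dw) in enumerate(acl):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, i
    return "deny", None


def ping_succeeds(acl, direction, src, dst, from_switch=False):
    """Would an ICMP echo from src to dst complete, with `acl` applied on the guest SVI?

    direction="in":  the ACL sees traffic entering the SVI from the VLAN (the request, src=host).
    direction="out": the ACL sees traffic leaving the SVI toward the VLAN (the reply, src=remote).
    from_switch=True models an extended ping sourced from the SVI address: the request is
    generated by the switch and the reply terminates on it, so the packets are never forwarded
    through Vlan500 and the interface ACL is not consulted in either direction.
    """
    if from_switch:
        return True
    if direction == "in":
        verdict, _ = evaluate(acl, src, dst)  # the request is checked, the reply is not
    elif direction == "out":
        verdict, _ = evaluate(acl, dst, src)  # the reply is checked, with src/dst swapped
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return verdict == "permit"


if __name__ == "__main__":
    host, gw, core = "10.13.109.50", "10.13.109.1", "10.12.1.1"  # constructed addresses
    for direction in ("in", "out"):
        print(direction, "switch-sourced ping to core:",
              ping_succeeds(GUEST_ACCESS_AS_POSTED, direction, gw, core, from_switch=True))
        print(direction, "host ping to core:", ping_succeeds(GUEST_ACCESS_AS_POSTED, direction, host, core))
        print(direction, "host ping to 8.8.8.8:", ping_succeeds(GUEST_ACCESS_AS_POSTED, direction, host, "8.8.8.8"))
    print("fixed ACL in, host ping to core:", ping_succeeds(GUEST_ACCESS_FIXED, "in", host, core))
    print("fixed ACL in, host ping to 8.8.8.8:", ping_succeeds(GUEST_ACCESS_FIXED, "in", host, "8.8.8.8"))
```

Running it reproduces the thread: the switch-sourced ping succeeds with the ACL applied `in` or `out`, while a host in VLAN 500 gets nothing through the posted list in either direction (the denies never match the host's own source, and the implicit deny handles the rest). Only the reversed, permit-terminated list applied inbound blocks the listed networks and still lets the guest reach everything else. To confirm on the real switch, test from a PC in VLAN 500 and check `show ip access-lists GUEST_ACCESS` for match counters.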
