However, PCs on VLAN 2 (192.168.2.x) can ping everything; the ACL does not seem to be working.
When I make the change to: access-group 101 in
everything works as expected. The customer has requested that all traffic be filtered on outbound traffic. However, I can't get ACLs to work outbound on the interfaces from devices within that interface. Am I missing something obvious?
will never be a match condition for this, because the IP packet which comes out to VLAN 2 will have destination address 192.168.2.0, not source address 192.168.2.0.
If the ACL doesn't match on this statement, the ACL will go through to the next line, which is access-list 101 deny any any.
Basically this line is not useful, because in an ACL, if there is no match condition the packet will be denied by default (you can imagine that at the end of the ACL statement there lies an implicit deny any any).
So what you can do is block the IP traffic which is coming from the other VLAN and whose destination is VLAN 2.
For example, you have VLAN 3,
so you can create
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip any any
and then go to interface vlan 3
access-group 103 out
This step is the same if you have other VLANs.
The other way that you can do it is by changing your ACL 101:
access-list 101 deny ip x.x.x.x y.y.y.y (the other vlan you put it here) 192.168.2.0 0.0.0.255
and for the last line, don't forget to put permit ip any any.
Continue this command for every VLAN you want to filter.
I sympathize with your confusion. I find it useful to think about it in this way: the in and out of access list assignment are from the perspective of the router (or layer 3 switch). Outbound is from the router out to the devices connected on that interface. Inbound is incoming from the devices on the subnet into the interface. And it is also helpful to be clear that in extended access lists the first address and mask are the source and the second address and mask are the destination.
So in your particular situation if you build an access list to apply on interface VLAN 2 and VLAN 2 addresses are in the source address field then the access list must be applied inbound.
It may also be helpful to consider the perspective of various parties in this. Your customer may say that he wants outbound filtering (from the perspective of the end stations who are sending the traffic outbound). But from the perspective of the router that may be accomplished with an inbound filter.
One other point: your post says that when access list 101 was applied out it allowed PCs to ping anywhere. I find that surprising because with the access list applied out nothing would have matched the first line with a permit and everything would have matched the second line which denies everything. I would not think that any traffic would get through.
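Added example (not from either reply above): a small Python model of how the router evaluates an extended ACL, bound either "in" or "out" on the VLAN 2 SVI, so you can see which packets actually reach ACL 101 in each direction and why the first reply's "falls through to deny" and the second reply's "nothing matches the permit line" are the same observation. ACL 101's permit line is assumed to be `permit ip 192.168.2.0 0.0.0.255 any` (the thread only says it permits with 192.168.2.0 as the source); the VLAN 3 subnet and the PC addresses are constructed.

```python
import ipaddress

# Constructed for this example; the permit line is an assumption (the thread
# only says ACL 101 permits with 192.168.2.0 as the *source* address).
ACL_101 = ["access-list 101 permit ip 192.168.2.0 0.0.0.255 any",
           "access-list 101 deny ip any any"]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC [WILD] DST [WILD]' entries;
    'any' is treated as 0.0.0.0 with wildcard 255.255.255.255."""
    entries = []
    for line in lines:
        tok = line.replace(" any", " 0.0.0.0 255.255.255.255").split()
        entries.append((tok[2], tok[4], tok[5], tok[6], tok[7]))  # action, src, wild, dst, wild
    return entries

def _matches(addr, spec, wild):
    # Cisco wildcard match: a 1 bit in the wildcard means 'don't care'.
    a, s, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec, wild))
    return (a & ~w) == (s & ~w)

def evaluate(entries, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, s, sw, d, dw in entries:
        if _matches(src, s, sw) and _matches(dst, d, dw):
            return action
    return "deny"  # the implicit 'deny ip any any' at the end of every ACL

def route(src, dst, svis):
    """Router's view: the 'in' ACL of the SVI holding src, then the 'out' ACL
    of the SVI holding dst. A missing ACL means that step is skipped."""
    ingress = next(v for v in svis.values() if ipaddress.ip_address(src) in v["net"])
    egress = next(v for v in svis.values() if ipaddress.ip_address(dst) in v["net"])
    for entries in (ingress.get("in"), egress.get("out")):
        if entries is not None and evaluate(entries, src, dst) == "deny":
            return "deny"
    return "permit"

def scenario(direction):
    """ACL 101 on interface vlan 2, 'in' or 'out': verdicts for a vlan-2 PC's
    ping toward vlan 3 and for the echo reply coming back."""
    svis = {"vlan2": {"net": ipaddress.ip_network("192.168.2.0/24"),
                      direction: parse_acl(ACL_101)},
            "vlan3": {"net": ipaddress.ip_network("192.168.3.0/24")}}
    return (route("192.168.2.10", "192.168.3.10", svis),
            route("192.168.3.10", "192.168.2.10", svis))
```

With the ACL bound "out", the PC's own packet never touches ACL 101 at all (it leaves via VLAN 3), while the reply coming back to VLAN 2 has 192.168.2.x as destination, matches nothing, and hits the implicit deny; bound "in", the PC's packet matches the permit line as intended.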