
New Member

Restricting traffic between VLANs...

Hi all;

Suppose I have the two following subnets:

Subnet A: 172.16.10.0/24

Subnet B: 172.16.20.0/24

Now I create the following access list:

ip access-list standard 10

 deny 172.16.10.0 0.0.0.255

 permit any

Now I apply the above ACL in VLAN 20 as follows:

ip access-group 10 in

But when I ping a system in VLAN 20 from VLAN 10, the ping operation is successful!!!

Now I alter the ACL as follows:

 deny 172.16.10.0 0.0.255.255

 permit any

In this case, when I apply the ACL on VLAN 20, the traffic between VLAN 10 and VLAN 20 is restricted...

Can anyone explain this behavior?

Thanks

3 REPLIES
Purple

Restricting traffic between VLANs...

Hi,

You are using a standard ACL, which only matches on source IP.

In the first ACL you deny 172.16.10.x as source IPs, but there will never be packets with these IPs as source entering VLAN 20, so the second line is hit, which is permit any.

Now your second ACL is matching 172.16.x.x as source, and in this case, when 172.16.20.x is seen as source entering VLAN 20, there is a hit and the packet is denied.

Regards

Alain

Don't forget to rate helpful posts.
New Member

Restricting traffic between VLANs...

In both ACLs the clients are the same, with the same IP addressing (one of them is 172.16.10.20/24 and the other is 172.16.20.20/24). The same rule also applies when I use an extended ACL.

Any ideas?

Thanks

Purple

Restricting traffic between VLANs...

Hi,

As I said before, your first ACL is denying 172.16.10.x, so when a source of 172.16.20.x is entering the interface with the ingress ACL, there is no hit on the deny, as the 3rd octet is not matching, so it matches the next entry, which is permit any.

Now in the 2nd ACL, when 172.16.20.x is entering the interface, it matches the deny, as you are denying 172.16.x.x.

Regards

Alain

Don't forget to rate helpful posts.
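To make both of Alain's replies concrete, here is an added example (not code from the thread or from Cisco) that models how a standard ACL with wildcard masks is evaluated and which packet of the ping actually hits an inbound ACL on the VLAN 20 SVI. The host addresses 172.16.10.20 and 172.16.20.20 come from the thread; the flow model (echo request leaves the SVI outbound, echo reply enters it inbound) and the "out" direction comparison are assumptions added here to show where the ACL would need to sit to catch the VLAN 10 source.

```python
"""Cisco-style standard ACL evaluation with wildcard masks (added example)."""
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored.

    0.0.0.255 therefore compares the first three octets; 0.0.255.255 only the first two.
    """
    care_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(address) & care_bits) == (ip_to_int(base) & care_bits)


def evaluate_standard_acl(acl, source: str) -> str:
    """First-match evaluation on source address only; implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(source, base, wildcard):
            return action
    return "deny"


# The two ACLs from the thread, as (action, base, wildcard) entries.
# "permit any" is the same as permit 0.0.0.0 255.255.255.255.
ACL_FIRST = [
    ("deny", "172.16.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
ACL_SECOND = [
    ("deny", "172.16.10.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def ping_allowed(acl, direction: str, src_host: str, dst_host: str) -> bool:
    """Model (assumption) of a ping from src_host in VLAN 10 to dst_host in VLAN 20
    with the ACL applied on the VLAN 20 SVI.

    "in"  : only the echo reply enters the SVI from VLAN 20, so the checked
            source address is dst_host.
    "out" : the echo request leaves the SVI toward VLAN 20, so the checked
            source address is src_host.
    The ping succeeds only if the checked packet is permitted.
    """
    checked_source = src_host if direction == "out" else dst_host
    return evaluate_standard_acl(acl, checked_source) == "permit"


if __name__ == "__main__":
    vlan10_host, vlan20_host = "172.16.10.20", "172.16.20.20"
    for name, acl in (("first ACL", ACL_FIRST), ("second ACL", ACL_SECOND)):
        for direction in ("in", "out"):
            ok = ping_allowed(acl, direction, vlan10_host, vlan20_host)
            print(f"{name}, applied {direction} on VLAN 20: ping {'works' if ok else 'blocked'}")
```

Running it shows the thread's result: inbound on VLAN 20 the only packet inspected is the reply sourced from 172.16.20.20, which the first ACL permits (third octet differs) and the second ACL denies (0.0.255.255 ignores the third octet, so it matches all of 172.16.x.x). Applied outbound instead, the first ACL would drop the echo request from 172.16.10.20 as the poster expected.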