Access lists applied to Vlan are not working as intended

I set up two access lists -- one for inbound traffic; the other for outbound. The purpose is to create a Vlan to quarantine Vlan machines in the VMware environment that get infected with malware.


ip access-list extended vlan499in
10 permit ip host 10.212.3.3 any
20 permit ip host 10.212.3.99 any
30 permit ip host 10.212.3.26 any
40 permit ip host 10.212.3.27 any
50 permit ip host 10.212.3.61 any
60 permit ip host 198.204.114.92 any
100 deny ip any any

ip access-list extended vlan499out
10 permit ip any host 10.212.3.3
20 permit ip any host 10.212.3.99
30 permit ip any host 10.212.3.26
40 permit ip any host 10.212.3.27
50 permit ip any host 10.212.3.61
60 permit ip any host 198.204.114.92
100 deny ip any any

Then I apply them to Vlan 499

interface Vlan499
description Kill it with fire
ip address 192.168.192.1 255.255.255.0
ip access-group vlan499in in
ip access-group vlan499out out
ip helper-address 10.212.3.99
end

The problem is, when I apply them, no traffic can get in or out as far as I can tell. Even if I set the IP manually, the clients report "Destination net unreachable" and the target server outside never sees the traffic. If I remove the access lists, all works correctly.

The rules look right to me but I am, obviously, doing something wrong. Any help is appreciated.

2 Replies

Hi @Stephen Carville

If you are saying those hosts are not passing traffic, then you have a problem; but if you are saying that hosts other than those on the ACL are not passing traffic, then this is the expected behavior.

-If I helped you somehow, please, rate it as useful.-

dperezoquendo
Level 1

Hello,

I think you need to permit your vlan 499 network within the ACLs. Right now it appears it's being denied via the "deny ip any any" statement.

Edit: Disregard above statement, for some reason I didn't realize the "any" statements. 

Edit 2: Maybe try the following:

ip access-list extended vlan499
10 permit ip 192.168.192.0 0.0.0.255 any
20 permit ip host 10.212.3.3 any
30 permit ip host 10.212.3.99 any
40 permit ip host 10.212.3.26 any
50 permit ip host 10.212.3.27 any
60 permit ip host 10.212.3.61 any
70 permit ip host 198.204.114.92 any
100 deny ip any any log
!
interface Vlan499
description Kill it with fire
ip access-group vlan499 in
ip access-group vlan499 out
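The following is an added example, not code from either poster: a small Python model of how an SVI applies these ACLs. On an SVI, "in" filters packets arriving from the VLAN's hosts (so the VLAN subnet is the source) and "out" filters packets leaving the router toward the VLAN (so the VLAN subnet is the destination). The evaluator parses the ACL text exactly as posted in the question and in the reply above, then walks four constructed flows through the SVI. It shows why the original configuration denies everything (both ACLs match the VLAN subnet on the wrong side of the packet), that simply swapping which ACL is applied in which direction yields the intended quarantine, and that the single-ACL variant from the reply lets quarantined hosts reach any destination because of its first entry. The VLAN subnet and the ACL bodies come from the thread; the flow labels and the outside address 203.0.113.5 (an RFC 5737 documentation address) are constructed.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed input: the two ACLs exactly as posted in the question.
OP_ACLS = """
ip access-list extended vlan499in
 10 permit ip host 10.212.3.3 any
 20 permit ip host 10.212.3.99 any
 30 permit ip host 10.212.3.26 any
 40 permit ip host 10.212.3.27 any
 50 permit ip host 10.212.3.61 any
 60 permit ip host 198.204.114.92 any
 100 deny ip any any
ip access-list extended vlan499out
 10 permit ip any host 10.212.3.3
 20 permit ip any host 10.212.3.99
 30 permit ip any host 10.212.3.26
 40 permit ip any host 10.212.3.27
 50 permit ip any host 10.212.3.61
 60 permit ip any host 198.204.114.92
 100 deny ip any any
"""

# Constructed input: the single ACL proposed in the reply.
REPLY_ACL = """
ip access-list extended vlan499
 10 permit ip 192.168.192.0 0.0.0.255 any
 20 permit ip host 10.212.3.3 any
 30 permit ip host 10.212.3.99 any
 40 permit ip host 10.212.3.26 any
 50 permit ip host 10.212.3.27 any
 60 permit ip host 10.212.3.61 any
 70 permit ip host 198.204.114.92 any
 100 deny ip any any log
"""

# From 'ip address 192.168.192.1 255.255.255.0' on interface Vlan499.
VLAN_NET = IPv4Network("192.168.192.0/24")

# Constructed flows: (source, destination). 203.0.113.5 stands in for a host
# that is not on the permitted list.
FLOWS = {
    "vlan host -> allowed server": ("192.168.192.10", "10.212.3.3"),
    "allowed server -> vlan host": ("10.212.3.3", "192.168.192.10"),
    "vlan host -> outside host": ("192.168.192.10", "203.0.113.5"),
    "outside host -> vlan host": ("203.0.113.5", "192.168.192.10"),
}


def _parse_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Returns (network, number_of_tokens_consumed)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), 2
    addr, wildcard = tokens[0], tokens[1]
    netmask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))   # wildcard is the inverted mask
    return IPv4Network((addr, str(IPv4Address(netmask))), strict=False), 2


def parse_acls(text):
    """Return {name: [(action, src_net, dst_net), ...]} for each extended ACL in text.
    Only 'ip' entries are modelled; sequence numbers and a trailing 'log' are ignored."""
    acls, current = {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        if tokens[0].isdigit():
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError("only 'ip' entries are modelled: " + raw)
        src, used = _parse_spec(tokens[2:])
        dst, _ = _parse_spec(tokens[2 + used:])
        current.append((action, src, dst))
    return acls


def evaluate(entries, src, dst):
    """First-match lookup with the implicit 'deny ip any any' at the end."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def svi_decision(acls, in_name, out_name, src, dst):
    """Model the SVI: a packet sourced inside the VLAN is checked by the 'in' ACL as it
    enters the router; a packet destined into the VLAN is checked by the 'out' ACL as it
    leaves. Traffic between two VLAN hosts never crosses the SVI and is not filtered here."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    if src in VLAN_NET:
        return evaluate(acls[in_name], src, dst)
    if dst in VLAN_NET:
        return evaluate(acls[out_name], src, dst)
    raise ValueError("packet does not cross the Vlan499 SVI")


def reachability(acls, in_name, out_name):
    return {label: svi_decision(acls, in_name, out_name, s, d) for label, (s, d) in FLOWS.items()}


def as_posted():
    """The question's configuration: vlan499in applied in, vlan499out applied out."""
    return reachability(parse_acls(OP_ACLS), "vlan499in", "vlan499out")


def names_swapped():
    """Same ACLs with the directions exchanged: 'permit ip any host X' belongs on the
    inbound side (VLAN hosts are the source) and 'permit ip host X any' on the outbound."""
    return reachability(parse_acls(OP_ACLS), "vlan499out", "vlan499in")


def reply_variant():
    """The reply's single ACL applied in both directions."""
    return reachability(parse_acls(REPLY_ACL), "vlan499", "vlan499")


if __name__ == "__main__":
    for title, result in (("as posted", as_posted()), ("swapped", names_swapped()),
                          ("reply", reply_variant())):
        print(title)
        for label, verdict in result.items():
            print(f"  {verdict:6} {label}")
```

Running it prints four "deny" verdicts for the configuration as posted, the intended permit/deny split once the two ACL names are exchanged on the access-group lines, and for the reply's ACL a "permit" on "vlan host -> outside host": the entry `permit ip 192.168.192.0 0.0.0.255 any` lets quarantined machines reach any destination, which defeats the purpose stated in the question. The model also makes a limit of this approach explicit: packets between two hosts inside Vlan499 are switched at layer 2 and never pass the SVI, so router ACLs do not isolate quarantined hosts from one another.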