Cisco Support Community
New Member

Intra Vlan ACLS issues

Hello, my issue is regarding intra-VLAN ACLs. I have several VLANs; below is an example of what I am trying to set up using named lists. This is a 3550 EMI. I have tried several configurations regarding inbound and outbound applications to the VLAN interface, and I seem to get the same results: if a packet hits one rule, it allows the traffic in both directions. I.e., I just apply the permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 on the inbound direction and it allows all the traffic from both 10.8.20.0 and 10.8.16.228 both ways. I watch my counters and establish sessions both ways. So when I break up the ACLs into inbound and outbound I get hits on both groups, but when I remove one group the traffic still flows both ways. I want to be able to establish communications from my subnets back to the 10.8.20.0, but do not want that subnet establishing them back to the other subnets.

The second question I have is: since both of these VLANs are on the same box and .1 is the interface of each, they can see each other's .1 address, in effect also their subnet, as well as vty access. How do I block, in this case, Vlan601 from accessing vty or even being able to ping the interface of another connected VLAN? I have tried using a host entry with the interface IP and that did not work either.

!
interface Vlan601
 ip address 10.8.1.1 255.255.254.0
!
interface Vlan45
 ip address 10.8.20.1 255.255.255.192
 ip access-group Sin in
 ip access-group Sout out
ip access-list extended Sin
 permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log
 permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log
 permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log
 permit icmp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log
 permit tcp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log
 permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log
 permit tcp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log
 permit tcp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log
 deny icmp any any log
 deny ip any any log-input
ip access-list extended Sout
 permit icmp 10.8.8.240 0.0.0.7 10.8.20.0 0.0.0.63 log
 permit icmp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log
 permit icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log
 permit icmp 10.1.8.4 0.0.0.3 10.8.20.0 0.0.0.63 log
 permit tcp 10.8.8.248 0.0.0.7 10.8.20.0 0.0.0.63 log
 permit tcp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log
 permit tcp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log
 permit tcp 10.1.18.4 0.0.0.3 10.8.20.0 0.0.0.63 log
 deny icmp any any log
 deny ip any any log-input
!

Thanks much

Brett

1 REPLY
New Member

Re: Intra Vlan ACLS issues

Another example is where I moved all the rules to a single inbound list and sent 4 pings from each of the 8.20.0 and the 1.30.0, and all 8 ended up on the same rule. I am confused as to whether source and destination really mean anything in the ACLs, as I have a one-way deny right below it that never gets touched.

Extended IP access list Sin
    permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log-input
    permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log-input
    permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input (8 matches)
    deny icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63 log-input
    permit icmp 10.8.20.0 0.0.0.63 10.1.18.4 0.0.0.3 log-input
    permit tcp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7 log-input
    permit tcp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7 log-input
    permit tcp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255 log-input
    permit icmp 10.8.8.240 0.0.0.7 10.8.20.0 0.0.0.63 log-input
    permit icmp 10.8.16.248 0.0.0.7 10.8.20.0 0.0.0.63 log-input
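An added example, not part of the original posts and not Cisco code: a small first-match evaluator for the first four Sin entries above, assuming standard stateless extended-ACL semantics (wildcard masks, first match wins, implicit deny) and that an inbound list on the Vlan45 SVI only sees packets sourced from 10.8.20.0/26. With four pings in each direction between two constructed hosts, the echo requests from 10.8.20.0/26 and the echo replies those hosts send to the 10.1.30.0/24 pings all land on the same permit line, while the deny for 10.1.30.0 as source is never evaluated inbound. Host addresses and function names are hypothetical.

```python
import ipaddress

# Sin list as shown in the reply above (first four entries, log keywords dropped).
SIN = """\
permit icmp 10.8.20.0 0.0.0.63 10.8.8.248 0.0.0.7
permit icmp 10.8.20.0 0.0.0.63 10.8.16.248 0.0.0.7
permit icmp 10.8.20.0 0.0.0.63 10.1.30.0 0.0.0.255
deny icmp 10.1.30.0 0.0.0.255 10.8.20.0 0.0.0.63
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(text):
    rules = []  # (action, proto, src, src_wc, dst, dst_wc, original line)
    for line in text.splitlines():
        action, proto, src, swc, dst, dwc = line.split()[:6]
        rules.append((action, proto, ip(src), ip(swc), ip(dst), ip(dwc), line))
    return rules

def wc_match(addr, base, wildcard):
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (addr & care) == (base & care)

def evaluate(rules, proto, src, dst):
    """Return (index, action) of the first matching entry; implicit deny otherwise."""
    for i, (action, rproto, s, swc, d, dwc, _line) in enumerate(rules):
        if rproto == proto and wc_match(ip(src), s, swc) and wc_match(ip(dst), d, dwc):
            return i, action
    return None, "deny"

def inbound_hits(rules, packets, vlan_net="10.8.20.0/26"):
    """Per-entry hit counts for an 'in' list on the SVI that owns vlan_net."""
    net = ipaddress.ip_network(vlan_net)
    hits = [0] * len(rules)
    for proto, src, dst in packets:
        if ipaddress.ip_address(src) in net:  # others egress here: 'in' list not checked
            idx, _ = evaluate(rules, proto, src, dst)
            if idx is not None:
                hits[idx] += 1
    return hits

# Constructed traffic: 4 pings each way between two hypothetical hosts.
A, B = "10.8.20.10", "10.1.30.10"
packets = ([("icmp", A, B)] * 4 + [("icmp", B, A)] * 4    # A pings B: requests, replies
         + [("icmp", B, A)] * 4 + [("icmp", A, B)] * 4)   # B pings A: requests, replies
if __name__ == "__main__":
    for rule, n in zip(parse(SIN), inbound_hits(parse(SIN), packets)):
        print(f"{n:2d}  {rule[6]}")
```

The ACL itself cannot tell an echo request from an echo reply unless the entry names the ICMP type, which is why both directions of the conversation count against one line.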
