Cisco Support Community

Unusual access-list behavior

I have a 3550 Layer 3 switch across which I have about 10 VLANs. My requirement is to restrict access to VLAN 6 from the management network, except for the host IPs mentioned in the access-list.

But even after I apply the access-list I am able to reach all the systems in VLAN 6 from the management subnet.

Only when I add the following entry, access-list 106 deny ip any any, is the access restricted.

As every access-list has a default deny any any at the end, why am I required to enter the command? Also, even after I enter the command I am able to ping from the management subnet.

Does anyone have a clue about this type of behaviour, or is it because of a bug?

I am using 3550 IOS 121-11.EA1



Re: Unusual access-list behavior


From what I can tell from your access list, the statements are in the wrong order:

If, for example, you want only host to access the VLAN, the statement would need to look like this:

access-list 106 permit ip host

I am not sure if I fully understand your access list, but you might want to put the 'log' keyword after each entry and then check the console to see which line matches when you access the VLAN from a source that you consider to be blocked...

Does that make sense ?




Re: Unusual access-list behavior


Just to be sure, the Management Network Subnet has a 13 mask, right? If so, I couldn't see any entry on the access-list about it, so they should be restricted according to your config.

And try applying it to packets in the OUT direction:

ip access-group 106 out

Because packets will be coming from outside...

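The two replies above raise the two things that actually decide whether this ACL works: the order of the entries (first match wins) and the direction in which it is applied on the SVI. The configuration below is an added example and is not part of the original thread; the addresses (management subnet 10.0.0.0/24, VLAN 6 as 10.0.6.0/24, permitted hosts 10.0.6.10 and 10.0.6.11, management SVI on VLAN 1) are all assumed for illustration.

```cisco
! Added example, not from the original posts. All addresses are hypothetical.
!
! IOS evaluates a numbered ACL top-down and stops at the first match, so the
! specific permits must come before the deny that covers the rest of the subnet.
! Note the trailing "permit ip any any": without it the implicit deny at the end
! also drops every other VLAN's traffic to VLAN 6, not just the management subnet.
access-list 106 permit ip 10.0.0.0 0.0.0.255 host 10.0.6.10
access-list 106 permit ip 10.0.0.0 0.0.0.255 host 10.0.6.11
access-list 106 deny   ip 10.0.0.0 0.0.0.255 10.0.6.0 0.0.0.255 log
access-list 106 permit ip any any
!
! Direction is relative to the routing engine, not to the VLAN's hosts:
!   "in"  on interface Vlan6 filters packets sent BY hosts in VLAN 6
!   "out" on interface Vlan6 filters packets routed TOWARD hosts in VLAN 6
! Management -> VLAN 6 traffic is therefore "out" on Vlan6.
interface Vlan6
 ip address 10.0.6.1 255.255.255.0
 ip access-group 106 out
!
! Equivalent placement on the management SVI (assumed to be Vlan1), where the
! same traffic is inbound. Use one placement or the other, not both.
! interface Vlan1
!  ip access-group 106 in
!
! Verification: per-entry match counters show which line a test ping hits,
! and the "log" keyword on the deny records the source that was dropped.
! show access-lists 106
! show logging
```

If the ACL is applied with "in" on Vlan6 by mistake, the management subnet's packets into VLAN 6 are never evaluated at all; only the replies from VLAN 6 are, which matches the symptom of the ACL appearing to do nothing until a blanket deny is added.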

Re: Unusual access-list behavior


I think the order should not matter. If the entry is not blocked, at least the reply should be blocked.

I am not sure about the direction either, since the management subnet is accessing from outside and is entering the VLAN. Anyway, I will surely try this and let you know.


