Cisco Support Community
Need Help Understanding ACL and Reflexive ACL Behavior

I am trying to limit inter-VLAN traffic on a 3750. I need to allow VLAN3's return traffic from VLAN2, which is restricted from accessing VLAN3. Below is the relevant config:

interface Vlan2
  ip address 10.1.2.1 255.255.255.0
  ip access-group VLAN2-ACL-IN in

interface Vlan3
  ip address 10.1.3.1 255.255.255.0
  ip access-group VLAN3-ACL-IN in

ip access-list extended VLAN2-ACL-IN
  evaluate VLAN3-VLAN2-TRAFFIC
  deny ip any 10.1.3.0 0.0.0.255
  permit ip any any

ip access-list extended VLAN3-ACL-IN
  permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 reflect VLAN3-VLAN2-TRAFFIC
  permit ip any any

I assumed the above configuration would do the trick, but traffic that is initiated from 10.1.3.0/24 destined for 10.1.2.0/24 is not being added to the reflexive access list VLAN3-VLAN2-TRAFFIC. But if I change VLAN3-ACL-IN to:

ip access-list extended VLAN3-ACL-IN
  deny ip any 10.1.2.0 0.0.0.255
  permit ip 10.1.3.0 0.0.0.255 10.1.2.0 0.0.0.255 reflect VLAN3-VLAN2-TRAFFIC
  permit ip any any

the traffic that is initiated from 10.1.3.0/24 destined for 10.1.2.0/24 does get added to the reflexive access list VLAN3-VLAN2-TRAFFIC. Can someone explain to me why the first version does not reflect the traffic and why the second version does, when I would think that the deny statement would block the traffic?

Thanks in advance for any help; I am still new to Cisco/networking.

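To make the reflect/evaluate mechanics concrete, here is an added Python model of the documented IOS reflexive ACL semantics: lists are first-match with an implicit deny, a matching "permit ... reflect NAME" creates a temporary entry in NAME that mirrors the packet (source/destination and ports swapped), and "evaluate NAME" is processed as if NAME's current entries sat at that line. This is not code from the post and not Cisco's implementation; it models the documented behaviour only and does not attempt to reproduce what the poster observed on the 3750. The ACL names are the poster's; the host addresses and ports are constructed sample values inside the post's subnets.

```python
# Toy model of IOS reflexive ACL semantics (reflect / evaluate).
# Added illustration, not code from the post and not Cisco's implementation.
# Assumptions (documented IOS behaviour, not a statement about 3750 hardware):
#   - ACLs are first-match, with an implicit deny at the end;
#   - a matching "permit ... reflect NAME" adds a temporary entry to NAME that
#     mirrors the packet (src/dst and ports swapped, /32 host masks);
#   - "evaluate NAME" is processed as if NAME's entries sat at that position.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # CIDR; "0.0.0.0/0" is "any"
    dst: str
    sport: Optional[int] = None     # None = any port
    dport: Optional[int] = None
    reflect: Optional[str] = None   # reflexive list this entry populates
    evaluate: Optional[str] = None  # reflexive list nested at this position

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("ip", p.proto)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.sport in (None, p.sport)
            and self.dport in (None, p.dport)
        )


class ReflexiveState:
    """Temporary entries created by 'reflect', keyed by reflexive list name."""

    def __init__(self) -> None:
        self.lists: dict[str, list[Entry]] = {}

    def add_mirror(self, name: str, p: Packet) -> None:
        # Mirror of the triggering packet: protocol kept, endpoints swapped.
        mirror = Entry("permit", p.proto, f"{p.dst}/32", f"{p.src}/32", p.dport, p.sport)
        self.lists.setdefault(name, []).append(mirror)


def apply_acl(acl: list[Entry], p: Packet, state: ReflexiveState) -> str:
    """First-match evaluation; returns 'permit' or 'deny' and updates state."""
    for e in acl:
        if e.evaluate is not None:
            if any(r.matches(p) for r in state.lists.get(e.evaluate, [])):
                return "permit"
            continue                      # no nested entry matched: next line
        if e.matches(p):
            if e.action == "permit" and e.reflect is not None:
                state.add_mirror(e.reflect, p)
            return e.action
    return "deny"                         # implicit deny


ANY = "0.0.0.0/0"
REFLEX = "VLAN3-VLAN2-TRAFFIC"

# The poster's first version, transcribed into the model.
VLAN2_IN = [
    Entry("permit", "ip", ANY, ANY, evaluate=REFLEX),
    Entry("deny", "ip", ANY, "10.1.3.0/24"),
    Entry("permit", "ip", ANY, ANY),
]
VLAN3_IN = [
    Entry("permit", "ip", "10.1.3.0/24", "10.1.2.0/24", reflect=REFLEX),
    Entry("permit", "ip", ANY, ANY),
]
# The poster's second VLAN3-ACL-IN, with the deny placed before the reflect line.
VLAN3_IN_DENY_FIRST = [
    Entry("deny", "ip", ANY, "10.1.2.0/24"),
    Entry("permit", "ip", "10.1.3.0/24", "10.1.2.0/24", reflect=REFLEX),
    Entry("permit", "ip", ANY, ANY),
]

# Constructed sample traffic (hypothetical hosts inside the post's subnets).
SSH_OUT = Packet("tcp", "10.1.3.5", 40000, "10.1.2.7", 22)      # VLAN3 -> VLAN2, new session
SSH_BACK = Packet("tcp", "10.1.2.7", 22, "10.1.3.5", 40000)     # its return traffic
UNSOLICITED = Packet("tcp", "10.1.2.9", 51000, "10.1.3.5", 80)  # VLAN2 -> VLAN3, new session
WRONG_PORT = Packet("tcp", "10.1.2.7", 22, "10.1.3.5", 40001)   # "reply" to a port never opened


def demo_first_version() -> dict:
    st = ReflexiveState()
    return {
        "vlan3_out": apply_acl(VLAN3_IN, SSH_OUT, st),
        "reflex_entries": len(st.lists.get(REFLEX, [])),
        "vlan2_reply": apply_acl(VLAN2_IN, SSH_BACK, st),
        "vlan2_unsolicited": apply_acl(VLAN2_IN, UNSOLICITED, st),
        "vlan2_wrong_port": apply_acl(VLAN2_IN, WRONG_PORT, st),
    }


def demo_deny_first() -> dict:
    st = ReflexiveState()
    return {
        "vlan3_out": apply_acl(VLAN3_IN_DENY_FIRST, SSH_OUT, st),
        "reflex_entries": len(st.lists.get(REFLEX, [])),
    }


if __name__ == "__main__":
    print(demo_first_version())
    print(demo_deny_first())
```

In this model the return path is permitted only for the exact mirrored 5-tuple (same protocol, swapped addresses and ports); an unsolicited VLAN2-to-VLAN3 session and a "reply" to a port that was never opened both fall through the evaluate line to the deny. With the deny placed before the reflect entry, first-match evaluation never reaches the reflect line, so the model creates no temporary entry, which is the opposite of what the poster reports seeing on the switch; the model is the documented semantics, not an explanation of that observation.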