Simple ACL Not Working

Hi there,

I have what I thought would be a simple ACL.  See the attached overview.  I have applied an ACL to a port connected to a Dell switch.  All the machines on this Dell switch live on the 172.10.x.x network.  I have a single server (on another subnet) hanging off the Cisco switch that I want to allow traffic to as well as a couple of machines hanging off the Cisco that belong to the 172.10.x.x network that need to communicate over to the Dell switch.  Here was my thought process:

1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)

2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100  – Ingress

3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress

4 – Apply to port connecting Cisco switch to Dell switch

When I apply the ACL I am unable to ping 172.10.0.50 from 172.20.100.100 - what am I missing?!?!?!

Thanks!

Accepted Solution

Re: Simple ACL Not Working

The subnet masks in your PDF look weird. The switch is using reverse masking, so the address and mask would be:

1 – Allow all traffic FROM a 172.10.x.x address TO a 172.10.x.x network (Handles both directions)

but the switch looks at ingress not egress.

2 – Allow all traffic FROM a 172.10.x.x address TO address 172.20.100.100  – Ingress

172.10.0.0 mask=0.0.255.255 to 172.20.100.100 mask=0.0.0.0

3 – Allow all traffic FROM 172.20.100.100 to any 172.10.x.x address - Egress

172.20.100.100 mask=0.0.0.0 to 172.10.0.0 mask=0.0.255.255


There are plenty of examples of access-lists for 300 series switches within this community; try a search and see what you get for more examples.

regards Dave    
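As an added illustration of the inverse-mask point (this is example code, not from the thread): a small Python model of Cisco wildcard matching with first-match, implicit-deny ACL evaluation. It assumes the original masks were typed as subnet masks (255.255.0.0 and 255.255.255.255), which the answer implies but the attachment does not show, and it checks the ICMP reply from 172.10.0.50 to 172.20.100.100 as it enters the Cisco port from the Dell switch, the only direction a port ACL inspects.

```python
import ipaddress


def wildcard_from_subnet_mask(mask: str) -> str:
    """Invert a dotted subnet mask (255.255.0.0) into a wildcard mask (0.0.255.255)."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False


# The three entries as the accepted answer writes them, with wildcard masks.
GOOD_ACL = [
    ("permit", "172.10.0.0", "0.0.255.255", "172.10.0.0", "0.0.255.255"),
    ("permit", "172.10.0.0", "0.0.255.255", "172.20.100.100", "0.0.0.0"),
    ("permit", "172.20.100.100", "0.0.0.0", "172.10.0.0", "0.0.255.255"),
]

# Assumed original mistake: subnet masks typed where wildcards belong, so
# 172.10.0.0 255.255.0.0 only matches hosts whose last two octets are 0.0.
BAD_ACL = [
    (act, sb, wildcard_from_subnet_mask(sw), db, wildcard_from_subnet_mask(dw))
    for act, sb, sw, db, dw in GOOD_ACL
]

# Constructed packet: the ping reply from the Dell side entering the Cisco port
# (the request from the server leaves that port and is never evaluated).
REPLY_SRC, REPLY_DST = "172.10.0.50", "172.20.100.100"


def ping_reply_allowed(acl) -> bool:
    return acl_permits(acl, REPLY_SRC, REPLY_DST)


if __name__ == "__main__":
    print("wildcard ACL permits reply:", ping_reply_allowed(GOOD_ACL))  # True
    print("subnet-mask ACL permits reply:", ping_reply_allowed(BAD_ACL))  # False
```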

3 REPLIES

Re: Simple ACL Not Working

Sometimes I take things a bit too literally... thanks David.

Re: Simple ACL Not Working

Hi

Sometimes I wish we didn't use inverse masking on ACLs. But I am glad you are up and running.

regards Dave