I have a 3550-12g running IOS v12.2(25)SEE2. I have created an ACL to apply to a VLAN interface. Here is the ACL:
ip access-list extended Block_Access
 deny ip 10.31.170.0 0.0.0.255
 deny ip 10.31.170.0 0.0.0.255 10.5.140.0 0.0.0.255
 deny ip 10.31.170.0 0.0.0.255 10.21.140.0 0.0.0.255
 deny ip 10.31.170.0 0.0.0.255 10.22.140.0 0.0.0.255
 deny ip 10.31.170.0 0.0.0.255 10.31.140.0 0.0.0.255
 permit ip any any
Whenever I apply the above ACL using "ip access-group <name> out" to the VLAN interface, the ACL doesn't work. If I apply the same command using "in" instead of "out", it does apply the ACL. The VLAN interface I am trying to apply this ACL to is configured as follows:
interface Vlan170
 ip address 10.31.170.5 255.255.255.0
 ip helper-address 10.31.110.10
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
I am wondering whether I do not have something configured properly or am missing something.
We need to understand how you decide that the access list is not working. The access list is denying traffic sourced from 10.31.170.0. If you are testing the access list by testing from the router (doing ping or traceroute or something similar) then the explanation is that an outbound access list will NOT filter traffic generated from the router itself. If you are testing with traffic generated from some end station connected to the router then we need to understand more about the topology of your network.
In a nutshell, I am trying to deny outbound traffic from the 10.31.170.0/24 network to the subnets listed in the ACL, then permit traffic to any other destination. Based on the ACL, if an IP packet originates from 10.31.170.0/24 and is destined for 10.5.140.0/24, then it needs to be denied. The only VLAN interface that is configured on the same switch as the VLAN170 interface is the VLAN140 interface (10.31.140.5 for the 10.31.140.0/24 subnet). All other subnets listed in the ACL have their VLAN interfaces configured on different switches. EIGRP is configured for routing to these VLANs. I can ping back and forth, so I know that basic IP routing and connectivity are working properly.
I am just confused as to why I can apply an ACL "inbound" on the VLAN170 interface and it works, but it does not work if I apply it "outbound".
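The following is an added illustration, not part of the thread above, of why the direction matters for an ACL on a VLAN interface (SVI). An ACL applied "in" on Vlan170 evaluates packets that enter the switch from hosts in 10.31.170.0/24, so the deny entries, which match on that source range, can fire. An ACL applied "out" on Vlan170 only evaluates packets the switch forwards toward VLAN 170; those packets have destinations in 10.31.170.0/24 and sources elsewhere, so none of the deny entries match and everything falls through to "permit ip any any". The small Python model below parses the posted ACL (leaving out the incomplete first deny line, which IOS would reject as an incomplete command), implements IOS wildcard-mask matching, and walks a request and its reply through the SVI in both directions. It also applies the rule from the reply above that an outbound ACL does not filter traffic the router itself generates. The host addresses, the helper functions and the "not-evaluated" verdict are constructed for the example and are not IOS behaviour names.

```python
import ipaddress

# Constructed copy of the ACL posted in the thread. The incomplete
# "deny ip 10.31.170.0 0.0.0.255" entry is omitted: IOS rejects an
# extended ACE that has no destination.
ACL_TEXT = """
deny ip 10.31.170.0 0.0.0.255 10.5.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.21.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.22.140.0 0.0.0.255
deny ip 10.31.170.0 0.0.0.255 10.31.140.0 0.0.0.255
permit ip any any
"""

# The SVI from the thread: interface Vlan170, 10.31.170.5/24.
SVI_ADDR = "10.31.170.5"
SVI_NET = "10.31.170.0/24"


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'base wildcard'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse '<permit|deny> ip <src spec> <dst spec>' into a dict."""
    parts = line.split()
    action, proto, rest = parts[0], parts[1], parts[2:]
    if proto != "ip":
        raise ValueError("this model only handles 'ip' entries")
    src, rest = _take_address(rest)
    dst, rest = _take_address(rest)
    return {"action": action, "src": src, "dst": dst}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_verdict(acl, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"]
    return "deny"


def svi_acl_check(acl, direction, svi_addr, svi_net, src, dst):
    """Model which packets an ACL on the SVI sees in each direction.

    'in'  : packets entering the switch from the VLAN (source in svi_net).
    'out' : packets the switch forwards into the VLAN (destination in
            svi_net), except packets sourced by the switch itself, which
            bypass outbound ACLs (the ping-from-the-router caveat).
    Everything else is 'not-evaluated' because it never crosses that SVI
    in that direction. The routing assumption is the simple one from the
    thread: each /24 sits behind exactly one SVI.
    """
    net = ipaddress.IPv4Network(svi_net)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if direction == "in":
        if s not in net:
            return "not-evaluated"
    elif direction == "out":
        if d not in net or s == ipaddress.IPv4Address(svi_addr):
            return "not-evaluated"
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return acl_verdict(acl, src, dst)


def demo():
    """Walk one blocked flow (VLAN170 host -> 10.5.140.0/24) through the SVI."""
    acl = parse_acl(ACL_TEXT)
    request = ("10.31.170.20", "10.5.140.7")  # constructed host addresses
    reply = ("10.5.140.7", "10.31.170.20")
    results = {}
    for direction in ("in", "out"):
        results[direction] = {
            "request": svi_acl_check(acl, direction, SVI_ADDR, SVI_NET, *request),
            "reply": svi_acl_check(acl, direction, SVI_ADDR, SVI_NET, *reply),
        }
    return results


if __name__ == "__main__":
    for direction, seen in demo().items():
        print(direction, seen)
```

Running it shows the asymmetry: applied "in", the request from 10.31.170.20 is denied before it is ever routed; applied "out", the request never crosses Vlan170 outbound at all, and the only packet the outbound ACL does evaluate is the reply, whose source is 10.5.140.7, so it is permitted. A source-based filter on a VLAN's own hosts therefore belongs "in" on that VLAN's SVI (or "out" on the SVIs of the destination VLANs, where the destinations are the matching criterion).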