Access list question???

in CCNA & CCENT
Hi, I have 3 VLANs set up in this topology and a cloud with a loopback address of 8.8.8.8.
Vlan 10
Vlan 20
Vlan 100
Without the access lists they can all ping each other fine and can all reach the loopback too. Here are the 2 access lists:
Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)
Vlan 20
Permit ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Deny ip any 10.10.10.0 0.0.0.255 (for vlan 10)
Permit ip any any (for loopback)
Both are configured on the respective VLAN interfaces and ALL work EXCEPT for the top one on VLAN 10! And I have no idea why!! Both access lists are configured for "inbound" packets to the VLAN interfaces! Both are applied on the same L3 switch also!
Are there any experts out there that can help??
Thanks guys.
Comments
Without knowing exactly what you're doing, I guess you have a typo, i.e. .0 rather than .255 in the mask.
"Permit ip any 10.10.20.0 0.0.0.0" maybe should be "Permit ip any 10.10.20.0 0.0.0.255"
Translated:
permit any ip packet destined for 10.10.20.x subnet.
deny any ip packet destined for 10.11.100.x subnet
allow any ip packet
It doesn't look like you understand access-lists.
If you want to restrict traffic from vlan 100 going to vlan 10, you should match the src address
deny ip 10.11.100.0 0.0.0.255 any
permit ip any any
same idea on other vlans.
Am I getting the "in" and "outbound" wrong, or is it something else I need to do?
If you are blocking ip from 20 to 10, how is 20 supposed to respond to 10's ping? Have a look at using icmp rather than ip in the ACL; with icmp you can specify which type to block, "echo-request" or "echo-reply".
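An added example (not posted in this thread) in Python that models the two points the replies make: a wildcard mask of 0.0.0.0 matches only the single address 10.10.20.0, and the inbound ACL on the VLAN 20 SVI drops the echo-reply for a ping from VLAN 10, so the ping fails even though the echo-request was permitted. The host addresses and the "no ACL on VLAN 100" list are constructed for the simulation.

```python
import ipaddress
from typing import List, Optional, Tuple

# The two ACLs exactly as posted, in "action <src> <dst>" form (wildcard masks, not subnet masks).
VLAN10_IN = [
    ("permit", "any", "10.10.20.0 0.0.0.0"),      # mask 0.0.0.0 => matches only host 10.10.20.0
    ("deny",   "any", "10.11.100.0 0.0.0.255"),
    ("permit", "any", "any"),
]
VLAN20_IN = [
    ("permit", "any", "10.11.100.0 0.0.0.255"),
    ("deny",   "any", "10.10.10.0 0.0.0.255"),    # also drops replies going back to VLAN 10
    ("permit", "any", "any"),
]
VLAN100_IN = None  # constructed: no ACL applied on the VLAN 100 SVI

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    net, wc = spec.split()
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(net)) & care

def acl_decision(acl: Optional[List[Tuple[str, str, str]]], src: str, dst: str) -> Tuple[str, int]:
    """First matching entry wins; no match hits the implicit deny (reported as line 0)."""
    if acl is None:                      # no ACL on the interface: everything is forwarded
        return ("permit", 0)
    for lineno, (action, s, d) in enumerate(acl, start=1):
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return (action, lineno)
    return ("deny", 0)

def ping_round_trip(src: str, dst: str, src_acl, dst_acl) -> dict:
    """Echo-request is checked inbound on the source SVI, echo-reply inbound on the destination SVI."""
    request = acl_decision(src_acl, src, dst)
    if request[0] == "deny":
        return {"request": request, "reply": None, "ping_succeeds": False}
    reply = acl_decision(dst_acl, dst, src)
    return {"request": request, "reply": reply, "ping_succeeds": reply[0] == "permit"}

if __name__ == "__main__":
    for name, (a, b, acl_a, acl_b) in {
        "vlan10 -> vlan20": ("10.10.10.5", "10.10.20.5", VLAN10_IN, VLAN20_IN),
        "vlan20 -> vlan100": ("10.10.20.5", "10.11.100.7", VLAN20_IN, VLAN100_IN),
        "vlan100 -> vlan10": ("10.11.100.7", "10.10.10.5", VLAN100_IN, VLAN10_IN),
    }.items():
        print(name, ping_round_trip(a, b, acl_a, acl_b))
```

The VLAN 10 to VLAN 20 ping never reaches its intended permit line (the request falls through to permit any any) and is then killed by line 2 of the VLAN 20 ACL on the way back, which is what the poster sees as the top entry "not working".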