Access list question???

Robbo777:
Hi, I have 3 VLANs set up in this topology and a cloud with a loopback address of 8.8.8.8.

Vlan 10
Vlan 20
Vlan 100

Without the access lists they can all ping each other fine and can all reach the loopback too. Here are the 2 access lists:

Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)

Vlan 20

Permit ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Deny ip any 10.10.10.0 0.0.0.255 (for vlan 10)
Permit ip any any (for loopback)

Both are configured on the respective VLAN interfaces and ALL work EXCEPT for the top one on vlan 10! And I have no idea why!! Both access lists are configured for "inbound" packets to the VLAN interfaces! Both are applied on the same L3 switch also!

Are there any experts out there that can help??

Thanks guys.

Comments

  • Robbo777:
    All the others display the UUUU message! I have no idea what's going on with it.
  • Robbo777:
    When I take out the deny command on vlan20 it works! So strange.
  • EdTheLad:
    Robbo777 wrote:
    Vlan10
    Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
    Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
    Permit ip any any (loopback)

    Without knowing exactly what you're doing, I guess you have a typo, i.e. .0 rather than .255 in the mask.
    "Permit ip any 10.10.20.0 0.0.0.0" maybe should be "Permit ip any 10.10.20.0 0.0.0.255"
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
  • Robbo777:
    Sorry!! The typo is on this post haha! It IS 0.0.0.255 in my config. When no access lists are on they can all ping, and when they're on, the top one doesn't work, it just times out, whereas the other deny statements come back with the correct UUUU. But when I take away the deny in vlan20 it works!
  • EdTheLad:
    Robbo777 wrote:
    Vlan10
    Permit ip any 10.10.20.0 0.0.0.255 (for vlan 20)
    Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
    Permit ip any any (loopback)

    Translated:

    permit any ip packet destined for 10.10.20.x subnet.
    deny any ip packet destined for 10.11.100.x subnet
    allow any ip packet

    It doesn't look like you understand access-lists.
    If you want to restrict traffic from vlan 100 going to vlan 10, you should match the src address

    deny ip 10.11.100.0 0.0.0.255 any
    permit ip any any

    same idea on other vlans.
  • SiRhOSEven:
    Cannot answer your question because I don't know what you want to accomplish.
  • james43026:
    I think we all need more information on exactly what the VACL's that you have listed are supposed to do. Can you explain what they are supposed to accomplish? Also a more descriptive explanation of the topology is needed as well.
  • Robbo777:
    Okay, the topology has 1 L3 switch at the top, connected via a trunk port to a L2 switch; this switch has 4 PCs connected to it, 2 in vlan 10 and 2 in vlan 20. I want to grant vlan10 machines access to ping vlan20 machines, but vlan20 machines can't ping vlan 10 machines. Every time I go to ping a vlan20 machine with the access lists on, it times out, no UUUU and no successful pings.
    Am I getting the "in" and "outbound" wrong or is it something else I need to do.
  • EdTheLad:
    Robbo777 wrote:
    I want to grant vlan10 machines access to ping vlan20 machines but vlan20 machines can't ping vlan 10 machines.

    If you are blocking ip from 20 to 10, how is 20 supposed to respond to 10's ping? Have a look at using icmp rather than ip in the acl; with icmp you can specify which type to block, "echo-request" or "echo-reply".
  • Robbo777:
    I need it to be done with IP's though! Is there anyway I could go about doing that? What can I do differently?
  • Robbo777:
    Basically is there anyway to let a vlan (vlan10) access another vlan (vlan20) while stopping the other vlan (vlan20) from having access to the other vlan (vlan10)
  • EdTheLad:
    Yes, that would be unidirectional traffic flow. If you block ip in one direction, you can ping but you won't get a response; you could enable packet debugging on the remote router and see the pings being received. Ping uses icmp, which runs on top of ip; if you block ip you will block icmp.
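The following is an added example, not code from the thread or from any of the posters: a small Python model of Cisco-style extended ACLs (first-match evaluation, wildcard masks, the implicit deny at the end) that traces a ping's echo-request and echo-reply through the ACLs applied inbound on each SVI. It reproduces both symptoms in the thread, the timeout for 10 -> 20 and the UUUU for 20 -> 10, and then shows EdTheLad's fix of denying only ICMP echo requests from VLAN 20. Assumptions: one host per VLAN (10.10.10.5, 10.10.20.5, 10.11.100.5, constructed for the example), a permit-all ACL on the VLAN 100 SVI, and the modelling of a denied request as "unreachable" (the switch answers the pinger with an ICMP unreachable, shown as U) versus a denied reply as "timeout" (the pinger never sees the reply). The IOS keyword for an echo request in an ACL is `echo`; `echo-reply` is the reply.

```python
"""Model Cisco extended ACLs applied inbound on SVIs and trace a ping through them."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    """One access-control entry: action proto src dst [icmp-type]."""
    action: str
    proto: str                 # "ip" or "icmp"
    src: tuple                 # (network, wildcard) or ("any", None)
    dst: tuple
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", ...
    icmp_type: Optional[str] = None  # "echo" (request) or "echo-reply"


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse lines such as 'deny icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo'."""
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        acl.append(Ace(t[0], t[1], src, dst, t[i] if i < len(t) else None))
    return acl


def _addr_matches(spec, addr):
    net, wild = spec
    if net == "any":
        return True
    # Wildcard mask: 0 bits must match exactly, 1 bits are "don't care".
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def evaluate(acl, pkt):
    """First matching entry wins; otherwise the implicit 'deny ip any any' applies."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
            continue
        if ace.proto == "icmp" and ace.icmp_type and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"


def ping(src, dst, acl_in_by_subnet):
    """Each leg is filtered by the ACL applied inbound on the SVI of the subnet it enters from.
    Returns 'success', 'unreachable' (request denied, pinger sees U) or
    'timeout' (reply denied, pinger sees nothing)."""
    def acl_for(addr):
        for net, acl in acl_in_by_subnet.items():
            if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
                return acl
        raise ValueError(f"no SVI for {addr}")
    if evaluate(acl_for(src), Packet(src, dst, "icmp", "echo")) == "deny":
        return "unreachable"
    if evaluate(acl_for(dst), Packet(dst, src, "icmp", "echo-reply")) == "deny":
        return "timeout"
    return "success"


# The thread's ACLs (with the corrected 0.0.0.255 mask), applied inbound on each SVI.
VLAN10_IN = parse_acl("""
permit ip any 10.10.20.0 0.0.0.255
deny ip any 10.11.100.0 0.0.0.255
permit ip any any
""")
VLAN20_IN_ORIGINAL = parse_acl("""
permit ip any 10.11.100.0 0.0.0.255
deny ip any 10.10.10.0 0.0.0.255
permit ip any any
""")
# Fix: deny only echo requests from VLAN 20 to VLAN 10, so VLAN 20's echo-replies still pass.
VLAN20_IN_FIXED = parse_acl("""
deny icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo
permit ip any any
""")
VLAN100_IN = parse_acl("permit ip any any")  # assumption: nothing filtered on the VLAN 100 SVI


def run(vlan20_acl):
    """Constructed hosts, one per VLAN; returns what the pinger sees for each direction."""
    acls = {"10.10.10.0/24": VLAN10_IN, "10.10.20.0/24": vlan20_acl, "10.11.100.0/24": VLAN100_IN}
    return {"10->20": ping("10.10.10.5", "10.10.20.5", acls),
            "20->10": ping("10.10.20.5", "10.10.10.5", acls),
            "10->100": ping("10.10.10.5", "10.11.100.5", acls)}


if __name__ == "__main__":
    print("original vlan20 ACL:", run(VLAN20_IN_ORIGINAL))
    print("fixed vlan20 ACL:   ", run(VLAN20_IN_FIXED))
```

With the original VLAN 20 ACL, `run` reports 10->20 as "timeout" (the request is permitted on the VLAN 10 SVI, but the reply hits `deny ip any 10.10.10.0 0.0.0.255` on the VLAN 20 SVI), and 20->10 and 10->100 as "unreachable", exactly the split between silence and UUUU described above. With the ICMP-only deny, 10->20 succeeds while 20->10 is still unreachable. Note what the fix does not do: `permit ip any any` on VLAN 20 still lets every non-ICMP-echo packet from VLAN 20 reach VLAN 10, so this is one-way ping, not one-way access; a stateless ACL cannot express "replies only" for arbitrary IP traffic, which is what reflexive ACLs (or `established` for TCP) exist for.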