Access list question???
Robbo777
Member Posts: 331 ■■■□□□□□□□
in CCNA & CCENT
Hi, I have 3 VLANs set up in this topology and a cloud with a loopback address of 8.8.8.8.
Vlan 10
Vlan 20
Vlan 100
Without the access lists they can all ping each other fine and can all reach the loopback too. Here are the 2 access lists:
Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)
Vlan 20
Permit ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Deny ip any 10.10.10.0 0.0.0.255 (for vlan 10)
Permit ip any any (for loopback)
Both are configured on the respective VLAN interfaces and ALL work EXCEPT for the top one on VLAN 10! And I have no idea why!! Both access lists are configured for "inbound" packets to the VLAN interfaces! Both are applied on the same L3 switch also!
Are there any experts out there that can help??
Thanks guys.
Comments
-
Robbo777 Member Posts: 331 ■■■□□□□□□□
All the others display the UUUU message! I have no idea what's going on with it.
-
Robbo777 Member Posts: 331 ■■■□□□□□□□
When I take out the deny command on vlan20 it works! So strange.
-
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)
Without knowing exactly what you're doing, I guess you have a typo, i.e. .0 rather than .255 in the mask.
"Permit ip any 10.10.20.0 0.0.0.0" maybe should be "Permit ip any 10.10.20.0 0.0.0.255"
Networking, sometimes i love it, mostly i hate it. Its all about the $$$$
-
Robbo777 Member Posts: 331 ■■■□□□□□□□
Sorry!! The typo is on this post haha! It IS 0.0.0.255 in my config. When no access lists are on they can all ping, and when they're on, the top one doesn't work, it just times out, whereas the other deny statements come back with the correct UUUU. But when I take away the deny in vlan20 it works!
-
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
Vlan10
Permit ip any 10.10.20.0 0.0.0.255 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)
Translated:
permit any ip packet destined for the 10.10.20.x subnet.
deny any ip packet destined for the 10.11.100.x subnet
allow any ip packet
It doesn't look like you understand access-lists.
If you want to restrict traffic from vlan 100 going to vlan 10, you should match the src address:
deny ip 10.11.100.0 0.0.0.255 any
permit ip any any
Same idea on the other vlans.
Networking, sometimes i love it, mostly i hate it. Its all about the $$$$
-
SiRhOSEven Registered Users Posts: 3 ■□□□□□□□□□
Cannot answer your question because I don't know what you want to accomplish.
-
james43026 Member Posts: 303 ■■□□□□□□□□
I think we all need more information on exactly what the VACLs that you have listed are supposed to do. Can you explain what they are supposed to accomplish? Also a more descriptive explanation of the topology is needed as well.
-
Robbo777 Member Posts: 331 ■■■□□□□□□□
Okay, the topology has 1 L3 switch at the top, connected via a trunk port to a L2 switch. This switch has 4 PCs connected to it, 2 in vlan 10 and 2 in vlan 20. I want to grant vlan10 machines access to ping vlan20 machines, but vlan20 machines can't ping vlan 10 machines. Every time I go to ping a vlan20 machine with the access lists on, it times out, no UUUU and no successful pings.
Am I getting the "in" and "outbound" wrong, or is it something else I need to do?
-
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
"I want to grant vlan10 machines access to ping vlan20 machines but vlan20 machines can't ping vlan 10 machines."
If you are blocking ip from 20 to 10, how is 20 supposed to respond to 10's ping? Have a look at using icmp rather than ip in the acl; with icmp you can specify which type to block, "echo-request" or "echo-reply".
Networking, sometimes i love it, mostly i hate it. Its all about the $$$$
-
Robbo777 Member Posts: 331 ■■■□□□□□□□
I need it to be done with IPs though! Is there any way I could go about doing that? What can I do differently?
-
Robbo777 Member Posts: 331 ■■■□□□□□□□
Basically, is there any way to let a vlan (vlan10) access another vlan (vlan20) while stopping the other vlan (vlan20) from having access to the first vlan (vlan10)?
-
EdTheLad Member Posts: 2,111 ■■■■□□□□□□
Yes, that would be unidirectional traffic flow. If you block ip in one direction, you can ping but you won't get a response; you could enable packet debugging on the remote router and see the pings being received. Ping uses icmp, which runs on top of ip, so if you block ip you will block icmp.
Networking, sometimes i love it, mostly i hate it. Its all about the $$$$
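To see why the inbound ACL on the Vlan 20 SVI as posted kills the vlan 10 ping (the echo-reply is dropped, so the pinger just times out) and why EdTheLad's ICMP-based alternative does not, here is a small IOS-style extended ACL evaluator, added as an example and not code from anyone in the thread. It assumes 10.10.20.0/24 for vlan 20 as the posted wildcard implies, constructed host addresses 10.10.10.5 and 10.10.20.5, and a replacement ACL that denies only echo requests sourced in vlan 20.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" == base 0.0.0.0, wildcard all-ones

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def _addr_spec(tok, i):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(lines):
    """Parse a subset of IOS syntax: ACTION PROTO SRC DST [ICMP-TYPE]."""
    rules = []
    for line in lines:
        tok = line.lower().split()
        src, i = _addr_spec(tok, 2)
        dst, i = _addr_spec(tok, i)
        rules.append((tok[0], tok[1], src, dst, tok[i] if i < len(tok) else None))
    return rules

def evaluate(rules, proto, src, dst, icmp_type=None):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, rproto, (sb, sw), (db, dw), rtype in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if rtype is not None and rtype != icmp_type:
            continue
        return action
    return "deny"

# Inbound ACL on the Vlan 20 SVI exactly as posted in the thread.
VLAN20_IN_POSTED = parse_acl(["permit ip any 10.11.100.0 0.0.0.255",
                              "deny ip any 10.10.10.0 0.0.0.255",
                              "permit ip any any"])
# Assumed ICMP-aware replacement: drop echo requests that originate in vlan 20 only.
VLAN20_IN_ICMP = parse_acl(["deny icmp 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo",
                            "permit ip any any"])

def reply_to_vlan10_ping(acl, v10="10.10.10.5", v20="10.10.20.5"):
    """Echo-reply from the vlan 20 host enters the Vlan 20 SVI inbound."""
    return evaluate(acl, "icmp", v20, v10, "echo-reply")

def vlan20_ping_attempt(acl, v10="10.10.10.5", v20="10.10.20.5"):
    """Echo request initiated by the vlan 20 host, same inbound direction."""
    return evaluate(acl, "icmp", v20, v10, "echo")
```

With the posted ACL the reply evaluates to deny, which is the silent timeout seen from vlan 10; with the ICMP version the reply is permitted while a ping started from vlan 20 is still denied.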