Access list question???

Robbo777

Hi I have 3 vlans set up in this topology and a cloud with a loopback address of 8.8.8.8.

Vlan 10
Vlan 20
Vlan 100

Without the access lists they can all ping each other fine and can all reach the loopback to. Here are the 2 access lists:

Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)

Vlan 20

Permit ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Deny ip any 10.10.10.0 0.0.0.255 (for vlan 10)
Permit ip any any (for loopback)

Both are configured on the respective Vlan interfaces and ALL work EXPECT for the top one on vlan 10! An i have no idea why!! Both access lists are configured for "inbound" packetc to the vlan interfaces! Both are applied on the same L3 switch also!

Are there any experts out there that can help??

Thanks guys.

Robbo777

All the others display the UUUU message! I have no idea what's going on with it.

Robbo777

When I take out the deny command on vlan20 it works! So strange.

EdTheLad

Robbo777 wrote: »

Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)

Without knowing exactly what your doing, i guess you have a typo i.e. .0 rather than .255 in the mask.
"Permit ip any 10.10.20.0 0.0.0.0" maybe should be "Permit ip any 10.10.20.0 0.0.0.255"

Robbo777

Sorry!! The typo is on this post haha! It IS 0.0.0.255 in my config. When no access lists are on they can all ping and when they're on, the top one doesn't work, it just times out whereas the other deny statements come back with the correct UUUU. But when I take away with the deny in vlan20 it works!

EdTheLad

Robbo777 wrote: »

Vlan10
Permit ip any 10.10.20.0 0.0.0.255 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)

Translated:

permit any ip packet destined for 10.10.20.x subnet.
deny any ip packet destined for 10.11.100.x subnet
allow any ip packet

It doesn't look like you understand access-lists.
If you want to restrict traffic from vlan 100 going to vlan 10, you should match the src address

deny ip 10.11.100.0 0.0.0.255 any
permit ip any any

same idea on other vlans.

SiRhOSEven

Cannot answer your question because I don't know what you want to accomplish

james43026

I think we all need more information on exactly what the VACL's that you have listed are supposed to do. Can you explain what they are supposed to accomplish? Also a more descriptive explanation of the topology is needed as well.

Robbo777

Okay the topology has 1 L3 switch at the top, connected via a trunk port to a L2 switch, this switch has 4 PC's connected to it, 2 in vlan 10 and 2 in vlan20. I want to grant vlan10 machines access to ping vlan20 machines but vlan20 machines can't ping vlan 10 machines. Everytime I go to ping a vlan20 machine with the access lists on it times out, no UUUU and no successful pings.
Am I getting the "in" and "outbound" wrong or is it something else I need to do.

EdTheLad

Robbo777 wrote: »

I want to grant vlan10 machines access to ping vlan20 machines but vlan20 machines can't ping vlan 10 machines.

If you are blocking ip from 20 to 10; how is 20 supposed to respond to 10s ping? Have a look at using icmp rather than ip in the acl, with icmp you can specify which type to block "echo-request" or "echo-reply".

Robbo777

I need it to be done with IP's though! Is there anyway I could go about doing that? What can I do differently?

Robbo777

Basically is there anyway to let a vlan (vlan10) access another vlan (vlan20) while stopping the other vlan (vlan20) from having access to the other vlan (vlan10)

EdTheLad

Yes, that would be unidirectional traffic flow. If you block ip in one direction, you can ping but you wont get a response, you could enable packet debugging on the remote router and see the pings being received. Ping uses icmp that runs on top of ip, if you block ip you will block icmp.