Access list question???

Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
in CCNA & CCENT
Hi I have 3 vlans set up in this topology and a cloud with a loopback address of 8.8.8.8.

Vlan 10
Vlan 20
Vlan 100

Without the access lists they can all ping each other fine and can all reach the loopback to. Here are the 2 access lists:

Vlan10
Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Permit ip any any (loopback)

Vlan 20

Permit ip any 10.11.100.0 0.0.0.255 (for vlan 100)
Deny ip any 10.10.10.0 0.0.0.255 (for vlan 10)
Permit ip any any (for loopback)

Both are configured on the respective Vlan interfaces and ALL work EXPECT for the top one on vlan 10! An i have no idea why!! Both access lists are configured for "inbound" packetc to the vlan interfaces! Both are applied on the same L3 switch also!

Are there any experts out there that can help??

Thanks guys.
· Share on FacebookShare on Twitter

Comments

  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    All the others display the UUUU message! I have no idea what's going on with it.
    · Share on FacebookShare on Twitter
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    When I take out the deny command on vlan20 it works! So strange.
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Robbo777 wrote: »
    Vlan10
    Permit ip any 10.10.20.0 0.0.0.0 (for vlan 20)
    Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
    Permit ip any any (loopback)

    Without knowing exactly what your doing, i guess you have a typo i.e. .0 rather than .255 in the mask.
    "Permit ip any 10.10.20.0 0.0.0.0" maybe should be "Permit ip any 10.10.20.0 0.0.0.255"
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Sorry!! The typo is on this post haha! It IS 0.0.0.255 in my config. When no access lists are on they can all ping and when they're on, the top one doesn't work, it just times out whereas the other deny statements come back with the correct UUUU. But when I take away with the deny in vlan20 it works!
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Robbo777 wrote: »
    Vlan10
    Permit ip any 10.10.20.0 0.0.0.255 (for vlan 20)
    Deny ip any 10.11.100.0 0.0.0.255 (for vlan 100)
    Permit ip any any (loopback)

    Translated:

    permit any ip packet destined for 10.10.20.x subnet.
    deny any ip packet destined for 10.11.100.x subnet
    allow any ip packet

    It doesn't look like you understand access-lists.
    If you want to restrict traffic from vlan 100 going to vlan 10, you should match the src address

    deny ip 10.11.100.0 0.0.0.255 any
    permit ip any any

    same idea on other vlans.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • SiRhOSEvenSiRhOSEven Registered Users Posts: 3 ■□□□□□□□□□
    Cannot answer your question because I don't know what you want to accomplish icon_study.gif
    · Share on FacebookShare on Twitter
  • james43026james43026 Member Posts: 303 ■■□□□□□□□□
    I think we all need more information on exactly what the VACL's that you have listed are supposed to do. Can you explain what they are supposed to accomplish? Also a more descriptive explanation of the topology is needed as well.
    · Share on FacebookShare on Twitter
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Okay the topology has 1 L3 switch at the top, connected via a trunk port to a L2 switch, this switch has 4 PC's connected to it, 2 in vlan 10 and 2 in vlan20. I want to grant vlan10 machines access to ping vlan20 machines but vlan20 machines can't ping vlan 10 machines. Everytime I go to ping a vlan20 machine with the access lists on it times out, no UUUU and no successful pings.
    Am I getting the "in" and "outbound" wrong or is it something else I need to do.
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Robbo777 wrote: »
    I want to grant vlan10 machines access to ping vlan20 machines but vlan20 machines can't ping vlan 10 machines.

    If you are blocking ip from 20 to 10; how is 20 supposed to respond to 10s ping? Have a look at using icmp rather than ip in the acl, with icmp you can specify which type to block "echo-request" or "echo-reply".
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    I need it to be done with IP's though! Is there anyway I could go about doing that? What can I do differently?
    · Share on FacebookShare on Twitter
  • Robbo777Robbo777 Member Posts: 331 ■■■□□□□□□□
    Basically is there anyway to let a vlan (vlan10) access another vlan (vlan20) while stopping the other vlan (vlan20) from having access to the other vlan (vlan10)
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Yes, that would be unidirectional traffic flow. If you block ip in one direction, you can ping but you wont get a response, you could enable packet debugging on the remote router and see the pings being received. Ping uses icmp that runs on top of ip, if you block ip you will block icmp.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
Sign In or Register to comment.