InterVLAN Isolation/Blocking problem
Comments
jason_leong7:
yeah...fixed length..
However, for blocking inter-VLAN traffic from VLAN 100 to VLAN 255 (I used up to 255 just in case of VLAN expansion in the future)... I used the following ACL:
ip access-list extended VLAN100_out
5 permit ip any 10.0.100.0 0.0.0.255
10 deny ip any 10.0.100.0 0.0.3.255
20 deny ip any 10.0.104.0 0.0.7.255
30 deny ip any 10.0.112.0 0.0.15.255
40 deny ip any 10.0.128.0 0.0.254.255
interface VLAN 100
ip access-group VLAN100_out in
but... the problem lies in
40 deny ip any 10.0.128.0 0.0.254.255
because it matches in this ACL when I do a continuous ping to the internet;
I fail to connect to the internet and VLAN 50. The ACL should only block from VLAN 100 to VLAN 255, but it blocks VLAN 50 and the internet... doesn't make sense.. can anyone spot my mistake?
tech-airman:
jason_leong7 wrote:
yeah...fixed length..
However, for blocking inter-VLAN traffic from VLAN 100 to VLAN 255 (I used up to 255 just in case of VLAN expansion in the future)... I used the following ACL:
ip access-list extended VLAN100_out
5 permit ip any 10.0.100.0 0.0.0.255
10 deny ip any 10.0.100.0 0.0.3.255
20 deny ip any 10.0.104.0 0.0.7.255
30 deny ip any 10.0.112.0 0.0.15.255
40 deny ip any 10.0.128.0 0.0.254.255
interface VLAN 100
ip access-group VLAN100_out in
but... the problem lies in
40 deny ip any 10.0.128.0 0.0.254.255
because it matches in this ACL when I do a continuous ping to the internet;
I fail to connect to the internet and VLAN 50. The ACL should only block from VLAN 100 to VLAN 255, but it blocks VLAN 50 and the internet... doesn't make sense.. can anyone spot my mistake?
jason_leong7,
What is the subnet address and subnet mask for VLAN 50?
jason_leong7:
tech-airman wrote:
jason_leong7,
What is the subnet address and subnet mask for VLAN 50?
ooo... my IP addressing scheme and VLAN assignment:
10.0.40.X --> VLAN 40
10.0.50.X --> VLAN 50
10.0.123.X --> VLAN 123
I guess you get the pattern.
Subnet mask is always /24.... easy for the network manager's management but wasteful on IP..
tech-airman:
jason_leong7 wrote:
tech-airman wrote:
jason_leong7,
What is the subnet address and subnet mask for VLAN 50?
ooo... my IP addressing scheme and VLAN assignment:
10.0.50.X --> VLAN 50
Subnet mask is always /24.... easy for the network manager's management but wasteful on IP..
jason_leong7,
So how did you determine the following?
jason_leong7 wrote:
but... the problem lies in
40 deny ip any 10.0.128.0 0.0.254.255
because it matches in this ACL when I do a continuous ping to the internet;
I fail to connect to the internet and VLAN 50. The ACL should only block from VLAN 100 to VLAN 255, but it blocks VLAN 50 and the internet...
Since VLAN 50 is 10.0.50.0/24, applying the wildcard mask of 0.0.254.255 to it would result in 10.0.0.0 which when compared to 10.0.128.0 is NOT a match, so how could a ping FROM VLAN 100 or subnet address 10.0.100.0 destined for 10.0.50.0 be blocked by the "40 deny ip any 10.0.128.0 0.0.254.255" access list line?
jason_leong7:
40 deny ip any 10.0.128.0 0.0.254.255
was supposed to block 10.0.128.0 to 10.0.255.255...
but I found my mistake... I forgot a permit ip any any at the end of the statement... which would have a deny any any at the end without it...
sorry....
but still.. do you think the access-list is good enough?..
P.S. ... just found out about it when I came back home from the office... I will rectify it tomorrow.
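To check the two points raised in this thread (the wildcard comparison in tech-airman's reply and the missing permit at the end of the list), here is an added example that is not from any of the posters: a small first-match evaluator for the posted ACL using Cisco wildcard semantics (a 1 bit means "don't care"). It assumes the ACL is evaluated on destination only, which holds because every line uses source "any"; the `VLAN100_OUT_FIXED` list is a constructed alternative with a contiguous wildcard for 10.0.128.0-10.0.255.255 and an explicit permit, not a configuration anyone in the thread posted.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.

    Both the candidate address and the ACE's base address are masked with
    the 'care' bits before comparison; comparing an unmasked base to a
    masked address gives the wrong answer for discontiguous wildcards."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def is_contiguous(wildcard: str) -> bool:
    """True only for wildcards of the form 0...01...1 (a plain inverse netmask)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0


# The ACL as posted in the thread: (sequence, action, destination, wildcard).
VLAN100_OUT = [
    (5, "permit", "10.0.100.0", "0.0.0.255"),
    (10, "deny", "10.0.100.0", "0.0.3.255"),
    (20, "deny", "10.0.104.0", "0.0.7.255"),
    (30, "deny", "10.0.112.0", "0.0.15.255"),
    (40, "deny", "10.0.128.0", "0.0.254.255"),  # 254 = 11111110: only bit 0 of octet 3 is checked
]

# Constructed (not posted) correction: 0.0.127.255 covers exactly 10.0.128.0-10.0.255.255,
# and the trailing "permit ip any any" replaces the implicit deny for all other destinations.
VLAN100_OUT_FIXED = VLAN100_OUT[:-1] + [
    (40, "deny", "10.0.128.0", "0.0.127.255"),
    (50, "permit", "0.0.0.0", "255.255.255.255"),
]


def evaluate(acl, dst: str):
    """First-match evaluation; returns (sequence, action), None meaning the implicit deny."""
    for seq, action, base, wc in acl:
        if wildcard_match(dst, base, wc):
            return seq, action
    return None, "deny"


def discontiguous_aces(acl):
    """Sequence numbers of ACEs whose wildcard does not describe one contiguous range."""
    return [seq for seq, _, _, wc in acl if not is_contiguous(wc)]


if __name__ == "__main__":
    for dst in ("10.0.50.1", "10.0.51.1", "10.0.123.5", "10.0.200.1", "8.8.8.8"):
        print(dst, "posted:", evaluate(VLAN100_OUT, dst), "fixed:", evaluate(VLAN100_OUT_FIXED, dst))
    print("discontiguous wildcards in posted ACL:", discontiguous_aces(VLAN100_OUT))
```

Running it shows 10.0.50.1 hitting line 40 of the posted list (any even third octet matches 0.0.254.255), 8.8.8.8 falling to the implicit deny, and both permitted by the corrected list, so adding `permit ip any any` alone would still leave VLAN 50 blocked.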