ACL help

ShanmanShanman Member Posts: 223
Ok guys I am getting very frustrated here. I have a quick question on my ACL.

First let me start off with what I am doing. I have created a vlan on a layer 3 switch that will be a guest network that will need no services other then facing the internet. This is taken care of. I want this vlan to be separated from the other vlans. The address block I am using for this vlan is 10.18.11.0\24.

I created a ACL with no lines so the implied deny everything line should stop all traffic. I have applied the ACL to the vlan SVI on inbound and outbound but I am still able to ping it from other vlans??? On the same layer 3 switch I am using this command to test "ping ip 10.18.11.1 source x.x.xx" why would this be happening? Am I missing something here?

Comments

  • binargsbinargs Member Posts: 55 ■■□□□□□□□□
    what does the acl say? can you list that?
    do you have a routing protocal between the networks? nat?

    just from experience, if you are on an asa device you can set the vlan with levels with only the higher level able to access th elower and no vice versa. you can also do a no forward command.
  • ShanmanShanman Member Posts: 223
    binargs wrote: »
    what does the acl say? can you list that?
    do you have a routing protocal between the networks? nat?

    just from experience, if you are on an asa device you can set the vlan with levels with only the higher level able to access th elower and no vice versa. you can also do a no forward command.


    The ACL is blank. So it should theoretically deny everything in and out of the vlan right? I have the ACL applied on the vlan interface for outbound and inbound traffic.

    The route to get out is a default route to the ASA but with this ACL applied it should being denying this traffic as well. I am puzzled.
  • CodeBloxCodeBlox Member Posts: 1,363 ■■■■□□□□□□
    Not sure if ACLs apply in the same manner to SVI interfaces but, why not just create an ACL on the physical interfaces denying traffic to all other vlans?
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • ShanmanShanman Member Posts: 223
    Just for goo measure I wrote one line in the ACL. "Deny ip any any". This will for sure block all traffic. Like I have said before it is applied in inbound and outbound. What is weird is that when I ping with the source address of the guest vlan "10.18.11.1/24 to another vlan's gateway I get a no reply but if I ping a host within that vlan from the guest's vlan gateway I get a reply.

    Sorry if this explanation is getting confusing. I am just trying to get my head around this.

    I do not want to put this ACL on the physical interface and from what I have read you can use the SVI interface for this.
  • Forsaken_GAForsaken_GA Member Posts: 4,024
    Works fine for me

    Rack7SW4#sh run int vlan4
    Building configuration...

    Current configuration : 105 bytes
    !
    interface Vlan4
    ip address 163.7.4.10 255.255.255.0
    ip access-group 1 in
    ip access-group 1 out
    end

    Rack7SW4#sh access-list
    Standard IP access list 1
    10 deny any


    Rack7R5#ping 163.7.4.4 source lo0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 163.7.4.4, timeout is 2 seconds:
    Packet sent with a source address of 150.7.5.5
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
    Rack7R5#ping 163.7.4.10 so
    Rack7R5#ping 163.7.4.10 source lo0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 163.7.4.10, timeout is 2 seconds:
    Packet sent with a source address of 150.7.5.5
    U.U.U
    Success rate is 0 percent (0/5)
    Rack7R5#sh run int lo0
    Building configuration...

    Current configuration : 113 bytes
    !
    interface Loopback0
    ip address 150.7.5.5 255.255.255.0
    ip ospf network point-to-point
    ip ospf 1 area 0
    end

    It's not functioning as a gateway host, just a regular routed port (163.7.4.4 is the actual gateway for the vlan), but the SVI in vlan4 drops the packet just fine
  • ShanmanShanman Member Posts: 223
    Well I figured out what I was doing wrong. As soon as I got out of access list configuration mode it applied and worked. Man I feel dumb!! Thanks guys, guess I was in to big of a hurry.
Sign In or Register to comment.