ACL help

Shanman

Ok guys I am getting very frustrated here. I have a quick question on my ACL.

First let me start off with what I am doing. I have created a vlan on a layer 3 switch that will be a guest network that will need no services other then facing the internet. This is taken care of. I want this vlan to be separated from the other vlans. The address block I am using for this vlan is 10.18.11.0\24.

I created a ACL with no lines so the implied deny everything line should stop all traffic. I have applied the ACL to the vlan SVI on inbound and outbound but I am still able to ping it from other vlans??? On the same layer 3 switch I am using this command to test "ping ip 10.18.11.1 source x.x.xx" why would this be happening? Am I missing something here?

binargs

what does the acl say? can you list that?
do you have a routing protocal between the networks? nat?

just from experience, if you are on an asa device you can set the vlan with levels with only the higher level able to access th elower and no vice versa. you can also do a no forward command.

Shanman

binargs wrote: »

what does the acl say? can you list that?
do you have a routing protocal between the networks? nat?

just from experience, if you are on an asa device you can set the vlan with levels with only the higher level able to access th elower and no vice versa. you can also do a no forward command.

The ACL is blank. So it should theoretically deny everything in and out of the vlan right? I have the ACL applied on the vlan interface for outbound and inbound traffic.

The route to get out is a default route to the ASA but with this ACL applied it should being denying this traffic as well. I am puzzled.

CodeBlox

Not sure if ACLs apply in the same manner to SVI interfaces but, why not just create an ACL on the physical interfaces denying traffic to all other vlans?

Shanman

Just for goo measure I wrote one line in the ACL. "Deny ip any any". This will for sure block all traffic. Like I have said before it is applied in inbound and outbound. What is weird is that when I ping with the source address of the guest vlan "10.18.11.1/24 to another vlan's gateway I get a no reply but if I ping a host within that vlan from the guest's vlan gateway I get a reply.

Sorry if this explanation is getting confusing. I am just trying to get my head around this.

I do not want to put this ACL on the physical interface and from what I have read you can use the SVI interface for this.

Forsaken_GA

Works fine for me

Rack7SW4#sh run int vlan4
Building configuration...

Current configuration : 105 bytes
!
interface Vlan4
ip address 163.7.4.10 255.255.255.0
ip access-group 1 in
ip access-group 1 out
end

Rack7SW4#sh access-list
Standard IP access list 1
10 deny any


Rack7R5#ping 163.7.4.4 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.7.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.7.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/60 ms
Rack7R5#ping 163.7.4.10 so
Rack7R5#ping 163.7.4.10 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 163.7.4.10, timeout is 2 seconds:
Packet sent with a source address of 150.7.5.5
U.U.U
Success rate is 0 percent (0/5)
Rack7R5#sh run int lo0
Building configuration...

Current configuration : 113 bytes
!
interface Loopback0
ip address 150.7.5.5 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0
end

It's not functioning as a gateway host, just a regular routed port (163.7.4.4 is the actual gateway for the vlan), but the SVI in vlan4 drops the packet just fine

Shanman

Well I figured out what I was doing wrong. As soon as I got out of access list configuration mode it applied and worked. Man I feel dumb!! Thanks guys, guess I was in to big of a hurry.