Solved

Vlan Access - List confusion

Posted on 2007-11-27
6
4,972 Views
Last Modified: 2013-11-29
Two Pc's in two 2 Vlans
PC A - 10.20.20.39 /23 in Vlan A (Vlan A details - ip address10.20.20.1 255.255.254.0)
PC B - 192.168.50.50 /24 in Vlan B ( Vlan B details - ip address 192.168.50.1 255.255.255.0)

This access list applied on interface on Vlan B

ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any

using Ping to test

Applying the access-list with the IN command
Traffic gets from PC A to B but not from B back to A and ping fails - as expected
If I ping the other way then traffic simply won't get from B to A in the first place so there is no reply - as expexted.

Applying the access-list with the OUT command
All traffic gets through wherever I ping from.
When pinging frob B to A Packets still have source B dest A and have to cross this access list and
I can't see how they get through.

Same applies the other way, I can see why A's ping request packets get through but the replies source PC-B to PC-A should fail but they don't they just sail through

I must be missing something obvious - can anyone help

Cheers
Jo
0
Comment
Question by:jrb139
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 20359225
What should be happening:

Inbound on VLANB interface should have no effect on traffic.
Outbound on VLANB interface should block all traffic from A network to B network.

Can you post the actual config?
0
 

Author Comment

by:jrb139
ID: 20359501
I think these are the only parts of the config that are relevant

!
interface Vlan200
 description *** Test Network ***
 ip address 192.168.50.1 255.255.255.0
 ip access-group Test_Network_Vlan out     //I have been changing this  IN to OUT during the test
!
!
interface Vlan2
 description ** Staff_LAN **
 ip address 10.20.20.1 255.255.254.0
 !

!
ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any
!
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 20359587
The behavior is correct for your access-list. What's the problem?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jrb139
ID: 20364113
Access list applied outbound on Vlan B
ping From B to A
Traffic still goes through the access list
Source 192.168.50.50 Dest 10.20.20.39

This should hit the deny statement and fail surely?
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 20365519
If the ACL is applied outbound on the VLAN200 interface then traffic from VLAN 200 won't be affected by the ACL as it is inbound traffic on that interface.
0
 

Author Comment

by:jrb139
ID: 20394429
That is indeed a a pretty succinct statement that does explain it. Its taken me a while to get my head round this and I have had laptops in both Vlans running wireshark and pinging eachother. I think I have it figured now. Thanks for the help.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question