Vlan Access - List confusion

Posted on 2007-11-27
Last Modified: 2013-11-29
Two PCs in two VLANs
PC A - 10.20.20.39 /23 in Vlan A (Vlan A details - ip address 10.20.20.1 255.255.254.0)
PC B - 192.168.50.50 /24 in Vlan B (Vlan B details - ip address 192.168.50.1 255.255.255.0)

This access list is applied on the interface of Vlan B

ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any

Using ping to test:

Applying the access-list with the IN command
Traffic gets from PC A to B but not from B back to A, and the ping fails - as expected.
If I ping the other way, then traffic simply won't get from B to A in the first place, so there is no reply - as expected.

Applying the access-list with the OUT command
All traffic gets through wherever I ping from.
When pinging from B to A, packets still have source B, dest A and have to cross this access list, and I can't see how they get through.

The same applies the other way: I can see why A's ping request packets get through, but the replies (source PC-B, dest PC-A) should fail. They don't; they just sail through.

I must be missing something obvious - can anyone help?

Cheers
Jo
Question by: Jo Cox
Expert Comment by: Don Johnston (ID: 20359225)
What should be happening:

Inbound on VLANB interface should have no effect on traffic.
Outbound on VLANB interface should block all traffic from A network to B network.

Can you post the actual config?
Author Comment by: Jo Cox (ID: 20359501)
I think these are the only parts of the config that are relevant

!
interface Vlan200
 description *** Test Network ***
 ip address 192.168.50.1 255.255.255.0
 ip access-group Test_Network_Vlan out
 ! I have been changing this between "in" and "out" during the test
!
!
interface Vlan2
 description ** Staff_LAN **
 ip address 10.20.20.1 255.255.254.0
 !

!
ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any
!
Expert Comment by: Don Johnston (ID: 20359587)
The behavior is correct for your access-list. What's the problem?
Author Comment by: Jo Cox (ID: 20364113)
Access list applied outbound on Vlan B
ping From B to A
Traffic still goes through the access list
Source 192.168.50.50 Dest 10.20.20.39

Surely this should hit the deny statement and fail?

Accepted Solution

by:
Don Johnston earned 2000 total points
ID: 20365519
If the ACL is applied outbound on the VLAN200 interface then traffic from VLAN 200 won't be affected by the ACL as it is inbound traffic on that interface.
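The direction rule in the accepted answer, worked through as an added example (this is not code from the thread or from Cisco). It parses the thread's own `Test_Network_Vlan` access list in IOS syntax, including the wildcard mask, and then replays the four ping exchanges from the question with the ACL applied `in` and `out` on the VLAN200 SVI. One assumption, stated in the code: a packet is treated as "inbound" on the SVI when its source sits on the SVI's subnet and "outbound" when its destination does, which holds for two directly connected hosts like PC A and PC B but is a simplification of how a real router picks ingress and egress interfaces. Only `ip` entries are modelled, and the implicit deny at the end of every IOS ACL is included.

```python
"""Cisco IOS extended-ACL direction semantics on a VLAN SVI (added worked example).

Reproduces the two-VLAN setup from the question: VLAN200 = 192.168.50.0/24
(PC B), VLAN2 = 10.20.20.0/23 (PC A). Shows why `ip access-group ... out`
on interface Vlan200 never sees VLAN200-sourced packets, while `in` does.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# The access list exactly as posted in the thread.
ACL_TEXT = """\
ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any
"""

VLAN200 = "192.168.50.0/24"   # subnet of the SVI carrying the access-group
PC_A = "10.20.20.39"          # host in VLAN2 (10.20.20.0/23)
PC_B = "192.168.50.50"        # host in VLAN200


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def _parse_addr(tokens, i):
    """Parse one address field: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # IOS wildcard: 0 bits must match, 1 bits are don't-care -> invert to a netmask.
    wildcard = int(IPv4Address(tokens[i + 1]))
    netmask = IPv4Address((~wildcard) & 0xFFFFFFFF)
    return IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse a named extended ACL body into an ordered list of Ace entries ('ip' only)."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                       # header line, blank, or remark
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def acl_permits(aces, src, dst):
    """First-match evaluation; falls through to the implicit deny."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def crosses_svi(subnet, direction, src, dst):
    """Assumption (simplified model): a packet is 'in' on the SVI when its source is
    on the SVI's subnet (it arrived from that VLAN) and 'out' when its destination
    is (the router is forwarding it into that VLAN)."""
    subnet = IPv4Network(subnet)
    if direction == "in":
        return IPv4Address(src) in subnet
    if direction == "out":
        return IPv4Address(dst) in subnet
    raise ValueError(f"unknown direction {direction!r}")


def simulate_ping(aces, svi_subnet, direction, pinger, target):
    """Return (request_passes, reply_passes) for one ICMP echo exchange.
    The ACL is only consulted for packets that cross the SVI in `direction`."""
    def passes(src, dst):
        if not crosses_svi(svi_subnet, direction, src, dst):
            return True                    # ACL never sees this packet
        return acl_permits(aces, src, dst)

    request = passes(pinger, target)
    reply = request and passes(target, pinger)   # no reply if the request was dropped
    return request, reply


ACES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for direction in ("in", "out"):
        for pinger, target in ((PC_B, PC_A), (PC_A, PC_B)):
            req, rep = simulate_ping(ACES, VLAN200, direction, pinger, target)
            print(f"access-group {direction:<3}  ping {pinger} -> {target}: "
                  f"request {'passes' if req else 'dropped'}, "
                  f"reply {'passes' if rep else 'dropped'}")
```

Run it and the `out` rows show every packet passing: the only packets that leave the router into VLAN200 are addressed to 192.168.50.x, which can never match `deny ip any 10.20.20.0 0.0.1.255`, so the `permit ip any any` line always wins. The `in` rows reproduce what the question reports: B's requests to A are dropped, and A's requests reach B but B's replies are dropped on their way back. To stop VLAN200 hosts from reaching 10.20.20.0/23, the access-group belongs `in` on interface Vlan200.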
Author Comment by: Jo Cox (ID: 20394429)
That is indeed a pretty succinct statement that does explain it. It's taken me a while to get my head round this, and I have had laptops in both Vlans running Wireshark and pinging each other. I think I have it figured now. Thanks for the help.