[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4980
  • Last Modified:

Vlan Access - List confusion

Two Pc's in two 2 Vlans
PC A - 10.20.20.39 /23 in Vlan A (Vlan A details - ip address10.20.20.1 255.255.254.0)
PC B - 192.168.50.50 /24 in Vlan B ( Vlan B details - ip address 192.168.50.1 255.255.255.0)

This access list applied on interface on Vlan B

ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any

using Ping to test

Applying the access-list with the IN command
Traffic gets from PC A to B but not from B back to A and ping fails - as expected
If I ping the other way then traffic simply won't get from B to A in the first place so there is no reply - as expexted.

Applying the access-list with the OUT command
All traffic gets through wherever I ping from.
When pinging frob B to A Packets still have source B dest A and have to cross this access list and
I can't see how they get through.

Same applies the other way, I can see why A's ping request packets get through but the replies source PC-B to PC-A should fail but they don't they just sail through

I must be missing something obvious - can anyone help

Cheers
Jo
0
Jo Cox
Asked:
Jo Cox
  • 3
  • 3
1 Solution
 
Don JohnstonInstructorCommented:
What should be happening:

Inbound on VLANB interface should have no effect on traffic.
Outbound on VLANB interface should block all traffic from A network to B network.

Can you post the actual config?
0
 
Jo CoxAuthor Commented:
I think these are the only parts of the config that are relevant

!
interface Vlan200
 description *** Test Network ***
 ip address 192.168.50.1 255.255.255.0
 ip access-group Test_Network_Vlan out     //I have been changing this  IN to OUT during the test
!
!
interface Vlan2
 description ** Staff_LAN **
 ip address 10.20.20.1 255.255.254.0
 !

!
ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any
!
0
 
Don JohnstonInstructorCommented:
The behavior is correct for your access-list. What's the problem?
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Jo CoxAuthor Commented:
Access list applied outbound on Vlan B
ping From B to A
Traffic still goes through the access list
Source 192.168.50.50 Dest 10.20.20.39

This should hit the deny statement and fail surely?
0
 
Don JohnstonInstructorCommented:
If the ACL is applied outbound on the VLAN200 interface then traffic from VLAN 200 won't be affected by the ACL as it is inbound traffic on that interface.
0
 
Jo CoxAuthor Commented:
That is indeed a a pretty succinct statement that does explain it. Its taken me a while to get my head round this and I have had laptops in both Vlans running wireshark and pinging eachother. I think I have it figured now. Thanks for the help.
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now