Jo Cox
Vlan Access - List confusion
Two PCs in two VLANs
PC A - 10.20.20.39 /23 in Vlan A (Vlan A details - ip address 10.20.20.1 255.255.254.0)
PC B - 192.168.50.50 /24 in Vlan B (Vlan B details - ip address 192.168.50.1 255.255.255.0)
This access list applied on interface on Vlan B
ip access-list extended Test_Network_Vlan
deny ip any 10.20.20.0 0.0.1.255
permit ip any any
Using ping to test.
Applying the access-list with the IN command
Traffic gets from PC A to B but not from B back to A and the ping fails - as expected.
If I ping the other way then traffic simply won't get from B to A in the first place so there is no reply - as expected.
Applying the access-list with the OUT command
All traffic gets through wherever I ping from.
When pinging from B to A, packets still have source B, dest A and have to cross this access list, and
I can't see how they get through.
The same applies the other way: I can see why A's ping request packets get through, but the replies (source PC-B to PC-A) should fail. They don't; they just sail through.
I must be missing something obvious - can anyone help
Cheers
Jo
ASKER
I think these are the only parts of the config that are relevant
!
interface Vlan200
description *** Test Network ***
ip address 192.168.50.1 255.255.255.0
ip access-group Test_Network_Vlan out
! I have been changing this between IN and OUT during the test
!
!
interface Vlan2
description ** Staff_LAN **
ip address 10.20.20.1 255.255.254.0
!
!
ip access-list extended Test_Network_Vlan
deny ip any 10.20.20.0 0.0.1.255
permit ip any any
!
!
The behavior is correct for your access-list. What's the problem?
ASKER
Access list applied outbound on Vlan B
ping From B to A
Traffic still goes through the access list
Source 192.168.50.50 Dest 10.20.20.39
This should hit the deny statement and fail surely?
ASKER
That is indeed a pretty succinct statement that does explain it. It's taken me a while to get my head round this and I have had laptops in both VLANs running Wireshark and pinging each other. I think I have it figured now. Thanks for the help.
Inbound on VLANB interface should have no effect on traffic.
Outbound on VLANB interface should block all traffic from A network to B network.
Can you post the actual config?
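As an added illustration (not code from the thread), here is a small Python model of how an ACL bound to the Vlan200 SVI sees routed packets in the IN and OUT directions. The networks and ACL entries are the ones from the question; the function names and the simplified direction model are my own assumptions. Direction is relative to the router: IN evaluates packets arriving from hosts in that VLAN, OUT evaluates packets the router forwards toward hosts in that VLAN.

```python
import ipaddress

# Constructed from the question: the two SVI subnets.
VLAN_A = ipaddress.ip_network("10.20.20.0/23")     # interface Vlan2, 10.20.20.1
VLAN_B = ipaddress.ip_network("192.168.50.0/24")   # interface Vlan200, 192.168.50.1

# ACL Test_Network_Vlan from the question, as (action, source, destination).
# Each address is (base, wildcard); "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL = [
    ("deny",   ("0.0.0.0", "255.255.255.255"), ("10.20.20.0", "0.0.1.255")),
    ("permit", ("0.0.0.0", "255.255.255.255"), ("0.0.0.0", "255.255.255.255")),
]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def acl_action(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, (sbase, swild), (dbase, dwild) in acl:
        if wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild):
            return action
    return "deny"

def svi_sees_packet(vlan_net, direction, src, dst):
    """Is the ACL on this SVI consulted for this packet at all? (assumed model)"""
    if direction == "in":
        return ipaddress.ip_address(src) in vlan_net   # entering the router from this VLAN
    return ipaddress.ip_address(dst) in vlan_net       # leaving the router toward this VLAN

def forwarded(acl, vlan_net, direction, src, dst):
    """True if the packet is forwarded: either the ACL never sees it, or it permits it."""
    if not svi_sees_packet(vlan_net, direction, src, dst):
        return True
    return acl_action(acl, src, dst) == "permit"

def ping(acl, vlan_net, direction, src, dst):
    """A ping succeeds only if the echo request and the echo reply are both forwarded."""
    return forwarded(acl, vlan_net, direction, src, dst) and \
           forwarded(acl, vlan_net, direction, dst, src)
```

With the ACL OUT on Vlan200, every packet it evaluates has a destination in 192.168.50.0/24, so the deny on 10.20.20.0/23 can never match and both pings succeed; applied IN, the B-to-A leg is seen and denied, so both pings fail.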