Solved

Vlan Access - List confusion

Posted on 2007-11-27
6
4,969 Views
Last Modified: 2013-11-29
Two Pc's in two 2 Vlans
PC A - 10.20.20.39 /23 in Vlan A (Vlan A details - ip address10.20.20.1 255.255.254.0)
PC B - 192.168.50.50 /24 in Vlan B ( Vlan B details - ip address 192.168.50.1 255.255.255.0)

This access list applied on interface on Vlan B

ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any

using Ping to test

Applying the access-list with the IN command
Traffic gets from PC A to B but not from B back to A and ping fails - as expected
If I ping the other way then traffic simply won't get from B to A in the first place so there is no reply - as expexted.

Applying the access-list with the OUT command
All traffic gets through wherever I ping from.
When pinging frob B to A Packets still have source B dest A and have to cross this access list and
I can't see how they get through.

Same applies the other way, I can see why A's ping request packets get through but the replies source PC-B to PC-A should fail but they don't they just sail through

I must be missing something obvious - can anyone help

Cheers
Jo
0
Comment
Question by:jrb139
  • 3
  • 3
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 20359225
What should be happening:

Inbound on VLANB interface should have no effect on traffic.
Outbound on VLANB interface should block all traffic from A network to B network.

Can you post the actual config?
0
 

Author Comment

by:jrb139
ID: 20359501
I think these are the only parts of the config that are relevant

!
interface Vlan200
 description *** Test Network ***
 ip address 192.168.50.1 255.255.255.0
 ip access-group Test_Network_Vlan out     //I have been changing this  IN to OUT during the test
!
!
interface Vlan2
 description ** Staff_LAN **
 ip address 10.20.20.1 255.255.254.0
 !

!
ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any
!
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 20359587
The behavior is correct for your access-list. What's the problem?
0
Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

 

Author Comment

by:jrb139
ID: 20364113
Access list applied outbound on Vlan B
ping From B to A
Traffic still goes through the access list
Source 192.168.50.50 Dest 10.20.20.39

This should hit the deny statement and fail surely?
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 20365519
If the ACL is applied outbound on the VLAN200 interface then traffic from VLAN 200 won't be affected by the ACL as it is inbound traffic on that interface.
0
 

Author Comment

by:jrb139
ID: 20394429
That is indeed a a pretty succinct statement that does explain it. Its taken me a while to get my head round this and I have had laptops in both Vlans running wireshark and pinging eachother. I think I have it figured now. Thanks for the help.
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question