Solved

VLAN Access-List confusion

Posted on 2007-11-27
4,971 Views
Last Modified: 2013-11-29
Two PCs in two VLANs
PC A - 10.20.20.39 /23 in VLAN A (VLAN A details - ip address 10.20.20.1 255.255.254.0)
PC B - 192.168.50.50 /24 in VLAN B (VLAN B details - ip address 192.168.50.1 255.255.255.0)

This access list is applied on the interface of VLAN B:

ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any

Using ping to test:

Applying the access list with the IN keyword:
Traffic gets from PC A to B but not from B back to A, and the ping fails - as expected.
If I ping the other way, then traffic simply won't get from B to A in the first place, so there is no reply - as expected.

Applying the access list with the OUT keyword:
All traffic gets through wherever I ping from.
When pinging from B to A, packets still have source B and destination A and have to cross this access list, and I can't see how they get through.

The same applies the other way: I can see why A's ping request packets get through, but the replies (source PC-B, destination PC-A) should fail. They don't; they just sail through.

I must be missing something obvious - can anyone help?

Cheers
Jo
Question by:jrb139
6 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 20359225
What should be happening:

Inbound on VLANB interface should have no effect on traffic.
Outbound on VLANB interface should block all traffic from A network to B network.

Can you post the actual config?

Author Comment

by:jrb139
ID: 20359501
I think these are the only parts of the config that are relevant:

!
interface Vlan200
 description *** Test Network ***
 ip address 192.168.50.1 255.255.255.0
 ip access-group Test_Network_Vlan out     ! I have been changing this between IN and OUT during the test
!
!
interface Vlan2
 description ** Staff_LAN **
 ip address 10.20.20.1 255.255.254.0
 !

!
ip access-list extended Test_Network_Vlan
 deny   ip any 10.20.20.0 0.0.1.255
 permit ip any any
!
LVL 50

Expert Comment

by:Don Johnston
ID: 20359587
The behavior is correct for your access-list. What's the problem?

Author Comment

by:jrb139
ID: 20364113
Access list applied outbound on VLAN B.
Ping from B to A.
Traffic still goes through the access list:
Source 192.168.50.50, Dest 10.20.20.39

This should hit the deny statement and fail surely?
LVL 50

Accepted Solution

by: Don Johnston (earned 500 total points)
ID: 20365519
If the ACL is applied outbound on the VLAN200 interface then traffic from VLAN 200 won't be affected by the ACL as it is inbound traffic on that interface.
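The direction rule in the accepted answer, as an added Python example that is not part of the original thread: a small model of a router with the two SVIs, the poster's ACL with Cisco wildcard masks, and a ping() helper that reports whether the echo request and the echo reply are forwarded for a given ACL placement. The interface names, addresses and ACL are the ones posted above; the model's assumption (labelled in the code) is that a routed packet is "inbound" on the SVI of its source subnet and "outbound" on the SVI of its destination subnet, which is exactly why an outbound ACL on Vlan200 never sees traffic originating in VLAN 200.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Values taken from the thread above.
SVIS = {
    "Vlan2": ipaddress.ip_network("10.20.20.0/23"),      # Staff_LAN, PC A
    "Vlan200": ipaddress.ip_network("192.168.50.0/24"),  # Test Network, PC B
}
PC_A = "10.20.20.39"
PC_B = "192.168.50.50"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination specs.
    A spec is "any" or "<network> <wildcard>" in Cisco wildcard-mask form."""
    action: str
    src: str
    dst: str


# ip access-list extended Test_Network_Vlan, as posted in the thread.
TEST_NETWORK_VLAN: List[Ace] = [
    Ace("deny", "any", "10.20.20.0 0.0.1.255"),
    Ace("permit", "any", "any"),
]


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(net)) & care)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False


def svi_for(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    for name, net in SVIS.items():
        if a in net:
            return name
    raise ValueError(f"no SVI for {addr}")


def forward(src: str, dst: str, acl: List[Ace], acl_iface: str, direction: str) -> bool:
    """Return True if the router forwards the packet src -> dst.

    Assumption of this model: the packet enters the router on the SVI of its
    source subnet (inbound on that interface) and leaves on the SVI of its
    destination subnet (outbound). The ACL is consulted only when the packet
    crosses acl_iface in the configured direction."""
    ingress, egress = svi_for(src), svi_for(dst)
    checked = (direction == "in" and ingress == acl_iface) or \
              (direction == "out" and egress == acl_iface)
    return acl_permits(acl, src, dst) if checked else True


def ping(src: str, dst: str, acl: List[Ace], acl_iface: str, direction: str) -> Tuple[bool, bool]:
    """Echo request src -> dst, then echo reply dst -> src.
    Returns (request_forwarded, reply_forwarded)."""
    request_ok = forward(src, dst, acl, acl_iface, direction)
    reply_ok = forward(dst, src, acl, acl_iface, direction) if request_ok else False
    return request_ok, reply_ok


if __name__ == "__main__":
    for direction in ("in", "out"):
        for src, dst in ((PC_A, PC_B), (PC_B, PC_A)):
            req, rep = ping(src, dst, TEST_NETWORK_VLAN, "Vlan200", direction)
            print(f"acl {direction:3} on Vlan200  ping {src} -> {dst}: "
                  f"request {'ok' if req else 'dropped'}, reply {'ok' if rep else 'dropped'}")
```

With the ACL inbound on Vlan200, the only packets the router ever checks are those arriving from VLAN 200; a B-to-A request (destination 10.20.20.39) hits the deny, and an A-to-B reply from PC B hits it too, which matches both observations in the question. With the ACL outbound on Vlan200, the only packets checked are those leaving toward VLAN 200, whose destination is always in 192.168.50.0/24 and so can never match a deny written against 10.20.20.0/23.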

Author Comment

by:jrb139
ID: 20394429
That is indeed a pretty succinct statement that does explain it. It's taken me a while to get my head round this, and I have had laptops in both VLANs running Wireshark and pinging each other. I think I have it figured now. Thanks for the help.