Help with VLAN ACL

I have Cisco 3750 switches in a stack config.

2 VLANs:
vlan1 - 192.168.0.0
vlan50 - 10.50.0.0

I created an ACL and applied it to vlan50 incoming, but I still can ping hosts within vlan50, though I no longer can ping the IP address for vlan50.

For example, I can still ping 10.50.50.100 but no longer 10.50.50.10 (IP address for vlan50) from the 192.168.0.0 network.

I verified the port the test PC is on is in vlan50.

My ACL is:
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any

If you can help with the Redskins too it would be helpful.
John Meggers (Network Architect) commented:
Your ACL has 192.168.0.0 as the destination. Seems like you want an ACL going the other way, blocking to a destination of 10.50.0.0.
0
 
C2_tech (Author) commented:
Tried that, getting the same thing.

Should it be applied to in or out on the VLAN interface?
0
 
Cisco_Certified commented:
You need to use a VACL; RACLs don't work for this type of filtering.
Delete your ACL as well as the access group config on your VLAN interface.

Then configure the following:

config t

access-list 100 permit ip any 192.168.0.0 0.0.0.255

vlan access-map deny_vlan1 10
match ip address 100
action drop
vlan access-map deny_vlan1 20
action forward
exit

vlan filter deny_vlan1 vlan-list 50
0
 
C2_tech (Author) commented:
Thanks for your help, but I still can ping the 10.50 network from the 192.168 network.
0
 
Cisco_Certified commented:
Try this:

Delete ACL 100 and configure the following:

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 100 permit ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.0.255
0
 
Cisco_Certified commented:
Keep the other configuration though; you are just replacing ACL 100.
0
 
C2_tech (Author) commented:
Thank you, but still no luck.

!
!
vlan access-map deny_vlan1 10
 match ip address 100
 action drop
vlan access-map deny_vlan1 20
 action forward
!
vlan filter deny_vlan1 vlan-list 50
vlan internal allocation policy ascending
!
!

!
interface Vlan1
 ip address 192.168.20.80 255.255.248.0
!
interface Vlan50
 ip address 10.50.50.10 255.255.255.0
!
ip default-gateway 192.168.20.1
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
logging esm config
logging trap notifications
logging 192.168.20.139
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 100 permit ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.0.255
0
 
Cisco_Certified commented:
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.....

Can you tell me what source and destination IP addresses you are using for the ping?
0
 
C2_tech (Author) commented:
I'm pinging from my laptop, which is 192.168.21.61.

The test PC I'm pinging on the VLAN is 10.50.50.100.

I appreciate your help.
0
 
Cisco_Certified commented:
No prob...

Well, there's the problem: the subnets you have configured are different from the ones you indicated in your first post.

Just change the ACL again to the following:

access-list 100 permit ip 192.168.16.0 0.0.7.255 10.50.50.0 0.0.0.255
access-list 100 permit ip 10.50.50.0 0.0.0.255 192.168.16.0 0.0.7.255
0
 
Cisco_Certified commented:
Initially, since you didn't provide a subnet mask, I figured you were using /24 subnets. This should fix your problem.
0
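As an added illustration (not part of the thread), the following script emulates how the VACL above evaluates a flow against the two versions of ACL 100 using Cisco wildcard-mask semantics, showing why the /24 guess never matched the laptop at 192.168.21.61 (which sits in 192.168.16.0/21, mask 255.255.248.0) while the corrected 0.0.7.255 wildcard does. The ACL tuples and the drop/forward sequence mirror the configuration posted in the thread; the function names are my own.

```python
import ipaddress


def wildcard_from_mask(mask: str) -> str:
    """Convert a subnet mask (e.g. 255.255.248.0) to a Cisco wildcard (0.0.7.255)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def ace_match(ace, src: str, dst: str) -> bool:
    """One access-list entry: (src_net, src_wildcard, dst_net, dst_wildcard)."""
    src_net, src_wc, dst_net, dst_wc = ace
    return wildcard_match(src, src_net, src_wc) and wildcard_match(dst, dst_net, dst_wc)


def vacl_action(acl, src: str, dst: str) -> str:
    """Emulate access-map deny_vlan1: seq 10 drops on an ACL 100 match, seq 20 forwards."""
    return "drop" if any(ace_match(ace, src, dst) for ace in acl) else "forward"


# Second attempt in the thread, assuming /24 for both subnets.
ACL_100_V24 = [
    ("192.168.0.0", "0.0.0.255", "10.50.0.0", "0.0.0.255"),
    ("10.50.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
]
# Final version: 192.168.16.0/21 (wildcard 0.0.7.255) and 10.50.50.0/24.
ACL_100_FINAL = [
    ("192.168.16.0", "0.0.7.255", "10.50.50.0", "0.0.0.255"),
    ("10.50.50.0", "0.0.0.255", "192.168.16.0", "0.0.7.255"),
]

# Addresses from the thread: the laptop doing the ping and the test PC in VLAN 50.
LAPTOP, TEST_PC = "192.168.21.61", "10.50.50.100"

if __name__ == "__main__":
    print("wildcard for 255.255.248.0:", wildcard_from_mask("255.255.248.0"))
    for name, acl in (("/24 guess", ACL_100_V24), ("final /21", ACL_100_FINAL)):
        print(f"{name}: laptop->pc {vacl_action(acl, LAPTOP, TEST_PC)}, "
              f"pc->laptop {vacl_action(acl, TEST_PC, LAPTOP)}")
```

Run it against a flow that should still be allowed (for example, two hosts inside 10.50.50.0/24) to confirm the forward path is untouched before deploying a changed mask.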
 
C2_tech (Author) commented:
YOU ARE THE MAN or woman, thank you!!!!!!

I'll buy you a beer if you are ever in DC.
0
 
Cisco_Certified commented:
Hahaha, np man.
0
 
C2_tech (Author) commented:
You are the best.
0