Help with VLAN ACL

I have Cisco 3750 switches in a stack config.

2 VLANs:
vlan1 - 192.168.0.0
vlan50 - 10.50.0.0

I created an ACL and applied it to vlan50 inbound, but I can still ping hosts within vlan50, though I can no longer ping the IP address for vlan50.

For example, I can still ping 10.50.50.100 but no longer 10.50.50.10 (the IP address for vlan50) from the 192.168.0.0 network.

I verified the port the test PC is on is in vlan50.

My ACL is:
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any

If you can help with the Redskins too it would be helpful.
C2_tech asked:

John Meggers, Network Architect, commented:
Your ACL has 192.168.0.0 as the destination. Seems like you want an ACL going the other way, blocking to a destination of 10.50.0.0.

C2_tech (author) commented:
Tried that, getting the same thing.

Should it be applied in or out on the VLAN interface?

Cisco_Certified commented:
You need to use a VACL; RACLs don't work for this type of filtering.
Delete your ACL as well as the access group config on your VLAN interface.

Then configure the following:

config t

access-list 100 permit ip any 192.168.0.0 0.0.0.255

vlan access-map deny_vlan1 10
match ip address 100
action drop
vlan access-map deny_vlan1 20
action forward
exit

vlan filter deny_vlan1 vlan-list 50

C2_tech (author) commented:
Thanks for your help, but I can still ping the 10.50 network from the 192.168 network.

Cisco_Certified commented:
Try this:

Delete ACL 100 and configure the following:

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 100 permit ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.0.255

Cisco_Certified commented:
Keep the other configuration though; you are just replacing ACL 100.

C2_tech (author) commented:
Thank you, but still no luck.

!
!
vlan access-map deny_vlan1 10
 match ip address 100
 action drop
vlan access-map deny_vlan1 20
 action forward
!
vlan filter deny_vlan1 vlan-list 50
vlan internal allocation policy ascending
!
!

!
interface Vlan1
 ip address 192.168.20.80 255.255.248.0
!
interface Vlan50
 ip address 10.50.50.10 255.255.255.0
!
ip default-gateway 192.168.20.1
ip http server
ip http secure-server
!
!
ip sla enable reaction-alerts
logging esm config
logging trap notifications
logging 192.168.20.139
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 100 permit ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.0.255

Cisco_Certified commented:
hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm.....

Can you tell me what the source and destination IP address you are using for ping?

C2_tech (author) commented:
I'm pinging from my laptop, which is 192.168.21.61.

The test PC I'm pinging on the VLAN is 10.50.50.100.

I appreciate your help.

Cisco_Certified commented:
No prob...

Well, there's the problem: the subnets you have configured are different than the ones you indicated in your first post.

Just change the ACL again to the following:

access-list 100 permit ip 192.168.16.0 0.0.7.255 10.50.50.0 0.0.0.255
access-list 100 permit ip 10.50.50.0 0.0.0.255 192.168.16.0 0.0.7.255

Cisco_Certified commented:
Initially, since you didn't provide a subnet mask, I figured you were using /24 subnets. This should fix your problem.

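The reason the earlier ACL never fired is the wildcard-mask arithmetic in the fix above: the laptop at 192.168.21.61 sits in 192.168.16.0/21 (mask 255.255.248.0 on interface Vlan1), so the entries written for 192.168.0.0 0.0.0.255 never matched and the access-map fell through to sequence 20 (forward). The following is an added example, not code from this thread or from Cisco: a small Python model of wildcard matching and of the deny_vlan1 access-map (sequence 10 matches ACL 100 and drops, sequence 20 forwards everything else). The parser only handles the "permit ip SRC DST" form used in this thread, the second intra-VLAN host 10.50.50.20 is a constructed address, and the access-map evaluation is a simplified model of first-matching-clause behaviour, not a reimplementation of IOS.

```python
import ipaddress
from dataclasses import dataclass


def wildcard_from_mask(mask: str) -> str:
    """A Cisco wildcard mask is the bitwise inverse of the subnet mask:
    255.255.248.0 (/21) -> 0.0.7.255, 255.255.255.0 (/24) -> 0.0.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """addr matches 'base wildcard' when every bit that is 0 in the wildcard
    is identical in addr and base; 1 bits in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclEntry:
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _take_address(tokens: list, i: int):
    """Consume one ACL address spec at tokens[i]: 'any', 'host X' or
    'X WILDCARD'. Returns ((base, wildcard), index of the next token)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit ip SRC DST' lines (the only form this
    thread uses) into AclEntry objects; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] != "permit" or t[3] != "ip":
            continue
        (src, src_wc), i = _take_address(t, 4)
        (dst, dst_wc), _ = _take_address(t, i)
        entries.append(AclEntry(src, src_wc, dst, dst_wc))
    return entries


def acl_matches(entries: list, src: str, dst: str) -> bool:
    """Inside a VACL the numbered ACL is only a match list: True if any
    entry's source/destination pair covers the packet."""
    return any(matches(src, e.src, e.src_wc) and matches(dst, e.dst, e.dst_wc)
               for e in entries)


def vacl_action(entries: list, src: str, dst: str) -> str:
    """Simplified model of access-map deny_vlan1 from the thread: sequence 10
    is 'match ip address 100 / action drop', sequence 20 is an unconditional
    'action forward'. Clauses are tried in order; the first hit decides."""
    if acl_matches(entries, src, dst):   # seq 10
        return "drop"
    return "forward"                     # seq 20


# Constructed from the two ACL versions in the thread: the first assumed /24
# subnets, the second uses the real 192.168.16.0/21 and 10.50.50.0/24.
ACL_SLASH24 = """\
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.50.0.0 0.0.0.255
access-list 100 permit ip 10.50.0.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
ACL_SLASH21 = """\
access-list 100 permit ip 192.168.16.0 0.0.7.255 10.50.50.0 0.0.0.255
access-list 100 permit ip 10.50.50.0 0.0.0.255 192.168.16.0 0.0.7.255
"""

if __name__ == "__main__":
    laptop, test_pc = "192.168.21.61", "10.50.50.100"   # addresses from the thread
    print("Vlan1 mask 255.255.248.0 -> wildcard", wildcard_from_mask("255.255.248.0"))
    for name, acl in (("/24 ACL", ACL_SLASH24), ("/21 ACL", ACL_SLASH21)):
        entries = parse_acl(acl)
        print(f"{name}: {laptop} -> {test_pc}: {vacl_action(entries, laptop, test_pc)}")
        print(f"{name}: {test_pc} -> {laptop}: {vacl_action(entries, test_pc, laptop)}")
    # 10.50.50.20 is a constructed intra-VLAN host; the VACL must leave it alone
    print("intra-VLAN 10.50.50.20 -> 10.50.50.100:",
          vacl_action(parse_acl(ACL_SLASH21), "10.50.50.20", test_pc))
```

Run it and the /24 ACL forwards the laptop's traffic in both directions (nothing in ACL 100 matches, so only sequence 20 applies), while the /21 ACL drops it both ways and still forwards traffic between two 10.50.50.0/24 hosts. The same wildcard_from_mask check is worth running on every SVI mask before writing an ACL for it: the error here was not the VACL syntax but an address range that did not cover the real subnet.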
C2_tech (author) commented:
YOU ARE THE MAN or woman, thank you!!!!!!

I'll buy you a beer if you are ever in DC.

Cisco_Certified commented:
hahaha, np man.

C2_tech (author) commented:
You are the best.