akalbfell

asked on

Cisco 6500 Vlan Access List

I have about 5 vlans, but for two of them, 101 and 102, I want to restrict the traffic so that traffic coming from each of those can only go to the other. So vlan 101 and 102 can communicate with each other, but neither can communicate with 66, 77, 88.

The Vlan101 network is 10.170.1.0/24 and the Vlan102 network is 10.171.1.0/24

I tried using the following access-lists, but all traffic is blocked.

(Apply this ACL to the Vlan101 interface, direction in)
ip access-list standard IN101
permit 10.171.0.0 0.255.255.255


(Apply this ACL to the Vlan102 interface, direction in)
ip access-list standard IN102
permit 10.170.0.0 0.255.255.255


What am I doing wrong that all traffic in and out of those vlans gets blocked?
dallensworth

For what you're wanting to do, I think you should alter your mask to the following; otherwise you're allowing 10. traffic:

permit 10.171.1.0 0.0.0.255  & permit 10.170.1.0 0.0.0.255

Do a show access-lists and see if your permit statement is hitting. It will have a log at the end of each permit statement with the number of times it's been applied to traffic.

Then you mention having the ip access-group IN101 in statement applied to the vlan interface, but I don't see that code snippet.
akalbfell

ASKER

To your points...

That was a typo when I typed the config on here. On the device the access list is correct: 0.0.0.255 for the wildcard.

I do get hits on the permit statement when running constant pings, but the pings fail. If I remove the ACLs from the interfaces, pings resume again.

ACLs are applied as follows:
int vlan101
ip access-group IN101 in

int vlan102
ip access-group IN102 in
Just to clarify, here is what I get. I added a deny any log at the end so we could see that:

show ip access-lists
standard ip access list IN101
     permit 10.171.1.0 wildcard bits 0.0.0.255 log check=143
     deny any log (35 matches)
standard ip access list IN102
     permit 10.170.1.0 wildcard bits 0.0.0.255 log check=101
     deny any log (9 matches)
Standard access-lists match the source, not the destination - so in your case you are telling VLAN 101 to permit traffic from 10.171.1.0 to be routed out of the VLAN, but deny everything else; same with VLAN 102, but matching 10.170.1.0.

Change:

int vlan101
ip access-group IN101 in

int vlan102
ip access-group IN102 in

To:

int vlan101
ip access-group IN101 out

int vlan102
ip access-group IN102 out


or use extended/numbered access-lists
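To illustrate the source-matching and direction point made above, here is an added Python model of IOS wildcard matching and first-match ACL evaluation (it is not from the thread or its accepted solution). It runs the asker's two lists against constructed hosts; the 10.77.1.5 address standing in for VLAN 77 and the extended-ACL variant EXT101 are assumptions of the example.

```python
import ipaddress

# IOS wildcard mask: a 0 bit must match the base address, a 1 bit is ignored.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

# Entries are (action, src_base, src_wc, dst_base, dst_wc); a standard entry has
# dst_base=None. First match wins, and IOS appends an implicit "deny any".
def evaluate(acl, src: str, dst: str) -> str:
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and (
                d_base is None or wildcard_match(dst, d_base, d_wc)):
            return action
    return "deny"

# The asker's standard lists, with the /24 wildcard they say is on the device.
IN101 = [("permit", "10.171.1.0", "0.0.0.255", None, None)]
IN102 = [("permit", "10.170.1.0", "0.0.0.255", None, None)]

# Constructed hosts in Vlan101, Vlan102 and an unrelated VLAN (10.77.1.5 is a
# made-up address standing in for VLAN 77).
H101, H102, H77 = "10.170.1.10", "10.171.1.20", "10.77.1.5"

def asker_inbound_results():
    # A ping from a Vlan101 host enters the Vlan101 SVI with src=10.170.1.10,
    # which IN101 never permits, so in this model it falls through to deny any.
    return {"101->102 in on Vlan101": evaluate(IN101, H101, H102),
            "102->101 in on Vlan102": evaluate(IN102, H102, H101)}

def outbound_results():
    # The same lists applied "out": traffic leaving the Vlan101 SVI towards
    # Vlan101 hosts is sourced from Vlan102 (permitted) or VLAN 77 (denied).
    return {"102->101 out on Vlan101": evaluate(IN101, H102, H101),
            "77->101 out on Vlan101": evaluate(IN101, H77, H101)}

# Extended variant applied inbound on Vlan101: match the own subnet as source and
# restrict the destination to Vlan102 (an example, not the thread's accepted fix).
EXT101 = [("permit", "10.170.1.0", "0.0.0.255", "10.171.1.0", "0.0.0.255")]

def extended_inbound_results():
    return {"101->102": evaluate(EXT101, H101, H102),
            "101->77": evaluate(EXT101, H101, H77)}

def loose_mask_matches() -> bool:
    # dallensworth's point: a 0.255.255.255 wildcard admits any 10.x.x.x source.
    return wildcard_match(H77, "10.171.0.0", "0.255.255.255")
```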
Sorry, I am confused. I am only matching the source. I also tried using an extended list; it doesn't help.
ASKER CERTIFIED SOLUTION
Sepist
thanks