Solved

Cisco 6500 Vlan Access List

Posted on 2012-08-30
1,349 Views
Last Modified: 2012-08-30
I have about 5 VLANs, but for two of them, 101 and 102, I want to restrict the traffic so that traffic coming from each of those can only go to the other. So VLAN 101 and 102 can communicate with each other, but neither can communicate with 66, 77, 88.

The Vlan101 network is 10.170.1.0/24 and the Vlan102 network is 10.171.1.0/24

I tried using the following access-lists but all traffic is blocked

(Apply this ACL to the Vlan101 interface, direction in)
ip access-list standard IN101
permit 10.171.0.0 0.255.255.255


(Apply this ACL to the Vlan102 interface, direction in)
ip access-list standard IN102
permit 10.170.0.0 0.255.255.255


What am I doing wrong that all traffic in and out of those vlans gets blocked?
Question by:akalbfell
7 Comments
 
LVL 5

Expert Comment

by:dallensworth
ID: 38350505
For what you're wanting to do, I think you should alter your mask to the following; otherwise you're allowing all 10.x.x.x traffic:

permit 10.171.1.0 0.0.0.255  & permit 10.170.1.0 0.0.0.255

Do a show access-lists and see if your permit statement is hitting. It will have a log at the end of each permit statement with the number of times it's been applied to traffic.

Then you mention having the "ip access-group IN101 in" statement applied to the VLAN interface, but I don't see that code snippet.
LVL 8

Author Comment

by:akalbfell
ID: 38350684
To your points...

That was a typo when I typed the config on here. On the device the access list is correct: 0.0.0.255 for the wildcard.

I do get hits on the permit statement when running constant pings, but the pings fail. If I remove the ACLs from the interfaces, pings resume again.

ACLs are applied as follows:
int vlan101
ip access-group IN101 in

int vlan102
ip access-group IN102 in
LVL 8

Author Comment

by:akalbfell
ID: 38350714
Just to clarify, here is what I get. I added a "deny any log" at the end so we could see that:

show ip access-lists
standard ip access list IN101
     permit 10.171.1.0 wildcard bits 0.0.0.255 log check=143
     deny any log (35 matches)
standard ip access list IN102
     permit 10.170.1.0 wildcard bits 0.0.0.255 log check=101
     deny any log (9 matches)
LVL 2

Expert Comment

by:Sepist
ID: 38351138
Standard access-lists match the source, not the destination, so in your case you are telling VLAN 101 to permit traffic from 10.171.1.0 to be routed out of the VLAN but deny everything else; the same with VLAN 101 but matching 10.170.1.0.

Change:

int vlan101
ip access-group IN101 in

int vlan102
ip access-group IN102 in

To:

int vlan101
ip access-group IN101 out

int vlan102
ip access-group IN102 out


or use extended/numbered access-lists
LVL 8

Author Comment

by:akalbfell
ID: 38351400
Sorry, I am confused. I am only matching the source. I also tried using an extended list; it doesn't help.
LVL 2

Accepted Solution

by: Sepist (earned 2000 total points)
ID: 38351432
If you change the config to this:

int vlan101
ip access-group IN101 out

Packets matching 10.171.1.0/24 will be allowed out to VLAN 101

and this:

int vlan102
ip access-group IN102 out

will match packets 10.170.1.0/24 going out to VLAN 102
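To make the direction semantics in this thread concrete, here is a small Python model of standard-ACL matching on an SVI, added as an example and not part of any of the posts above. It uses the thread's two ACLs (with the 0.0.0.255 wildcard the author says is on the device) and both placements, original "in" and accepted "out"; the VLAN 66 subnet and the host addresses are constructed, since the thread does not give them. Running it beyond the thread's own cases also shows one thing the thread does not cover: with the "out" placement a single packet from VLAN 101 to VLAN 66 is still forwarded, and only the reply is dropped.

```python
import ipaddress

# Networks from the thread; VLAN 66's subnet is not given there, so it is a
# constructed placeholder for a third VLAN to test against.
VLAN_NETS = {"vlan101": "10.170.1.0/24", "vlan102": "10.171.1.0/24",
             "vlan66": "10.66.1.0/24"}

# The thread's standard ACLs (source only), with the 0.0.0.255 wildcard the
# author says is on the device; each list ends with the implicit "deny any".
ACLS = {"IN101": [("permit", "10.171.1.0", "0.0.0.255")],
        "IN102": [("permit", "10.170.1.0", "0.0.0.255")]}

# The two placements discussed in the thread: {svi: (acl, direction)}.
ORIGINAL = {"vlan101": ("IN101", "in"), "vlan102": ("IN102", "in")}
ACCEPTED = {"vlan101": ("IN101", "out"), "vlan102": ("IN102", "out")}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard (inverse mask) match: a 1 bit in the wildcard means 'ignore'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def standard_acl_permits(acl_name, src):
    """Walk the entries top-down against the SOURCE address; implicit deny at the end."""
    for action, base, wildcard in ACLS[acl_name]:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def vlan_of(ip):
    """The SVI whose subnet contains ip, i.e. the VLAN a packet enters or exits through."""
    for svi, net in VLAN_NETS.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(net):
            return svi
    raise ValueError(f"{ip} is not in any modelled VLAN")

def routed(src, dst, bindings):
    """One packet through the switch: an 'in' ACL is checked on the SVI the packet
    arrives from, an 'out' ACL on the SVI it is forwarded into."""
    for svi, (acl, direction) in bindings.items():
        arriving = direction == "in" and vlan_of(src) == svi
        leaving = direction == "out" and vlan_of(dst) == svi
        if (arriving or leaving) and not standard_acl_permits(acl, src):
            return False
    return True

def ping_ok(src, dst, bindings):
    """A ping needs both the echo request and the echo reply to be routed."""
    return routed(src, dst, bindings) and routed(dst, src, bindings)
```

With ORIGINAL, a host in VLAN 101 sourcing 10.170.1.x never matches IN101's permit for 10.171.1.0, so the request is dropped on entry and only the implicit deny counts up, exactly the "deny any log" hits shown above.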
LVL 8

Author Closing Comment

by:akalbfell
ID: 38351487
Thanks.