VLAN access-lists in HSRP based core-switches
HI ,
My scenario is as follows:
a) We have two cisco-4506E switches and HSRP configured between them
b) HSRP configured for both VLAN 120 and VLAN 140 in both core-switches
c) VLAN 120 and VLAN 140 are in both core-switches
d) For VLAN 120, Core-A is Master and Cored-B is standby
e) For VLAN 140, Core-B is Master and Core-A is Standby
f) IP routing is enabled
Requirement :
1) I would like to configure access-lists
2) VLAN 120 users should get ping response from VLAN 140 users and vice versa
3) Remaining services / ports should be blocked
Inputs :
VLAN 120 Network : 192.168.120/24
VLAN 140 Network : 192.168.140.0/24
I have configured & applied to VLANs as below in both core-A and Core B switches simillarly
..........................
access-list 120 permit icmp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255
access-list 120 deny any any
interface vlan 120
ip access-group 120 in
..........................
access-list 140 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 140 deny any any
interface vlan 140
ip access-group 140 in
..........................
Questions :
a)with the above configuration , can i get the Ping response from both side simultaneously
b) What willl happen if i say " ip access-group vlan 120 out and ip access-group vlan 140 out"
c) what is difference between in and out commands
Pls clarify
My scenario is as follows:
a) We have two cisco-4506E switches and HSRP configured between them
b) HSRP configured for both VLAN 120 and VLAN 140 in both core-switches
c) VLAN 120 and VLAN 140 are in both core-switches
d) For VLAN 120, Core-A is Master and Cored-B is standby
e) For VLAN 140, Core-B is Master and Core-A is Standby
f) IP routing is enabled
Requirement :
1) I would like to configure access-lists
2) VLAN 120 users should get ping response from VLAN 140 users and vice versa
3) Remaining services / ports should be blocked
Inputs :
VLAN 120 Network : 192.168.120/24
VLAN 140 Network : 192.168.140.0/24
I have configured & applied to VLANs as below in both core-A and Core B switches simillarly
..........................
access-list 120 permit icmp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255
access-list 120 deny any any
interface vlan 120
ip access-group 120 in
..........................
access-list 140 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 140 deny any any
interface vlan 140
ip access-group 140 in
..........................
Questions :
a)with the above configuration , can i get the Ping response from both side simultaneously
b) What willl happen if i say " ip access-group vlan 120 out and ip access-group vlan 140 out"
c) what is difference between in and out commands
Pls clarify
ASKER
Thanks for the reply..
Means , if "in" applies , then source IP address should be other vlan network range ?
For VLAN 120 Network , is the access-list should be as follows
access-list 120 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 120 deny any any
interface vlan 120
ip access-group 120 in
Regards
Ram
Means , if "in" applies , then source IP address should be other vlan network range ?
For VLAN 120 Network , is the access-list should be as follows
access-list 120 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 120 deny any any
interface vlan 120
ip access-group 120 in
Regards
Ram
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Tks
b) No traffic will be allowed.
c) The direction the ACL is applied. Meaning, which traffic is being tested. With "in", only traffic entering the VLAN interface is checked against the ACL. So in the case of "ip access-group 120 in" on the VLAN 120 interface, traffic leaving VLAN 120 (and entering the VLAN 120 interface) will be checked against ACL 120. If it were applied outbound, then traffic leaving the VLAN 120 interface going towards VLAN 120 would be checked.