Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

VLAN access-lists in HSRP based core-switches

Posted on 2013-02-07
4
Medium Priority
?
1,354 Views
Last Modified: 2013-02-27
HI ,

My scenario is as follows:

a) We have two cisco-4506E switches and HSRP configured between them
b) HSRP configured for both VLAN 120 and VLAN 140 in both core-switches
c) VLAN 120 and VLAN 140 are in both core-switches
d) For VLAN 120, Core-A is Master and Cored-B is standby
e) For VLAN 140, Core-B is Master and Core-A is Standby
f) IP routing is enabled

Requirement :
1) I would like to configure access-lists
2) VLAN 120 users should get ping response from VLAN 140 users and vice versa
3) Remaining services / ports should be blocked

Inputs :
VLAN 120 Network : 192.168.120/24
VLAN 140 Network : 192.168.140.0/24


I have configured  & applied to  VLANs as below in both core-A and Core B switches simillarly
................................................................................
access-list 120 permit icmp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255
access-list 120 deny any any

interface vlan 120
ip access-group 120 in
.................................................................................

access-list 140 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 140 deny any any

interface vlan 140
ip access-group 140 in

.....................................................................................


Questions :

a)with the above configuration , can i get the Ping response from both side simultaneously

b) What willl happen if i say " ip access-group vlan 120 out and ip access-group vlan 140 out"

c) what is difference between in and out commands

Pls clarify
0
Comment
Question by:RAMU CH
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 38863920
a) Yes
b) No traffic will be allowed.
c) The direction the ACL is applied. Meaning, which traffic is being tested. With "in", only traffic entering the VLAN interface is checked against the ACL. So in the case of "ip access-group 120 in" on the VLAN 120 interface, traffic leaving VLAN 120 (and entering the VLAN 120 interface) will be checked against ACL 120.  If it were applied outbound, then traffic leaving the VLAN 120 interface going towards VLAN 120 would be checked.
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 38866993
Thanks for the reply..

Means , if "in" applies , then source IP address should be other vlan network range ?

For VLAN 120 Network , is the access-list should be as follows

access-list 120 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 120 deny any any


interface vlan 120
ip access-group 120 in

Regards
Ram
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 1500 total points
ID: 38868971
No. The direction is relative to the interface.

Think of yourself as the routing engine. You have "interfaces" that connect to various networks (i.e. your VLAN 120 interface connects to the 192.168.120.0 network).

Traffic coming from the 192.168.120.0 network will be coming IN your VLAN 120 interface. Traffic that you send to the 192.168.120.0 network will be going OUT your VLAN 120 interface.

Does that make sense?
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 38933578
Tks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction Many times we come across a slowness or instability between two hosts, and almost always we blame the poor networking guys, just because they're an easy target.  Sometimes we forget that other factors including disk bottlenecks, CPU …
Managing 24/7 IT Operations is a hands-on job and indeed a difficult one. Over the years I have found some simple tips and techniques to increase the efficiency of the overall operations. The core concept has always been on continuous improvement; a…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question