Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1404
  • Last Modified:

VLAN access-lists in HSRP based core-switches

HI ,

My scenario is as follows:

a) We have two cisco-4506E switches and HSRP configured between them
b) HSRP configured for both VLAN 120 and VLAN 140 in both core-switches
c) VLAN 120 and VLAN 140 are in both core-switches
d) For VLAN 120, Core-A is Master and Cored-B is standby
e) For VLAN 140, Core-B is Master and Core-A is Standby
f) IP routing is enabled

Requirement :
1) I would like to configure access-lists
2) VLAN 120 users should get ping response from VLAN 140 users and vice versa
3) Remaining services / ports should be blocked

Inputs :
VLAN 120 Network : 192.168.120/24
VLAN 140 Network : 192.168.140.0/24


I have configured  & applied to  VLANs as below in both core-A and Core B switches simillarly
................................................................................
access-list 120 permit icmp 192.168.120.0 0.0.0.255 192.168.140.0 0.0.0.255
access-list 120 deny any any

interface vlan 120
ip access-group 120 in
.................................................................................

access-list 140 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 140 deny any any

interface vlan 140
ip access-group 140 in

.....................................................................................


Questions :

a)with the above configuration , can i get the Ping response from both side simultaneously

b) What willl happen if i say " ip access-group vlan 120 out and ip access-group vlan 140 out"

c) what is difference between in and out commands

Pls clarify
0
RAMU CH
Asked:
RAMU CH
  • 2
  • 2
1 Solution
 
Don JohnstonInstructorCommented:
a) Yes
b) No traffic will be allowed.
c) The direction the ACL is applied. Meaning, which traffic is being tested. With "in", only traffic entering the VLAN interface is checked against the ACL. So in the case of "ip access-group 120 in" on the VLAN 120 interface, traffic leaving VLAN 120 (and entering the VLAN 120 interface) will be checked against ACL 120.  If it were applied outbound, then traffic leaving the VLAN 120 interface going towards VLAN 120 would be checked.
0
 
RAMU CHAuthor Commented:
Thanks for the reply..

Means , if "in" applies , then source IP address should be other vlan network range ?

For VLAN 120 Network , is the access-list should be as follows

access-list 120 permit icmp 192.168.140.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 120 deny any any


interface vlan 120
ip access-group 120 in

Regards
Ram
0
 
Don JohnstonInstructorCommented:
No. The direction is relative to the interface.

Think of yourself as the routing engine. You have "interfaces" that connect to various networks (i.e. your VLAN 120 interface connects to the 192.168.120.0 network).

Traffic coming from the 192.168.120.0 network will be coming IN your VLAN 120 interface. Traffic that you send to the 192.168.120.0 network will be going OUT your VLAN 120 interface.

Does that make sense?
0
 
RAMU CHAuthor Commented:
Tks
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now