May 31st, 2005 20:00
Need help on ACL
I have the following VLANs working as they should.
VLAN 10 (192.168.10.10)
VLAN 20 (192.168.20.10)
VLAN 30 (192.168.30.10)
PC in VLAN 10 on port 3 of 5324
PC in VLAN 20 on port 1 of 5324
PC in VLAN 30 on port 19 of 6024
I need VLAN 10 to not be able to communicate with VLAN 20, but 20 can communicate with 10. They will have IT PCs in 20 that need to be able to RDP into any VLAN.
I created the access-lists as follows:
ip access-list "deny1020"
  deny any 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
  permit any any any
ip access-list "permit2010"
  permit any 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
  exit
I applied deny1020 to VLAN 20 and no effect. I was able to ping both ways.
I then applied the deny1020 to VLAN 10 and lost communication both ways. I removed the ACL on VLAN 10 and applied permit2010 on it and lost communication both ways again. In all these scenarios I am able to get to VLAN 30, which is fine. I also tried rebooting the switch a couple of times, but no luck.
I appreciate any replies in advance.
DELL-Randy
June 29th, 2005 11:00
Keep in mind the ACL configuration is applied as an ingress filter only. As such, traffic that enters the interface (physical, LAG, or VLAN) must match the criteria in order to be forwarded.
It is possible to configure the ACLs such that only one-way communication is permitted; however, the flow of traffic must be considered due to the filtering process. Simply permit only the required protocols to the respective destinations and leave the deny statements summarized in the implicit "deny any any any" appended automatically to the end of each ACL configuration. Ideally, bind this ACL to an interface as close to the source (in your case the IT PCs) as you can.
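To see why the three attempts in the original post behaved as they did, here is an added model (not from the thread or from Dell) of ingress-only, first-match ACL evaluation with an implicit "deny any any any", applied to both directions of a ping. It assumes the addressing in the post (third octet = VLAN id) and ignores protocol and port, so it reproduces only the ping experiments.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    action: str   # "permit" or "deny"
    src: str      # CIDR network or "any"
    dst: str      # CIDR network or "any"


def _match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def ingress_allows(acl, src_ip, dst_ip):
    """First-match evaluation of an ingress ACL; None means no ACL is bound.
    Assumption: every ACL ends with an implicit 'deny any any any'."""
    if acl is None:
        return True
    for e in acl:
        if _match(e.src, src_ip) and _match(e.dst, dst_ip):
            return e.action == "permit"
    return False


# The two ACLs from the post, wildcard masks written as CIDR prefixes.
DENY1020 = [Entry("deny", "192.168.10.0/24", "192.168.20.0/24"),
            Entry("permit", "any", "any")]
PERMIT2010 = [Entry("permit", "192.168.20.0/24", "192.168.10.0/24")]


def vlan_of(ip):
    # Constructed addressing from the post: the third octet is the VLAN id.
    return int(ip.split(".")[2])


def ping_works(bindings, src_ip, dst_ip):
    """bindings maps VLAN id -> ACL bound on that VLAN's ingress.
    The echo request is filtered where it enters (the source VLAN) and the
    echo reply where it enters (the destination VLAN); both must pass."""
    request_ok = ingress_allows(bindings.get(vlan_of(src_ip)), src_ip, dst_ip)
    reply_ok = ingress_allows(bindings.get(vlan_of(dst_ip)), dst_ip, src_ip)
    return request_ok and reply_ok


def scenario(bindings):
    hosts = {10: "192.168.10.10", 20: "192.168.20.10", 30: "192.168.30.10"}
    return {"10->20": ping_works(bindings, hosts[10], hosts[20]),
            "20->10": ping_works(bindings, hosts[20], hosts[10]),
            "20->30": ping_works(bindings, hosts[20], hosts[30])}


if __name__ == "__main__":
    # The three attempts described in the post, in order.
    for name, b in [("deny1020 on VLAN 20", {20: DENY1020}),
                    ("deny1020 on VLAN 10", {10: DENY1020}),
                    ("permit2010 on VLAN 10", {10: PERMIT2010})]:
        print(name, scenario(b))
```

The first binding never sees VLAN 10's traffic, and the other two drop VLAN 10's echo replies on their way back to VLAN 20, which is the "consider the flow" point made in the reply.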