
Backwards ACL 3750 1

Status
Not open for further replies.

burtsbees

Programmer
Jan 29, 2007
7,657
US
I have several VLANs configured in a 3750 (collapsed core). The two I am concerned with in this question are vlan 10 and vlan 30.

int vlan 10
ip add 10.100.10.254 255.255.255.0
ip access-group 101 in
ip access-group 110 out
!
int vlan 30
ip add 10.100.30.253 255.255.255.0
ip access-group 103 in
ip access-group 130 out
!
ip access-list extended 101
deny udp any any eq 0
deny tcp any any eq 0
!
ip access-list extended 110
blablabla
!
ip access-list extended 130
deny ip any 10.100.10.0 0.0.0.255
permit ip any any

Now acl 130 is supposed to drop packets from a vlan 30 computer destined for a computer in vlan 10. Well, that does not work.
I tried a line on acl 101
deny ip 10.100.30.0 0.0.0.255 any
Still, vlan 30 computers can access vlan 10. So then I tried one line before the previous in acl 101
deny ip any 10.100.30.0 0.0.0.255
That works. WTH???

An access-list is supposed to work from-to, not to-from

access-list 130 deny ip any 10.100.10.0 0.0.0.255 is supposed to say "deny ip from any to 10.100.10.0 0.0.0.255", and outbound on vlan 30, that means "drop any packets from anything behind me (vlan 30) to vlan 10"...right? But then why does it not work, but an acl that is to-from works???

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
An ACL is written in the syntax source <mask> destination <mask>. ACL outbound means toward vlan 30 devices so it would have to read
access-list 130 deny ip 10.100.10.0 0.0.0.255 any
access-list 130 permit ip any any

I think you may be getting your inbound and outbound syntaxes mixed up.

inbound = traffic coming from the subnet to the router interface.
outbound = traffic coming from the router towards devices on the subnet.

If you are trying to deny traffic from vlan 30 to vlan 10 then you would apply the acl "inbound" on vlan 30 thus it should use vlan 103, add a statement to vlan 103

access-list 103 deny ip any 10.100.10.0 0.0.0.255
access-list 103 permit ip any any

acl 101 would work if you add the statement "deny ip any 10.100.30.0 0.0.0.255", this is telling you deny any ip packet destined for the 10.100.30.0. This is applied to the inbound acl on 10 which is correct so basically it says deny any packet (10.100.10.0) from going to 10.100.30.0.
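To make the inbound/outbound point above concrete, here is an added example (not from the thread or from Cisco) that models how an SVI applies its "in" and "out" ACLs to a routed packet and evaluates the poster's ACL 130 placement beside the reply's corrected placement; the ACL parser, the `svi_forwards` model and the assumption that ACLs 103 and 110 are permit-any are all constructed for this example.

```python
import ipaddress

# Added model (not from the thread) of a 3750 SVI applying ACLs to routed traffic:
# a packet is checked by the "in" ACL of the SVI it arrives from and by the "out"
# ACL of the SVI it leaves through. Only "<permit|deny> ip <src> <dst>" lines are
# parsed (address = "any" or "<network> <wildcard>"); other lines are ignored.

def _addr(tok):                      # consume one address spec; None means "any"
    if tok[0] == "any":
        return None, tok[1:]
    return tuple(int(ipaddress.IPv4Address(t)) for t in tok[:2]), tok[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, rest = _addr(tok[2:])
        dst, _ = _addr(rest)
        entries.append((tok[0], src, dst))
    return entries

def _match(spec, ip):                # wildcard bits are "don't care"
    if spec is None:
        return True
    net, wild = spec
    return (int(ipaddress.IPv4Address(ip)) & ~wild) == (net & ~wild)

def acl_action(acl, src, dst):       # first matching entry wins, implicit deny at end
    for action, s, d in acl:
        if _match(s, src) and _match(d, dst):
            return action
    return "deny"

def _svi(vlans, ip):                 # the SVI whose subnet contains ip
    return next(v for v in vlans if ipaddress.ip_address(ip) in ipaddress.ip_network(v["net"]))

def svi_forwards(vlans, src, dst):   # vlans: list of {"net": cidr, "in": acl, "out": acl}
    ingress, egress = _svi(vlans, src), _svi(vlans, dst)
    return (acl_action(ingress["in"], src, dst) == "permit"
            and acl_action(egress["out"], src, dst) == "permit")

PERMIT_ANY = parse_acl("permit ip any any")
DENY_TO_VLAN10 = parse_acl("deny ip any 10.100.10.0 0.0.0.255\npermit ip any any")
def thread_configs():                # poster's placement (out on vlan 30) vs reply's fix (in)
    vlan10 = {"net": "10.100.10.0/24", "in": PERMIT_ANY, "out": PERMIT_ANY}
    as_posted = [vlan10, {"net": "10.100.30.0/24", "in": PERMIT_ANY, "out": DENY_TO_VLAN10}]
    as_fixed = [vlan10, {"net": "10.100.30.0/24", "in": DENY_TO_VLAN10, "out": PERMIT_ANY}]
    return as_posted, as_fixed
```

With the ACL applied "out" on vlan 30, a vlan 30 to vlan 10 packet never passes through that check (it leaves via the vlan 10 SVI), so it is routed; applied "in" on vlan 30 it is dropped. The poster's "that works" line on ACL 101 blocks the vlan 10 to vlan 30 reply packets instead, which is why sessions started from vlan 30 still fail.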
 
That is true---I got the outbound and inbound mixed up. I was overcomplicating the layer 3 switch acl's...

 