Backwards ACL 3750 1

[burtsbees]

I have several VLANs configured in a 3750 (collapsed core). The two I am concerned with in this question are vlan 10 and vlan 30.

int vlan 10
ip add 10.100.10.254 255.255.255.0
ip access-group 101 in
ip access-group 110 out
!
int vlan 30
ip add 10.100.30.253 255.255.255.0
ip access-group 103 in
ip[ access-group 130 out
!
ip access-list extended 101
deny udp any any eq 0
deny tcp any any eq 0
!
ip access-list extended 110
blablabla
!
ip access-list extended 130
deny ip any 10.100.10.0 0.0.0.255
permit ip any any

Now acl 130 is supposed to drop packets from a vlan 30 computer destined for a computer in vlan 10. Well, that does not work.
I tried a line on acl 101
deny ip 10.100.30.0 0.0.0.255 any
Still, vlan 30 computers can access vlan 10. So then I tried one line before the previous in acl 101
deny ip any 10.100.30.0 0.0.0.255
That works. WTH???

An access-list is supposed to work from-to, not to-from

access-list 130 deny ip any 10.100.10.0 0.0.0.255 is supposed to say "deny ip from any to 10.100.10.0 0.0.0.255", and outbound on vlan 30, that means "drop any packets from anything behind me (vlan 30) to vlan 10...right? But then why does it not work, but an acl that is to-from works???

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[burtsbees]

Oops---there is a permit ip any any after each acl. Also, the lines I tried adding were put first, before any other lines (ip access-list extended 130, from glob conf, then the lower sequence numbers, yadayadayada...).

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[vipergg]

Tek-Tips Forums
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS
Hi vipergg
Subscribe To Forums
Tek-Tips Groups
Browse Forums
Jobs
My Threads
My Replies
My Thread Archive
My FAQ Archive
Forum List
Keyword Search
My Info
Personal Profile
Tell A Friend
Whitepapers
Log Out
My Threadminder
Activity since last visit
Remove forum(s) from list
MIS/IT
Bay (Nortel) Networks: Optivity
Cisco Systems: CiscoWorks2000
Network General: Sniffer
OpenOffice.org: Open Source Office Suite
Zone Labs: ZoneAlarm
Communications Rack
Cisco: Routers
Cisco: Switches
Compatible networking solutions
Extreme Networks networking solutions
Foundry Networks solutions
HP: ProCurve networking solutions
Linksys networking solutions
Nortel networking solutions
Data Transmission
Dial-up
DSL / xDSL
Ethernet
SNMP Simple Network Management Protocol
TCP/IP
Wireless Data and Devices
Wiring Closet
Avaya: DEFINITY systems
Avaya: IP Office
Desktop Hardware
PC hardware - General discussion
Desktop Software
Browser issues for IT professionals
Microsoft: Windows 95/98
Certification and Testing
Cisco certification and testing
Feedback
"...I am so glad that I found your site, it is an excellent resource and has helped me greatly..."
More...
Geography
Where in the world do Tek-Tips members come from?
Click Here To Find Out!

Advanced Search
Home > Forums > Communications Rack > Networking > Cisco: Routers Forum
Backwards ACL 3750
thread557-1579037
Forum Search FAQs Links Jobs Whitepapers Forum MVPs
Read
New Posts Reply To
This Thread Start A
New Thread e-mail
E-mail It print
Print Next
Thread
burtsbees (Programmer)
13 Nov 09 19:33
I have several VLANs configured in a 3750 (collapsed core). The two I am concerned with in this question are vlan 10 and vlan 30.

int vlan 10
ip add 10.100.10.254 255.255.255.0
ip access-group 101 in
ip access-group 110 out
!
int vlan 30
ip add 10.100.30.253 255.255.255.0
ip access-group 103 in
ip[ access-group 130 out
!
ip access-list extended 101
deny udp any any eq 0
deny tcp any any eq 0
!
ip access-list extended 110
blablabla
!
ip access-list extended 130
deny ip any 10.100.10.0 0.0.0.255
permit ip any any

Now acl 130 is supposed to drop packets from a vlan 30 computer destined for a computer in vlan 10. Well, that does not work.
I tried a line on acl 101
deny ip 10.100.30.0 0.0.0.255 any
Still, vlan 30 computers can access vlan 10. So then I tried one line before the previous in acl 101
deny ip any 10.100.30.0 0.0.0.255
That works. WTH???

An access-list is supposed to work from-to, not to-from

access-list 130 deny ip any 10.100.10.0 0.0.0.255 is supposed to say "deny ip from any to 10.100.10.0 0.0.0.255", and outbound on vlan 30, that means "drop any packets from anything behind me (vlan 30) to vlan 10...right? But then why does it not work, but an acl that is to-from works???

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

Thank burtsbees
for this valuable post!


Inappropriate post?
If so, Red Flag it!


Check out the FAQ
area for this forum!

New Postvipergg (MIS)
14 Nov 09 17:21
An ACL is written in the syntax source <mask> destination <mask> . ACL outbound means toward vlan 30 devices so it would have to read
access-list 130 deny ip 10.100.10.0 0.0.0.255 any
access-list 130 permit ip any any

I think you may be getting your inbound and outbound syntax's mixed up .

inbound = traffic coming from the subnet to the router interface.
outbound = traffic coming from the router towards devices on the subnet.

If you are trying to deny traffic from vlan 30 to vlan 10 then you would apply the acl "inbound" on vlaN 30 thus it should use vlan 103, add a statement to vlan 103

access-list 103 deny ip any 10.100.10.0 0.0.0.255
permit ip any any

acl 101 would work if you add the statement "deny ip any 10.100.30.0 0.0.0.255 " , this is telling you deny any ip packet destined for the 10.100.30.0 . This is applied to the inbound acl on 10 which is correct so basically it says deny any packet (10.100.10.0) from going to 10.100.30.0 .

 

[vipergg]

Sorry don't know how the extra stuff got in there after cutting and pasting.

An ACL is written in the syntax source <mask> destination <mask> . ACL outbound means toward vlan 30 devices so it would have to read
access-list 130 deny ip 10.100.10.0 0.0.0.255 any
access-list 130 permit ip any any

I think you may be getting your inbound and outbound syntax's mixed up .

inbound = traffic coming from the subnet to the router interface.
outbound = traffic coming from the router towards devices on the subnet.

If you are trying to deny traffic from vlan 30 to vlan 10 then you would apply the acl "inbound" on vlaN 30 thus it should use vlan 103, add a statement to vlan 103

access-list 103 deny ip any 10.100.10.0 0.0.0.255
permit ip any any

acl 101 would work if you add the statement "deny ip any 10.100.30.0 0.0.0.255 " , this is telling you deny any ip packet destined for the 10.100.30.0 . This is applied to the inbound acl on 10 which is correct so basically it says deny any packet (10.100.10.0) from going to 10.100.30.0 .

 

[burtsbees]

That is exactly what I was doing. I figured it was the other way around in a L3 switch, i.e. the destination was the nodes on the LAN. Thanks for clearing that up.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!