
VLAN and access-list 1

Status
Not open for further replies.

Netomaniac

Technical User
Jun 8, 2006
64
US
Guys,

Will this cause a routing issue? The VLAN named Y has a subnet mask of xxx.xxx.202.0/25 and the access-list created for the same Y VLAN is xxx.xxx.202.0/26.

The subnet masks created are different.

But the IP addresses used in the Layer 3 switch from these VLANs are xxx.xxx.202.1/25 and xxx.xxx.202.2/25.

Neto...............
 
Yes---the /26 defines hosts in .1 thru .63, and even though the /25 mask covers more hosts (hosts .1 thru .127), the IP addresses fall under the ACL rule, because it resides in the same subnet. The solution would be to rewrite the ACL so that it covered x.x.202.64 0.0.0.63---that way, though the VLAN management interface resides in the same address block, the ACL would only apply to the next /26 block. Make sense?

Burt
 
As you say, the VLAN overlaps the ACL created for the VLAN. The VLAN has more IP addresses than the ACL for the VLAN, which prevents x.x.202.64 through x.x.202.128 from routing through the switch.

But my question: since the used IP addresses reside in the overlapped region, should it cause an issue? As you say, if we use IP addresses outside the overlapped region it will definitely cause routing issues.

Is that what you meant? I couldn't figure out your last statement.
 
Your VLAN resides in the IP address block that the ACL is written for, which are the first 62 usable IP addresses, so yes, you are correct.

Burt
 
Also, there are more solutions---add a permit statement for the VLAN IP address(es), or just deny specific IPs in the ACL, and permit ip any any.

Burt
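
Added example (not part of the original thread): a small first-match ACL evaluator with Cisco-style wildcard masks that shows which hosts of the /25 VLAN each ACL variant discussed above matches and which fall through to the implicit deny. The `10.0` prefix stands in for the redacted `xxx.xxx`, and the `permit` action and the denied host `.70` are assumptions, since the thread does not show the ACL itself.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style match: bits set in the wildcard mask are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, addr):
    """First matching entry wins; no match hits the implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action
    return "implicit-deny"

def coverage(acl, subnet):
    """Group every usable host of the VLAN subnet by the ACL outcome."""
    result = {}
    for host in ipaddress.ip_network(subnet).hosts():
        result.setdefault(evaluate(acl, str(host)), []).append(str(host))
    return result

# Constructed values: 10.0 replaces the redacted xxx.xxx; actions are assumed.
VLAN = "10.0.202.0/25"
ACL_AS_POSTED = [("permit", "10.0.202.0", "0.0.0.63")]    # the /26 entry
ACL_REWRITTEN = [("permit", "10.0.202.64", "0.0.0.63")]   # next /26 block
ACL_DENY_SPECIFIC = [                                     # deny one host, permit the rest
    ("deny", "10.0.202.70", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

def summarize(acl):
    """Return {outcome: (first host, last host, host count)} for the VLAN."""
    return {k: (v[0], v[-1], len(v)) for k, v in coverage(acl, VLAN).items()}

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED),
                      ("rewritten", ACL_REWRITTEN),
                      ("deny specific", ACL_DENY_SPECIFIC)):
        print(f"{name:14}", summarize(acl))
```

With a single-entry ACL, moving the entry to the second /26 block shifts the interface addresses .1 and .2 from the matched range into the implicit deny, which is why the outcome depends on the rest of the list and on whether the entries permit or deny.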
 