I can't seem to get Vlan ACLs to work properly. I want to be able to get to servers on the 10.100.x.x network as well as the 10.200.x.x network when I'm connected through the VPN. But, I want to prevent the 10.100.x.x network from seeing 10.200.x.x
Currently, I have 2 Vlans:
interface Vlan111
description "vlan 111"
ip address 10.100.1.1 255.255.255.0
interface Vlan222
description "vlan 222"
ip address 10.200.1.1 255.255.255.0
ip access-group vlan222_acl in
ip access-group vlan222_acl out
And I have 2 servers connected to each VLAN:
!--- the below port is connected to a windows machine with static ip address 10.100.1.10 and gateway 10.100.1.1
interface FastEthernet0/4
description server 1
switchport access vlan 111
switchport mode access
!--- the below port is connected to a windows machine with static ip address 10.200.1.10 and gateway 10.200.1.1
interface FastEthernet0/5
description server 2
switchport access vlan 222
switchport mode access
The problem is when I configure vlan222_acl.
Here is what I enter:
ip access-list extended vlan222_acl
deny icmp 10.100.0.0 255.255.0.0 10.200.0.0 255.255.0.0
But here is what gets applied to the running config:
ip access-list extended vlan222_acl
deny icmp 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
!--- the above line is not what I actually entered in the terminal, for some reason
!--- the source and dest ip addresses are getting replaced with zeros
Because of the above line, everyone now is unable to ping the server at 10.200.1.10. When I remove the line, ie
no deny icmp 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
then I can ping it again.
How can I restrict only 10.100.x.x from being able to ping 10.200.x.x?
Many thanks in advance for the help!
G
Best Answer
You need to reverse your netmasks, i.e., instead of 255.255.0.0 use 0.0.255.255.
Example:
Additionally, you do understand that you need a router between VLAN'd subnets, right? (not trying to sound snotty, I'm just not sure of your experience level)
edit: Is there a reason you're using /24 subnets for address assignment, but /16's for your ACL?
My suggestion would be to toss out the ACL on 222, and put restrictions on the 111 subnet, since that's what you're actually wanting to restrict anyway.
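The two points in the answer (wildcard masks are inverted subnet masks, and the restriction belongs on VLAN 111) can be checked without a switch. The Python below is an added example, not part of the original post or of IOS: it models how IOS stores an access-list entry (address bits under wildcard 1-bits are cleared, which is exactly why 10.100.0.0 255.255.0.0 came back as 0.0.0.0 255.255.0.0), evaluates first-match semantics including the implicit deny that ends every IOS ACL, and renders the corrected ACL. The name vlan111_acl, the trailing permit ip any any and the sample host addresses beyond those in the post are assumptions made for the example.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def to_wildcard(netmask: str) -> str:
    """Invert a subnet mask into the wildcard mask IOS ACLs expect.

    255.255.0.0 -> 0.0.255.255, 255.255.255.0 -> 0.0.0.255.
    """
    return _to_dotted(_to_int(netmask) ^ ALL_ONES)


def ios_normalize(address: str, wildcard: str) -> str:
    """What IOS writes to running-config for an address/wildcard pair.

    Wildcard 1-bits are "don't care", so those bits of the address are
    cleared on entry. 10.100.0.0 with the (wrong) wildcard 255.255.0.0
    therefore shows up as 0.0.0.0: the first two octets were thrown away.
    """
    return _to_dotted(_to_int(address) & ~_to_int(wildcard))


def ace_matches(address: str, wildcard: str, host: str) -> bool:
    """True if host falls inside the address/wildcard pair of an ACE."""
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(address) & care) == (_to_int(host) & care)


class ExtendedAcl:
    """Tiny model of a named extended ACL: ordered ACEs plus implicit deny."""

    def __init__(self, name: str):
        self.name = name
        self.aces = []  # (action, protocol, src, src_wc, dst, dst_wc)

    def add(self, action, protocol, src, src_wc, dst, dst_wc):
        # Store the entry the way IOS will render it back to you.
        self.aces.append((action, protocol,
                          ios_normalize(src, src_wc), src_wc,
                          ios_normalize(dst, dst_wc), dst_wc))

    def render(self) -> str:
        """running-config style output; 0.0.0.0/255.255.255.255 prints as any."""
        lines = [f"ip access-list extended {self.name}"]
        for action, proto, src, src_wc, dst, dst_wc in self.aces:
            s = "any" if src_wc == "255.255.255.255" else f"{src} {src_wc}"
            d = "any" if dst_wc == "255.255.255.255" else f"{dst} {dst_wc}"
            lines.append(f" {action} {proto} {s} {d}")
        return "\n".join(lines)

    def decide(self, protocol, src_host, dst_host) -> str:
        """First matching ACE wins; no match at all is the implicit deny."""
        for action, proto, src, src_wc, dst, dst_wc in self.aces:
            if proto in (protocol, "ip") and ace_matches(src, src_wc, src_host) \
                    and ace_matches(dst, dst_wc, dst_host):
                return action
        return "deny (implicit)"


def broken_acl() -> ExtendedAcl:
    """The ACL from the question, typed with subnet masks instead of wildcards."""
    acl = ExtendedAcl("vlan222_acl")
    acl.add("deny", "icmp", "10.100.0.0", "255.255.0.0", "10.200.0.0", "255.255.0.0")
    return acl


def fixed_acl() -> ExtendedAcl:
    """Assumed fix: restrict VLAN 111 inbound, then permit everything else.

    Without the trailing permit the implicit deny would drop all other
    traffic from VLAN 111, which is what happened to the original ACL.
    """
    acl = ExtendedAcl("vlan111_acl")
    acl.add("deny", "icmp", "10.100.0.0", to_wildcard("255.255.0.0"),
            "10.200.0.0", to_wildcard("255.255.0.0"))
    acl.add("permit", "ip", "0.0.0.0", "255.255.255.255",
            "0.0.0.0", "255.255.255.255")
    return acl


if __name__ == "__main__":
    print(broken_acl().render())
    print(fixed_acl().render())
    # Constructed hosts: the two servers from the post.
    print(broken_acl().decide("icmp", "10.100.1.10", "10.200.1.10"))
    print(fixed_acl().decide("icmp", "10.100.1.10", "10.200.1.10"))
```

Two things the model makes visible: the mangled entry deny icmp 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0 only matches hosts whose last two octets are 0.0, so it never matched the ping from 10.100.1.10 to 10.200.1.10 at all; every ping was dropped by the implicit deny that follows the single deny line. The corrected list would be applied with ip access-group vlan111_acl in on interface Vlan111, where it only sees traffic originating in 10.100.x.x, so VPN clients reaching 10.200.x.x are unaffected by it.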