8212zl ACL Problem (307 Views)
Occasional Contributor
airport_guy
Posts: 10
Registered: 06-27-2013
Message 1 of 6 (307 Views)

8212zl ACL Problem

We have an 8212zl connected to multiple 2910zl network switches.  We use the 8212zl as our core switch to perform all routing.  When I try to apply an ACL (access control list) on the 8212zl VLAN 226 to block all traffic except from itself and VLAN 213, none of the traffic will block.  Here is an example of the ACL:


ip access-list standard "VLAN226IN"
5 permit 172.20.213.0 0.0.0.255
10 permit 172.20.226.0 0.0.0.255
15 deny 0.0.0.0 255.255.255.255
exit


The VLAN has the following configuration:

vlan 226
name "VLAN226"
tagged A5,Trk1
ip access-group "VLAN226IN" in
ip access-group "VLAN226IN" out
ip access-group "VLAN226IN" vlan
ip address 172.20.226.1 255.255.255.0
ip igmp
ip rip 172.20.226.1
exit


Does anyone have any ideas on what is happening?

Trusted Contributor
Vince_Whirlwind
Posts: 401
Registered: 02-25-2013
Message 2 of 6 (300 Views)

Re: 8212zl ACL Problem

I think you should have:


ip access-list extended "VLAN226IN"
5 permit ip 172.20.213.0 0.0.0.255 172.20.226.0 0.0.0.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

ip access-list extended "VLAN226OUT"
10 permit ip 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

vlan 226
name "VLAN226"
ip access-group "VLAN226IN" out
ip access-group "VLAN226OUT" in

Occasional Contributor
airport_guy
Posts: 10
Registered: 06-27-2013
Message 3 of 6 (280 Views)

Re: 8212zl ACL Problem

Here is what I currently have.  All my other VLANs can still talk to this VLAN for some reason.  I also tried applying VLAN226IN to in and VLAN226OUT to out and that did nothing as well.


ip access-list extended "VLAN226IN"
5 permit ip 172.20.20.13 0.0.0.255 172.20.226.0 0.0.0.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "VLAN226OUT"
10 permit ip 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit


vlan 226
name "VLAN226"
tagged A5,Trk1
ip access-group "VLAN226OUT" in
ip access-group "VLAN226IN" out
ip address 172.20.226.1 255.255.255.0
ip igmp
ip rip 172.20.226.1


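To check what the two extended ACLs above actually match before blaming the switch, here is a small added evaluator (not from the thread or HP). It parses the entries as posted, applies ProCurve-style wildcard masks (a 1 bit means "don't care") with first-match semantics and a trailing implicit deny, and reports which entry a given source/destination pair hits. The ACL text is a constructed copy of message 3; the sample addresses are assumptions.

```python
import ipaddress

# Constructed copy of the two extended ACLs from message 3 above, as typed there.
ACL_TEXT = """
ip access-list extended "VLAN226IN"
5 permit ip 172.20.20.13 0.0.0.255 172.20.226.0 0.0.0.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
ip access-list extended "VLAN226OUT"
10 permit ip 172.20.226.0 0.0.0.255 0.0.0.0 255.255.255.255
15 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
"""


def parse_acls(text):
    """Return {acl_name: [(seq, action, src, src_wc, dst, dst_wc), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "exit":
            continue
        if parts[:2] == ["ip", "access-list"]:
            current = parts[3].strip('"')
            acls[current] = []
            continue
        seq, action, _proto, src, swc, dst, dwc = parts  # "<seq> permit|deny ip ..."
        acls[current].append((int(seq), action, src, swc, dst, dwc))
    return acls


def wildcard_match(addr, base, wildcard):
    """Wildcard compare: bits set in the wildcard are ignored, the rest must equal."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def evaluate(acl, src, dst):
    """First matching entry (by sequence number) wins; no match is an implicit deny."""
    for seq, action, s, swc, d, dwc in sorted(acl):
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    # Host from message 5 (VLAN 100) towards the VLAN 226 gateway: hits the deny.
    print(evaluate(acls["VLAN226IN"], "172.20.100.5", "172.20.226.1"))
    # A VLAN 213 host: entry 5 as typed covers 172.20.20.0/24, so this is denied too.
    print(evaluate(acls["VLAN226IN"], "172.20.213.10", "172.20.226.50"))
```

Run with the posted text, the 172.20.100.5 -> 172.20.226.1 flow from the traceroute lands on the explicit deny, so an ACL that is in the forwarding path should have dropped it; the second check shows entry 5 as typed does not cover 172.20.213.0/24.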
Trusted Contributor
Vince_Whirlwind
Posts: 401
Registered: 02-25-2013
Message 4 of 6 (276 Views)

Re: 8212zl ACL Problem

Do a traceroute. I wonder if your inter-VLAN routing has happened somewhere else?

Occasional Contributor
airport_guy
Posts: 10
Registered: 06-27-2013
Message 5 of 6 (274 Views)

Re: 8212zl ACL Problem

This is my output:

 

C:\Users\Administrator>ipconfig

 

Windows IP Configuration

 

Ethernet adapter Local Area Connection:

 

   Connection-specific DNS Suffix  . :   

   IPv4 Address. . . . . . . . . . . : 172.20.100.5   

   Subnet Mask . . . . . . . . . . . : 255.255.255.0   

   Default Gateway . . . . . . . . . : 172.20.100.1

 

Tunnel adapter Local Area Connection* 9:

 

   Media State . . . . . . . . . . . : Media disconnected   

   Connection-specific DNS Suffix  . :

 

C:\Users\Administrator>tracert 172.20.226.1

 

Tracing route to 172.20.226.1 over a maximum of 30 hops

 

  1     1 ms     1 ms     1 ms  172.20.226.1

 

Trace complete.

 

C:\Users\Administrator>

Trusted Contributor
Vince_Whirlwind
Posts: 401
Registered: 02-25-2013
Message 6 of 6 (271 Views)

Re: 8212zl ACL Problem

.1 is presumably the address on the core switch. How about tracerouting to something further in the .226 network?
