Wired Intelligent Edge (Campus Switching and Routing)


VLAN-level ACLs still allow ping to VLAN IP address

I've set up two VLANs with extended ACLs - one at each campus - that I need to be able to communicate with each other but not allow traffic inside or outside. However, although within the VLANs the traffic seems to be allowed and denied as expected, I can still ping the VLAN IP address of the core switch (but not others) for each VLAN from my desktop, which is on a different IP range and VLAN.

VLAN 41 is at one campus, VLAN 1041 is at the other (so they don't coexist on any switch) with routing between. I've tried ip access-group in, out and vlan(-in) options on the VLANs (in & out shown configured below). Adding explicit deny ip all all rules made no difference (as you'd expect given there is an implicit deny all rule in the)

Is it normal for pings to still work on the VLAN IP addresses despite the ACLs being configured to deny this?

Campus 1:

vlan 41
name "L41TEST2"
tagged [various ports/trunks]
ip address 10.41.0.1 255.255.248.0
ip access-group "Test_ACL2" in
ip access-group "Test_ACL2" out
ip igmp
exit

ip access-list extended "Test_ACL2"
10 permit ip 10.41.0.0 0.0.7.255 10.169.0.0 0.0.7.255
20 permit ip 10.41.0.0 0.0.7.255 10.41.0.0 0.0.7.255
30 permit ip 10.169.0.0 0.0.7.255 10.41.0.0 0.0.7.255
40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit

Campus 2:

vlan 1041
name "TCL41TEST2"
tagged [various ports/trunks]
ip address 10.169.0.1 255.255.248.0
ip access-group "Test_ACL2" in
ip access-group "Test_ACL2" out
ip igmp
exit

ip access-list extended "Test_ACL2"
10 permit ip 10.41.0.0 0.0.7.255 10.169.0.0 0.0.7.255
20 permit ip 10.169.0.0 0.0.7.255 10.169.0.0 0.0.7.255
30 permit ip 10.169.0.0 0.0.7.255 10.41.0.0 0.0.7.255
40 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
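To separate what the ACL decides from where the switch applies it, here is an added Python model (not code from the thread or from Aruba) that evaluates the Campus 1 Test_ACL2 with first-match and wildcard-mask semantics over a few constructed flows; 10.50.0.10 is a made-up stand-in for the desktop on a third VLAN. On its own the ACL denies the desktop's ping to 10.41.0.1, so the behaviour in the question comes down to whether a packet arriving from another VLAN and terminating at the switch's own interface address is ever submitted to an ACL attached to VLAN 41 (in, out or vlan-in), which this model does not decide and which the platform's ACL documentation should be checked for.

```python
import ipaddress

# Constructed copy of the Campus 1 "Test_ACL2" from the post:
# (sequence, action, source, source-wildcard, destination, destination-wildcard)
TEST_ACL2 = [
    (10, "permit", "10.41.0.0",  "0.0.7.255",       "10.169.0.0", "0.0.7.255"),
    (20, "permit", "10.41.0.0",  "0.0.7.255",       "10.41.0.0",  "0.0.7.255"),
    (30, "permit", "10.169.0.0", "0.0.7.255",       "10.41.0.0",  "0.0.7.255"),
    (40, "deny",   "0.0.0.0",    "255.255.255.255", "0.0.0.0",    "255.255.255.255"),
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'.
    0.0.7.255 therefore covers a /21, the same size as the 255.255.248.0 interface mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def evaluate(acl, src: str, dst: str):
    """First-match evaluation of an 'ip' ACL on source/destination only.
    Returns (matching sequence number, action); sequence None means the
    packet fell through every entry to the implicit deny."""
    for seq, action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq, action
    return None, "deny"

def trace(acl, flows):
    """Evaluate each (label, src, dst) flow and return {label: (seq, action)}."""
    return {label: evaluate(acl, src, dst) for label, src, dst in flows}

# Constructed sample flows; 10.50.0.10 stands in for the desktop on a third VLAN.
FLOWS = [
    ("campus1 -> campus2",     "10.41.3.7",   "10.169.0.20"),
    ("campus2 -> campus1",     "10.169.0.20", "10.41.3.7"),
    ("campus1 -> own gateway", "10.41.3.7",   "10.41.0.1"),
    ("campus1 -> internet",    "10.41.3.7",   "203.0.113.5"),
    ("outside /21 boundary",   "10.41.8.4",   "10.169.0.20"),
    ("desktop -> VLAN 41 IP",  "10.50.0.10",  "10.41.0.1"),
]

if __name__ == "__main__":
    for label, (seq, action) in trace(TEST_ACL2, FLOWS).items():
        print(f"{label:24s} rule {seq}: {action}")
    # Dropping the explicit rule 40 changes nothing: the implicit deny covers it.
    assert trace(TEST_ACL2[:-1], FLOWS)["desktop -> VLAN 41 IP"] == (None, "deny")
```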
