Hello, I have a 1544 in production with 7 VLANs built: VLANs 9, 26, 100, 105, 204, 165 and 166. I need to make sure VLAN 9 denies all traffic that originates from VLANs 26, 165 and 204. I need to make sure VLAN 26 denies all requests originating from VLANs 9, 166 and 204. Basically, I do not want any machines in VLAN 26, 165 or 204 to be able to ping VLAN 9, or any machines in VLAN 9, 166 or 204 to be able to ping VLAN 26. I am trying to do this with hardware ACLs. Below are the VLANs and ACLs. I am just trying to get this config verified before I add these ACLs to the working 1544. Thanks
!
!
interface vlan 9
description Probate
ip address 192.168.9.254 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 26
description Revenue_Commission
ip address 192.168.26.253 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 100
description Courthouse_Voice
ip address 192.168.100.254 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 105
description Goverment_BLDG_P2P
ip address 10.10.10.2 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 165
description Rev_Public_Lan
ip address 192.168.165.1 255.255.255.252
ip route-cache express
no shutdown
!
interface vlan 166
description Rev_Public_Lan
ip address 192.168.166.1 255.255.255.252
ip route-cache express
no shutdown
!
interface vlan 204
description Courthouse_Wlan
ip address 192.168.204.254 255.255.255.0
ip route-cache express
no shutdown
!
!
ip hw-access-list extended HW-BLOCK-VLANS_9
deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.165.0 0.0.0.255 192.168.9.0 0.0.0.7
permit ip any any
!
ip hw-access-list extended HW-BLOCK-VLANS_26
deny ip 192.168.204.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.166.0 0.0.0.255 192.168.9.0 0.0.0.7
permit ip any any
!
!
hw-access-map MY-HW-MAP-9
forward ip HW-BLOCK-VLANS_9
vlans 26,165,204
!
hw-access-map MY-HW-MAP-26
forward ip HW-BLOCK-VLANS_26
vlans 9,166,204
The configuration you pasted above is different from the one you sent originally.
hw-access-map MY-HW-MAP-26
forward ip HW-BLOCK-VLANS_26
vlans 9,166,204
Levi
Thank you for asking this question in the support community. The configuration appears to be correct for what you are attempting to accomplish. Here is the Configuring Hardware ACLs in AOS guide for reference. Please do not hesitate to reply to this post with any additional questions or information. I will be happy to help in any way I can.
Levi
Levi, I must have missed something. Even with the ACLs applied I can still ping interface VLAN 9 from a source of interface VLAN 26, which I am trying to deny. See the running config below:
interface vlan 1
no ip address
ip route-cache express
no shutdown
!
interface vlan 9
description Probate
ip address 192.168.9.254 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 26
description Revenue_Commission
ip address 192.168.26.253 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 100
description Courthouse_Voice
ip address 192.168.100.254 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 105
description Goverment_BLDG_P2P
ip address 10.10.10.2 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 165
description Rev_Public_Lan
ip address 192.168.165.1 255.255.255.252
ip route-cache express
no shutdown
!
interface vlan 166
description Probate_Public_Lan
ip address 192.168.166.1 255.255.255.252
ip route-cache express
no shutdown
!
interface vlan 204
description Courthouse_Wlan
ip address 192.168.204.254 255.255.255.0
ip route-cache express
no shutdown
!
!
!
ip hw-access-list extended HW-BLOCK-VLANS_26
deny ip 192.168.204.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.166.0 0.0.0.7 192.168.9.0 0.0.0.255
permit ip any any
!
ip hw-access-list extended HW-BLOCK-VLANS_9
deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.165.0 0.0.0.7 192.168.26.0 0.0.0.255
permit ip any any
!
hw-access-map MY-HW-MAP-26
forward ip HW-BLOCK-VLANS_26
!
hw-access-map MY-HW-MAP-9
vlans 26,165,204
forward ip HW-BLOCK-VLANS_9
!
!
!
!
!
end
Courthouse_1544_SW1#ping 192.168.26.253 source 192.168.9.254
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
'*' = Request timed out, '-' = Destination host unreachable
'x' = TTL expired in transit, 'e' = Unknown error
Sending 5, 100-byte ICMP Echos to 192.168.26.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#ping 192.168.9.254 source 192.168.26.253
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
'*' = Request timed out, '-' = Destination host unreachable
'x' = TTL expired in transit, 'e' = Unknown error
Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#
Thanks Levi, I have corrected the config and applied it to the 1544. Not sure what I am missing, but I can still ping VLAN 26 from 9 and 9 from 26. The only difference in the config below is that I do not have the ACLs applied to VLAN 204 yet, so I would not think that would affect the outcome of the ping test. Do you see what I have wrong in the configuration? Below is an output from the running config:
!
interface vlan 1
no ip address
ip route-cache express
no shutdown
!
interface vlan 9
description Probate
ip address 192.168.9.254 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 26
description Revenue_Commission
ip address 192.168.26.253 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 100
description Courthouse_Voice
ip address 192.168.100.254 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 105
description Goverment_BLDG_P2P
ip address 10.10.10.2 255.255.255.0
ip route-cache express
no shutdown
!
interface vlan 165
description Rev_Public_Lan
ip address 192.168.165.1 255.255.255.252
ip route-cache express
no shutdown
!
interface vlan 166
description Probate_Public_Lan
ip address 192.168.166.1 255.255.255.252
ip route-cache express
no shutdown
!
interface vlan 204
description Courthouse_Wlan
ip address 192.168.204.254 255.255.255.0
ip route-cache express
no shutdown
!
!
ip hw-access-list extended HW-BLOCK-VLANS_26
deny ip 192.168.204.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.166.0 0.0.0.7 192.168.26.0 0.0.0.255
permit ip any any
!
ip hw-access-list extended HW-BLOCK-VLANS_9
deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.165.0 0.0.0.7 192.168.9.0 0.0.0.255
permit ip any any
!
hw-access-map MY-HW-MAP-26
vlans 9,166
forward ip HW-BLOCK-VLANS_26
!
hw-access-map MY-HW-MAP-9
vlans 26,165
forward ip HW-BLOCK-VLANS_9
!
!
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip route 192.168.200.0 255.255.255.0 10.10.10.1
!
!
!
!
end
Courthouse_1544_SW1#ping 192.168.9.254 source 192.168.26.253
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
'*' = Request timed out, '-' = Destination host unreachable
'x' = TTL expired in transit, 'e' = Unknown error
Sending 5, 100-byte ICMP Echos to 192.168.9.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#ping 192.168.26.253 source 192.168.9.254
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
'*' = Request timed out, '-' = Destination host unreachable
'x' = TTL expired in transit, 'e' = Unknown error
Sending 5, 100-byte ICMP Echos to 192.168.26.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
Courthouse_1544_SW1#
Thanks, that is correct. Pings from the LAN do not work.
Thx for your help
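The two things this thread turns on are how a wildcard mask selects addresses and which traffic an access map actually evaluates. The following is an added Python example (not code from the thread, from Adtran, or from AOS) that reproduces the matching logic over the poster's final two lists and maps. It assumes, as labelled in the code, that a hardware access map filters packets entering the switch on its listed VLANs and does not see traffic the switch itself sources (the `ping ... source <SVI>` tests); the final reply, where pings from LAN hosts fail while the switch's own pings succeeded, is consistent with that assumption, but confirm it against the AOS hardware ACL guide for your release. The host addresses 192.168.26.10 and 192.168.9.10 used below are constructed test values.

```python
"""Wildcard-mask ACL and access-map simulation for the thread's configuration.

Added example, not AOS code. ASSUMPTION: access maps evaluate packets that
enter on one of their listed VLANs; switch-generated traffic bypasses them.
"""
import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """AOS/Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def mask_to_wildcard(subnet_mask: str) -> str:
    """Wildcard that covers exactly one subnet, e.g. /30 -> 0.0.0.3."""
    return str(ipaddress.IPv4Address(~ip_int(subnet_mask) & 0xFFFFFFFF))


def wildcard_hosts(wildcard: str) -> int:
    """Number of addresses a base/wildcard pair matches (0.0.0.7 -> 8)."""
    return 1 << bin(ip_int(wildcard)).count("1")


def parse_acl(text: str):
    """Parse 'deny|permit ip SRC SRC_WC DST DST_WC' lines; 'any' expands to 0.0.0.0/255.255.255.255."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        fields, norm, i = parts[2:], [], 0
        while i < len(fields):
            if fields[i] == "any":
                norm += ["0.0.0.0", "255.255.255.255"]
                i += 1
            else:
                norm += fields[i:i + 2]
                i += 2
        entries.append((parts[0], *norm))
    return entries


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


# The two lists from the poster's final running config.
HW_BLOCK_VLANS_26 = parse_acl("""
deny ip 192.168.204.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.9.0 0.0.0.255 192.168.26.0 0.0.0.255
deny ip 192.168.166.0 0.0.0.7 192.168.26.0 0.0.0.255
permit ip any any
""")
HW_BLOCK_VLANS_9 = parse_acl("""
deny ip 192.168.204.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.26.0 0.0.0.255 192.168.9.0 0.0.0.255
deny ip 192.168.165.0 0.0.0.7 192.168.9.0 0.0.0.255
permit ip any any
""")

# Access maps as in the final config: list applied to traffic entering on these VLANs.
ACCESS_MAPS = {
    "MY-HW-MAP-26": ({9, 166}, HW_BLOCK_VLANS_26),
    "MY-HW-MAP-9": ({26, 165}, HW_BLOCK_VLANS_9),
}


def ingress_decision(ingress_vlan, src: str, dst: str) -> str:
    """Decision for a packet entering on ingress_vlan; None models switch-sourced
    traffic, which under the stated assumption no access map inspects."""
    if ingress_vlan is None:
        return "not filtered (switch-originated)"
    for vlans, acl in ACCESS_MAPS.values():
        if ingress_vlan in vlans:
            return evaluate(acl, src, dst)
    return "permit"  # VLAN has no access map


if __name__ == "__main__":
    # Host in VLAN 26 (constructed address) pinging the VLAN 9 SVI: blocked.
    print(ingress_decision(26, "192.168.26.10", "192.168.9.254"))
    # The switch's own 'ping 192.168.9.254 source 192.168.26.253': never filtered.
    print(ingress_decision(None, "192.168.26.253", "192.168.9.254"))
    # First-post defect: destination wildcard 0.0.0.7 on a /24 covers only 8 addresses.
    print(wildcard_match("192.168.9.254", "192.168.9.0", "0.0.0.7"), wildcard_hosts("0.0.0.7"))
    # VLAN 165 is a /30, so the exact wildcard is 0.0.0.3; 0.0.0.7 is wider than needed.
    print(mask_to_wildcard("255.255.255.252"))
```

Running the module shows the deny for host traffic next to the unfiltered verdict for the switch's own pings, which is why testing a VLAN access map with `ping ... source <SVI>` from the 1544 says nothing about whether hosts are blocked; test from a host in the VLAN, as the final reply did. It also quantifies the first post's `192.168.9.0 0.0.0.7` destination: that wildcard matches 192.168.9.0 through .7 only, so a ping to 192.168.9.254 would fall through to `permit ip any any`.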