«

I have RSM in a 5509 chassis and I have about 10 vlans. Does the RSM handle
access-list out on vlan's different because it is not a physical interface.
I can add a "IN" access-list and it works but I can't get an "OUT" to work.
When I tried access-list 10 deny ip any any and data still passed I knew
something was different.

My end goal is to allow a subnet on a vlan to get a DHCP address from our
server and access block all other subnets except access to the internet. Now
from another vlan, I need to be able to remote manage the pc on the isolated
network.

In article <H15Xd.4596$ju.250@okepread07>,
Michael Letchworth <> wrote:
:I have RSM in a 5509 chassis and I have about 10 vlans. Does the RSM handle
:access-list out on vlan's different because it is not a physical interface.
:I can add a "IN" access-list and it works but I can't get an "OUT" to work.
:When I tried access-list 10 deny ip any any and data still passed I knew
:something was different.

access-list 10 would fall in the range of "standard" access lists,
which do not allow you to specify protocol or destination; e.g.,

access-list 10 deny any

If you want finer grained control, you need an extended access list.


It has been awhile since I used an RSM, but perhaps
a deny 'out' on an VLAN ACL is going to work only on traffic that
leaves the VLAN -- so traffic that stays in the VLAN might get through?

--
"Who Leads?" / "The men who must... driven men, compelled men."
"Freak men."
"You're all freaks, sir. But you always have been freaks.
Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD

Michael Letchworth wrote:

> I have RSM in a 5509 chassis and I have about 10 vlans. Does the RSM
> handle access-list out on vlan's different because it is not a
> physical interface. I can add a "IN" access-list and it works but I
> can't get an "OUT" to work. When I tried access-list 10 deny ip any
> any and data still passed I knew something was different.
>
> My end goal is to allow a subnet on a vlan to get a DHCP address from
> our server and access block all other subnets except access to the
> internet. Now from another vlan, I need to be able to remote manage
> the pc on the isolated network.

Syntax is wrong but I'm sure it was a typo. How did you test this?
remember that router generated packets are not subject to outbound ACLs.

So pinging from a router will always work if you only have an outbout
ACL.

--

hsb


"Somehow I imagined this experience would be more rewarding" Calvin
**************************ROT13 MY ADDRESS*************************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
************************************************** ******************