Access list on RSM interVlan routing?

Discussion in 'Cisco' started by Michael Letchworth, Mar 7, 2005.

  1. I have RSM in a 5509 chassis and I have about 10 VLANs. Does the RSM handle
    access-list out on VLANs differently because it is not a physical interface?
    I can add an "IN" access-list and it works but I can't get an "OUT" to work.
    When I tried access-list 10 deny ip any any and data still passed I knew
    something was different.

    My end goal is to allow a subnet on a vlan to get a DHCP address from our
    server and access block all other subnets except access to the internet. Now
    from another vlan, I need to be able to remote manage the pc on the isolated
    network.
     
    Michael Letchworth, Mar 7, 2005
    #1

  2. In article <H15Xd.4596$ju.250@okepread07>,
    Michael Letchworth wrote:
    :I have RSM in a 5509 chassis and I have about 10 VLANs. Does the RSM handle
    :access-list out on VLANs differently because it is not a physical interface?
    :I can add an "IN" access-list and it works but I can't get an "OUT" to work.
    :When I tried access-list 10 deny ip any any and data still passed I knew
    :something was different.

    access-list 10 would fall in the range of "standard" access lists,
    which do not allow you to specify protocol or destination; e.g.,

    access-list 10 deny any

    If you want finer grained control, you need an extended access list.


    It has been a while since I used an RSM, but perhaps
    a deny 'out' on a VLAN ACL is going to work only on traffic that
    leaves the VLAN -- so traffic that stays in the VLAN might get through?

    --
    "Who Leads?" / "The men who must... driven men, compelled men."
    "Freak men."
    "You're all freaks, sir. But you always have been freaks.
    Life is a freak. That's its hope and glory." -- Alfred Bester, TSMD
     
    Walter Roberson, Mar 7, 2005
    #2

  3. Michael Letchworth wrote:

    > I have RSM in a 5509 chassis and I have about 10 VLANs. Does the RSM
    > handle access-list out on VLANs differently because it is not a
    > physical interface? I can add an "IN" access-list and it works but I
    > can't get an "OUT" to work. When I tried access-list 10 deny ip any
    > any and data still passed I knew something was different.
    >
    > My end goal is to allow a subnet on a vlan to get a DHCP address from
    > our server and access block all other subnets except access to the
    > internet. Now from another vlan, I need to be able to remote manage
    > the pc on the isolated network.


    Syntax is wrong but I'm sure it was a typo. How did you test this?
    Remember that router generated packets are not subject to outbound ACLs.

    So pinging from a router will always work if you only have an outbound
    ACL.

    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Mar 10, 2005
    #3
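
One way to express the goal from the first post as an extended ACL on the RSM, added here as an illustration and not posted by anyone in the thread. The VLAN numbers, subnets, DHCP server address and ACL number are assumptions, as are a TCP-based remote-management tool and a DNS resolver outside 10.0.0.0/8.

```cisco
! Constructed example; every VLAN number and address below is an assumption.
!   VLAN 50   = isolated subnet    10.1.50.0/24
!   VLAN 20   = management subnet  10.1.20.0/24
!   10.1.10.5 = DHCP server, 10.0.0.0/8 = all internal address space
!
! Form from the question: list 10 is in the standard range (1-99), which
! matches on source address only, so "ip any any" does not belong there.
!   access-list 10 deny ip any any
! Standard-list form, as given in reply #2:
!   access-list 10 deny any
!
! Extended list (range 100-199), applied inbound on the isolated SVI.
! DHCP: client broadcasts and unicast renewals, bootpc (68) to bootps (67).
access-list 150 permit udp any eq bootpc any eq bootps
! Replies to TCP sessions opened from the management VLAN. "established"
! matches only segments with ACK or RST set, so VLAN 50 cannot initiate.
access-list 150 permit tcp 10.1.50.0 0.0.0.255 10.1.20.0 0.0.0.255 established
! Block every other internal destination and log hits for verification.
access-list 150 deny ip any 10.0.0.0 0.255.255.255 log
! What remains is non-internal, i.e. internet-bound.
access-list 150 permit ip 10.1.50.0 0.0.0.255 any
!
interface Vlan50
 ip address 10.1.50.1 255.255.255.0
 ip helper-address 10.1.10.5
 ip access-group 150 in
!
! Verify from a host in VLAN 50, not from the RSM console: packets the
! router itself generates are not checked by an outbound ACL (reply #3).
!   show access-lists 150
!   show ip interface Vlan50
```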