We're setting up a network with several ICX switches. We've got several VLANs configured, each one associated with a virtual interface. Below is the configuration for VLANs 10 and 20 and their VEs:
vlan 10 name A by port
tagged ethe 1/2/3 ethe 1/2/5 ethe 2/1/32 ethe 2/2/3 ethe 2/2/5
untagged ethe 1/1/48
router-interface ve 10
!
vlan 20 name B by port
tagged ethe 1/2/3 ethe 1/2/5 ethe 2/1/32 ethe 2/2/3 ethe 2/2/5
untagged ethe 1/1/4 to 1/1/6 ethe 2/1/4 to 2/1/6 ethe 2/1/9 to 2/1/10 ethe 2/1/12 ethe 2/1/17 to 2/1/18 ethe 2/1/21 ethe 2/1/23
router-interface ve 20
!
interface ve 10
ip address 172.16.40.1 255.255.248.0
ip helper-address 1 172.16.17.254
!
interface ve 20
ip address 172.16.16.1 255.255.240.0
Currently, all of the VLANs can talk to each other, but we want to be able to restrict access to network resources on a per-VLAN basis.
I'm trying to set up a layer 3 ACL so that VLAN 10 can *only* be accessed from VLAN 20. So I created the following access lists:
ip access-list extended "A ACL IN"
permit ip 172.16.16.0 0.0.15.255 any
deny ip any any
!
ip access-list extended "A ACL OUT"
permit ip any 172.16.16.0 0.0.15.255
deny ip any any
When adding these ACLs to VE 10:
interface ve 10
 ip access-group "A ACL IN" in
 ip access-group "A ACL OUT" out
Suddenly VLAN 10 can't access anything on VLAN 20 and vice versa. Can anyone see what I'm doing wrong here?
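As an added example (not part of the post above), a small Python model of how wildcard-mask ACLs like these are evaluated against one VLAN 10 to VLAN 20 conversation crossing VE 10, in both directions. It also evaluates the same entries with source and destination swapped, on the assumption that "in" on VE 10 matches packets arriving from VLAN 10 hosts and "out" matches packets leaving VE 10 towards them; the host addresses are constructed samples inside the posted subnets.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" expressed as network + wildcard

def wildcard_match(addr, network, wildcard):
    """ICX/Cisco-style wildcard match: bits set in the wildcard are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def evaluate(acl, src, dst):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# Entries exactly as posted: (action, src_net, src_wildcard, dst_net, dst_wildcard)
ACL_IN_POSTED = [("permit", "172.16.16.0", "0.0.15.255", *ANY), ("deny", *ANY, *ANY)]
ACL_OUT_POSTED = [("permit", *ANY, "172.16.16.0", "0.0.15.255"), ("deny", *ANY, *ANY)]

# Same entries with source and destination swapped (assumption: "in" on VE 10 sees
# packets from VLAN 10 hosts, so their destination must be VLAN 20; "out" sees
# packets towards VLAN 10 hosts, so their source must be VLAN 20).
ACL_IN_SWAPPED = [("permit", *ANY, "172.16.16.0", "0.0.15.255"), ("deny", *ANY, *ANY)]
ACL_OUT_SWAPPED = [("permit", "172.16.16.0", "0.0.15.255", *ANY), ("deny", *ANY, *ANY)]

def ve10_verdicts(acl_in, acl_out, vlan10_host="172.16.40.50", vlan20_host="172.16.20.7"):
    """Verdicts for one VLAN 10 <-> VLAN 20 conversation crossing VE 10.
    Host addresses are constructed samples inside the posted /21 and /20."""
    return {
        "vlan10->vlan20 (ve 10 in)": evaluate(acl_in, vlan10_host, vlan20_host),
        "vlan20->vlan10 (ve 10 out)": evaluate(acl_out, vlan20_host, vlan10_host),
    }

if __name__ == "__main__":
    print("as posted:", ve10_verdicts(ACL_IN_POSTED, ACL_OUT_POSTED))
    print("swapped:  ", ve10_verdicts(ACL_IN_SWAPPED, ACL_OUT_SWAPPED))
```

With the entries as posted, neither direction matches a permit line, so both fall through to the explicit deny, which is the symptom described.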