05-28-2024 06:27 AM - edited 05-28-2024 06:35 AM
I am not an expert in setting up ACLs, but I have a good understanding of the basics. However, I feel like I might be missing something.
I have set up a new VLAN to provide direct internet access while blocking communication to other VLANs and on-premises devices.
The primary issue I am having is that I can still ping and access certain IP addresses even though the traffic should be denied. For example, on the OUT ACL I have the 10.0.0.0/8 subnet set to deny anything, but I can still ping the following IPs, which I'm assuming are other virtual interfaces: 10.200.16.2, 10.8.1.2, 10.8.1.49. I also have 172.0.0.0/8 set to deny, and I can ping some printers and other devices with the following IPs: 172.20.0.2, 172.20.1.5, 172.20.210.165, 172.20.100.98.
I even set a deny ip any any at the first sequence of the IN and OUT ACLs to test, and I can still ping these devices, but I can't get to anything else. One other thing I cannot figure out is that it seems like no matter what I add on the IN ACL it doesn't affect traffic; the only entry is an implicit deny, and even if I specifically enter deny ip 10.30.1.0 0.0.0.255 any or entries for the specific IP addresses I can ping, traffic still passes out of the interface.
Switches are C9200L-48P.
Here is the VLAN config:
interface Vlan30
description GuestWired
ip address 10.30.1.1 255.255.255.0
ip helper-address 172.20.0.x
ip access-group GuestWired-IN in
ip access-group GuestWired-OUT out
Here's the IN ACL:
Extended IP access list GuestWired-IN
999 deny ip any any
Here's the OUT ACL:
Extended IP access list GuestWired-OUT
10 deny ip 172.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 192.0.0.0 0.255.255.255 any
999 permit ip any any
05-30-2024 12:11 AM
This is the same as your topology (as we know).
Now R3's GW is 10.0.0.1 and R4's GW is 20.0.0.1.
When I ping from R3 to R4 you see success; then after I apply the ACL
ip access-list extended ICMP
deny icmp host 10.0.0.100 host 20.0.0.100
the ping failed.
And you can see that when I do a traceroute from R3 to R4 I must see the GW as the first hop; if you see another hop then the ACL is not working, because the routing is done via another L3 interface.
MHM
05-28-2024 08:04 AM
You need to understand the ACL first:
In -- when you are running traffic coming INTO the interface through an ACL.
Out -- when you are running traffic leaving the interface through an ACL.
So flip the ACL and test it as below:
interface Vlan30
ip access-group GuestWired-IN out
ip access-group GuestWired-OUT in
I have addressed only what is related to the ACL.
Switch or router ACLs are not stateful, so you need to allow the traffic when it returns from outside to inside (if you need to allow it).
deny any any denies everything. You need to adjust the ACL according to what needs to be permitted.
05-28-2024 08:40 AM
I'll give that a shot. I was under the impression that the IN ACL was for traffic originating from inside the VLAN going out, and OUT was for traffic originating from outside going to the inside.
05-28-2024 09:08 AM
It didn't work, I can still ping the devices. There should be an implicit deny at the end of the ACL, and deny any any isn't a recognized command; not sure if my device supports it. I re-added deny ip any any to the first sequence of both ACLs so that's what is processed first, and I can still ping the devices.
05-28-2024 10:12 AM
First, share show ip access-list.
Second, from which IP are you testing the ping, and to which IP?
MHM
05-29-2024 04:42 AM
I changed the ACL back to the original I had; just for clarity, inbound has the IN ACL and outbound has the OUT ACL.
Here's what the access list is configured as at the moment:
Extended IP access list GuestWired-IN
10 deny ip any 172.0.0.0 0.255.255.255
20 deny ip any 10.0.0.0 0.255.255.255 (72 matches)
30 deny ip any 192.0.0.0 0.255.255.255
50 permit ip any any (17 matches)
999 deny ip any any (19 matches)
Extended IP access list GuestWired-OUT
10 deny ip 172.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 192.0.0.0 0.255.255.255 any
999 deny ip any any
I'm pinging from a laptop connected to VLAN 30 with an IP address of 10.30.1.12.
I'm doing a constant ping on 172.25.210.12 and 10.200.16.2; currently the 172 address is being denied, but I can ping the 10.200.16.2 address.
Here's roughly how the network is set up:
05-29-2024 04:55 AM
20 deny ip any 10.0.0.0 0.255.255.255 (72 matches)
Remove the above and add
20 deny ip any 10.200.16.0 0.0.0.255
The line must be 20, or at least less than 50 (the permit any any).
MHM
05-29-2024 05:07 AM
I made the change, no luck, I can still ping 10.200.16.2.
Extended IP access list GuestWired-IN
10 deny ip any 172.0.0.0 0.255.255.255
20 deny ip any 10.200.16.0 0.0.0.255
30 deny ip any 192.0.0.0 0.255.255.255
50 permit ip any any (56 matches)
999 deny ip any any (19 matches)
Extended IP access list GuestWired-OUT
10 deny ip 172.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 192.0.0.0 0.255.255.255 any
999 deny ip any any
Here is a ping from the switch as well, sourced from that VLAN:
#ping 10.200.16.2 source Vlan30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.16.2, timeout is 2 seconds:
Packet sent with a source address of 10.30.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
05-29-2024 05:14 AM
To test the ACL you need to use a device connected to that VLAN, not the VLAN SVI; the VLAN SVI bypasses any ACL applied under it.
MHM
05-29-2024 05:24 AM
In my network setup, I won't be able to connect directly to that layer 3 stack on a port configured with VLAN 30. The layer 2 switch stack is in another building, where the laptop is connected to a Meraki switch with the port configured with VLAN 30. I don't know why the network was designed this way; this is just what I'm working with from previous sysadmins. Is there a different way I should approach this?
05-29-2024 05:40 AM
It is only for testing, and it should be done with a laptop connected to the L3 SW or to the far L2 SW.
Sorry for that, but that makes us sure our config is correct.
MHM
05-29-2024 05:43 AM
OK, gotcha, I'll be heading over to that building soon.
05-29-2024 05:45 AM
Take your time, and your ACL direction is OK, but the wildcard you use for the subnet is not correct.
That's all.
Good luck, friend, in your task.
MHM
05-29-2024 07:03 AM
I just set up the laptop on an access interface with VLAN 30 on the core stack. I can still ping the 10.200 address, but if I apply the ACL to the port itself it blocks the pings and traffic, and works as expected, including blocking the other subnets I have entered, like the 172.0.0.0/8 subnet. It seems the issue is isolated to the ACL being applied to the VLAN interface.
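As an added check (example code written for this editorial pass, not posted by anyone in the thread): the two access lists quoted above on 05-29-2024 04:42 AM can be evaluated offline with the same first-match, implicit-deny semantics IOS uses. Run against the laptop's ping from 10.30.1.12 to 10.200.16.2, the GuestWired-IN list denies the echo request at sequence 20, and the GuestWired-OUT list (which ends in deny ip any any) would drop the echo reply as well, so the entries themselves are not what lets the ping through. The block also encodes the direction rule for an SVI (a packet sourced by a host on the VLAN is checked by the inbound list; a packet routed toward the VLAN is checked by the outbound list) and includes a constructed alternative that denies only the RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16): the posted 172.0.0.0/8 and 192.0.0.0/8 entries are supersets of those and also block public addresses in 172.x and 192.x, which matters for a guest VLAN meant to reach the internet. The addresses 203.0.113.10 (documentation range) and 172.100.0.1 (public space, outside 172.16.0.0/12) are constructed placeholders, not hosts from the thread.

```python
"""Offline evaluator for Cisco IOS extended ACLs as printed by `show ip access-lists`:
entries are tried in sequence order, first match wins, anything unmatched hits the
implicit deny. Only protocol and addresses are interpreted (enough for ping tests)."""
import re
from dataclasses import dataclass

def ip2int(addr):
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise "icmp", "tcp", ...
    src: tuple    # (address, wildcard) as ints; a 1 bit in the wildcard means "don't care"
    dst: tuple

def _parse_addr(tok):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD'); return (spec, rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (ip2int(tok[1]), 0), tok[2:]
    return (ip2int(tok[0]), ip2int(tok[1])), tok[2:]

def parse_acls(show_output):
    """Parse show output into {name: [Ace, ...]} sorted by sequence number."""
    acls, current = {}, None
    for raw in show_output.splitlines():
        line = re.sub(r"\(.*?\)", "", raw).strip()   # drop "(72 matches)" hit counters
        if not line:
            continue
        header = re.match(r"Extended IP access list (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        tok = line.split()
        src, rest = _parse_addr(tok[3:])
        dst, _ = _parse_addr(rest)   # ports / icmp types / 'log' after this are ignored
        current.append(Ace(int(tok[0]), tok[1].lower(), tok[2].lower(), src, dst))
    for entries in acls.values():
        entries.sort(key=lambda a: a.seq)
    return acls

def _match(spec, addr):
    base, wildcard = spec
    return (addr & ~wildcard) == (base & ~wildcard)

def evaluate(acl, proto, src, dst):
    """(action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and _match(ace.src, s) and _match(ace.dst, d):
            return ace.action, ace.seq
    return "deny", None

def svi_direction(src, dst, vlan_net):
    """'in' if the routed packet arrives from a host on the VLAN, 'out' if it is routed
    toward the VLAN, None if the VLAN is not involved."""
    if _match(vlan_net, ip2int(src)):
        return "in"
    if _match(vlan_net, ip2int(dst)):
        return "out"
    return None

# The two lists exactly as posted in the thread on 05-29-2024 04:42 AM.
THREAD_ACLS = parse_acls("""
Extended IP access list GuestWired-IN
10 deny ip any 172.0.0.0 0.255.255.255
20 deny ip any 10.0.0.0 0.255.255.255 (72 matches)
30 deny ip any 192.0.0.0 0.255.255.255
50 permit ip any any (17 matches)
999 deny ip any any (19 matches)
Extended IP access list GuestWired-OUT
10 deny ip 172.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 192.0.0.0 0.255.255.255 any
999 deny ip any any
""")
# Constructed alternative (not from the thread): deny only the RFC 1918 blocks, not whole /8s.
RFC1918_IN = parse_acls("""
Extended IP access list GuestWired-IN-rfc1918
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
50 permit ip any any
""")["GuestWired-IN-rfc1918"]
VLAN30 = (ip2int("10.30.1.0"), ip2int("0.0.0.255"))   # interface Vlan30, 10.30.1.1/24

def check_thread_flows():
    """The laptop's ping from the thread, plus constructed public destinations
    203.0.113.10 (documentation range) and 172.100.0.1 (outside 172.16.0.0/12)."""
    laptop, target = "10.30.1.12", "10.200.16.2"
    acl_in, acl_out = THREAD_ACLS["GuestWired-IN"], THREAD_ACLS["GuestWired-OUT"]
    return {
        "echo_request_direction": svi_direction(laptop, target, VLAN30),
        "echo_request_IN": evaluate(acl_in, "icmp", laptop, target),
        "echo_reply_OUT": evaluate(acl_out, "icmp", target, laptop),
        "internet_IN": evaluate(acl_in, "icmp", laptop, "203.0.113.10"),
        "internet_reply_OUT": evaluate(acl_out, "icmp", "203.0.113.10", laptop),
        "public_172_posted": evaluate(acl_in, "icmp", laptop, "172.100.0.1"),
        "public_172_rfc1918": evaluate(RFC1918_IN, "icmp", laptop, "172.100.0.1"),
    }
```

Printing check_thread_flows() gives ('deny', 20) for the echo request on the IN list and ('deny', 20) for the echo reply on the OUT list, ('permit', 50) for the laptop's packet toward 203.0.113.10 but ('deny', 999) for the reply coming back, and ('deny', 10) versus ('permit', 50) for 172.100.0.1 under the posted /8 entry and the RFC 1918 entry respectively. Paste any later show ip access-lists output into parse_acls to re-check a flow before going back to the far building.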
05-28-2024 12:01 PM
OK, I understand what you are saying.
Can we get the full show run configuration for us to review, and where is the ping initiated and where is that connected?