05-28-2024 06:27 AM - edited 05-28-2024 06:35 AM
I am not an expert in setting up ACLs, but I have a good understanding of the basics. However, I feel like I might be missing something.
I have set up a new VLAN to provide direct internet access while blocking communication to other VLANs and on-premises devices.
The primary issue I am having is that I can still ping and access certain IP addresses even though the traffic should be denied. For example, on the OUT ACL I have the 10.0.0.0/8 subnet set to deny anything, but I can still ping the following IPs, which I'm assuming are other virtual interfaces: 10.200.16.2, 10.8.1.2, 10.8.1.49. I also have 172.0.0.0/8 set to deny, and I can ping some printers and other devices with the following IPs: 172.20.0.2, 172.20.1.5, 172.20.210.165, 172.20.100.98.
I even set a deny ip any any at the first sequence of the IN and OUT ACLs to test, and I can still ping these devices, but I can't get to anything else. One other thing I cannot figure out is that it seems like no matter what I add on the IN ACL it doesn't affect traffic; the only entry is an implicit deny, and even if I specifically enter deny ip 10.30.1.0 0.0.0.255 any or entries for the specific IP addresses I can ping, traffic still passes out of the interface.
Switches are C9200L-48P.
Here is the VLAN config:
interface Vlan30
description GuestWired
ip address 10.30.1.1 255.255.255.0
ip helper-address 172.20.0.x
ip access-group GuestWired-IN in
ip access-group GuestWired-OUT out
Here's the IN ACL:
Extended IP access list GuestWired-IN
999 deny ip any any
Here's the OUT ACL:
Extended IP access list GuestWired-OUT
10 deny ip 172.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 192.0.0.0 0.255.255.255 any
999 permit ip any any
05-29-2024 05:40 AM - edited 05-30-2024 05:57 AM
Sure, see my reply to MHM for the layout, pinging from 10.30.1.12.
05-29-2024 07:34 AM
We agreed to change the subnet to 10.200.16.0 0.0.0.255, but I still see 10.0.0.0 0.0.0.255?
MHM
05-29-2024 07:53 AM - edited 05-30-2024 05:56 AM
Sorry, that was the config before I updated it; here's the current running cfg.
Here's the port the laptop is connected to:
interface GigabitEthernet3/0/2
description VLAN30 TEST
switchport access vlan 30
switchport mode access
spanning-tree portfast
05-29-2024 07:59 AM
The only reason then is the GW.
On the laptop, do a traceroute to 10.200.16.x and see what the first hop is.
Is it the VLAN SVI?
If not, then there is another L3 device doing the routing between the VLANs.
MHM
05-29-2024 08:08 AM - edited 05-29-2024 08:10 AM
It's just one hop to the destination address 10.200.16.2; it doesn't say it is going to the next hop for my ISP, which does some routing for me to transfer some LAN to another building, but I don't have control over that. I would figure the ACL would stop it from leaving unless I need to apply another ACL to the uplink.
#traceroute 10.200.16.2 source Vlan30
Type escape sequence to abort.
Tracing the route to 10.200.16.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.200.16.2 4 msec * 0 msec
#traceroute 10.200.16.2 source 10.30.1.1
Type escape sequence to abort.
Tracing the route to 10.200.16.2
VRF info: (vrf in name/id, vrf out name/id)
1 10.200.16.2 4 msec * 0 msec
It is a VLAN SVI, as that's the only way to create the VLAN and apply an ACL on this L3 switch, to my knowledge.
05-29-2024 08:16 AM
Sorry, but again we need to check from the laptop, and VLAN SVI 30 needs to appear as the first hop when we traceroute from the laptop to 10.200.16.x.
It is the GW that routes its traffic outside its subnet.
If it does not appear, the ACL will not work.
MHM
05-29-2024 08:55 AM
I did the trace from the laptop with the same result: it only goes to 10.200.16.2 and I don't see it hit the default gateway. Should I be configuring the port it's connected to differently?
05-29-2024 09:12 AM
Then it is an L2/L3 issue, not an ACL issue.
Try again from the laptop to the VLAN 30 SVI.
Do you see the same 10.200.16.x appear at the top?
MHM
05-29-2024 09:36 AM
I'm not sure I understand. Do you want me to ping the gateway for VLAN 30 from the laptop? The scope for 10.200.16.x is VLAN 20 and the gateway is 10.200.16.1.
05-29-2024 06:50 AM
Hello
Your statement seems confusing.
@balaji.bandi wrote: In -- when you are running traffic coming INTO the interface through an ACL. <--- INTO the interface/SVI from where?
Out -- when you are running traffic leaving the interface through an ACL. <--- leaving the interface from where?
05-28-2024 03:28 PM
Hello
The ACL logic for an SVI is as follows:
IN = traffic originating from within the vlan travelling outside the vlan
OUT= traffic originating from outside the vlan travelling inside the vlan
Example:
1.1.1.0/24 is the traffic that needs to be filtered to/from vlan 100.
IN
ip access-list extended 100
deny ip any 1.1.1.0 0.0.0.255
permit ip any any
int vlan 100
ip access-group 100 in
OUT
ip access-list extended 100
deny ip 1.1.1.0 0.0.0.255 any
permit ip any any
int vlan 100
ip access-group 100 out
05-29-2024 04:46 AM
OK, that is what I thought. I'm just not sure how I can ping some devices like 10.200.16.2, 172.20.0.2, or 172.20.1.5 with the following ACL setup:
Extended IP access list GuestWired-IN
10 deny ip any 172.0.0.0 0.255.255.255
20 deny ip any 10.0.0.0 0.255.255.255
30 deny ip any 192.0.0.0 0.255.255.255
50 permit ip any any
999 deny ip any any
Extended IP access list GuestWired-OUT
10 deny ip 172.0.0.0 0.255.255.255 any
20 deny ip 10.0.0.0 0.255.255.255 any
30 deny ip 192.0.0.0 0.255.255.255 any
999 deny ip any any
Even if I put a deny ip any at the first sequence of both ACLs, I can still ping these devices. I'm curious if it's a bug with the current IOS I have.
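As an added example (not code from the thread, from Cisco, or from any poster), the following Python script models the IN/OUT direction rule explained above for an SVI, implements Cisco wildcard-mask matching with first-match and implicit-deny semantics, and replays a ping from a guest host through the GuestWired-IN and GuestWired-OUT lists exactly as posted. The host address 10.30.1.12 is the one used later in the thread; 198.51.100.7 is a constructed stand-in for an internet destination, and the ACL text is embedded inline so the script runs offline.

```python
"""Added example: evaluate Cisco-style extended IP ACLs with wildcard masks
and replay a guest host's ping through the IN and OUT lists of an SVI.
Syntax handled: 'SEQ ACTION ip SRC DST' where SRC/DST is 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str      # "permit" or "deny"
    src: tuple       # (base as int, wildcard as int)
    dst: tuple


def _take_addr(tokens):
    """Pop one address spec from the token list and return (base, wildcard) ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF                   # every bit is 'don't care'
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse 'show ip access-lists' style output into ACEs sorted by sequence."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue                           # skip the 'Extended IP access list' header
        seq, action = int(tokens[0]), tokens[1]
        rest = tokens[3:]                      # tokens[2] is the protocol ('ip')
        src = _take_addr(rest)
        dst = _take_addr(rest)
        aces.append(Ace(seq, action, src, dst))
    return sorted(aces, key=lambda a: a.seq)


def _matches(spec, addr):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, src, dst):
    """First matching ACE wins; no match falls to the implicit deny (seq None)."""
    for ace in aces:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.seq, ace.action
    return None, "deny"


def wildcard_to_cidr(spec):
    """Show what a base/wildcard pair covers, e.g. 172.0.0.0 0.255.255.255 -> 172.0.0.0/8."""
    base, wildcard = spec
    if wildcard != (1 << wildcard.bit_length()) - 1:
        return "non-contiguous wildcard"
    prefix = 32 - wildcard.bit_length()
    return str(ipaddress.IPv4Network((base, prefix), strict=False))


def ping_through_svi(in_acl, out_acl, host, remote):
    """IN list sees the echo request leaving the VLAN (src=host, dst=remote);
    OUT list sees the echo reply entering the VLAN (src=remote, dst=host)."""
    return {
        "request": evaluate(in_acl, host, remote),
        "reply": evaluate(out_acl, remote, host),
    }


# The two lists as posted in the thread (GuestWired-IN / GuestWired-OUT).
GUEST_IN = parse_acl("""
Extended IP access list GuestWired-IN
    10 deny ip any 172.0.0.0 0.255.255.255
    20 deny ip any 10.0.0.0 0.255.255.255
    30 deny ip any 192.0.0.0 0.255.255.255
    50 permit ip any any
    999 deny ip any any
""")
GUEST_OUT = parse_acl("""
Extended IP access list GuestWired-OUT
    10 deny ip 172.0.0.0 0.255.255.255 any
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 192.0.0.0 0.255.255.255 any
    999 deny ip any any
""")

if __name__ == "__main__":
    # 198.51.100.7 is a constructed placeholder for an internet destination.
    for target in ("172.20.0.2", "10.200.16.2", "198.51.100.7"):
        print(target, ping_through_svi(GUEST_IN, GUEST_OUT, "10.30.1.12", target))
    for ace in GUEST_OUT:
        print(ace.seq, ace.action, "source covers", wildcard_to_cidr(ace.src))
```

Run as posted, the evaluator denies the echo request to 172.20.0.2 and 10.200.16.2 at IN sequence 10 and 20, and would deny the replies at OUT sequence 10 and 20, so a ping that still succeeds is consistent with the packets not being routed by the Vlan30 SVI at all, which is what the traceroute-from-the-laptop check in the thread is meant to reveal. Two things the output also makes visible: the OUT list as pasted ends in deny without any permit, so even the reply from an internet address is dropped at sequence 999, and the source wildcards 172.0.0.0 0.255.255.255 and 192.0.0.0 0.255.255.255 cover whole /8s rather than the RFC 1918 blocks 172.16.0.0/12 and 192.168.0.0/16, which also catches public addresses in those ranges.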
05-29-2024 06:56 AM
Hello
@db3772 wrote:
I have set up a new VLAN to provide direct internet access while blocking communication to other VLANs and on-premises devices.
not sure how I can ping some devices like 10.200.16.2, 172.20.0.2, or 172.20.1.5 with the following ACL setup: Even if I put a deny ip any at the first sequence of both ACLs, I can still ping these devices. I'm curious if it's a bug with the current IOS I have.
Can you elaborate a little bit more on what you're trying to filter (to/from VLANs, routed interfaces, etc.)? Maybe share the routed interface cfg along with your ACL cfg.
05-29-2024 07:08 AM
Sure. If you see my response to balaji.bandi, I have my config in there with routes. My next hop to my ISP is 10.3.1.2, which I will configure traffic to pass to once I figure out how to prevent traffic from leaving VLAN 30 and going to any other VLAN on the network, to create a "guest" wired network for vendors to connect their equipment to our network without having any connectivity to our LAN besides grabbing an IP from the DHCP server.
05-29-2024 09:37 AM
Hello
@db3772 wrote:
once I figure out how to prevent traffic from leaving VLAN 30 and going to any other VLAN on the network, to create a "guest" wired network for vendors to connect their equipment to our network without having any connectivity to our LAN besides grabbing an IP from the DHCP server.
Why don't you just put that guest SVI in a VRF? It would be much simpler; you could even create your own VRF DHCP server to serve those guest clients, and they will be totally separated from the rest of your LAN network.