ACL issues

KMX762
Level 1

Having a sort of weird issue with ACLs that seem to not apply to devices evenly.

Setup:

R1 - VLAN 2 - 10.2.0.2, VLAN 10 - 10.0.0.2, VLAN 11 - 10.0.1.2, VLAN 99 - 10.99.0.2

R2 - VLAN 2 - 10.2.0.3, VLAN 10 - 10.0.0.3, VLAN 11 - 10.0.1.3, VLAN 99 - 10.99.0.3

HSRP is configured for these two routers, with 10.X.X.1 being the virtual IP address, R1 will preempt. 

S1 - VLAN 2 - 10.2.0.4

ACLs on routers:

Extended IP access list EXTERNAL_DATA (VLAN99)
10 permit udp any any eq bootpc (6 matches)
20 permit udp any any eq bootps (363 matches)
30 deny ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255 (288569 matches)
40 deny ip 10.99.0.0 0.0.0.255 192.168.0.0 0.0.255.255 (238 matches)
50 deny ip 10.99.0.0 0.0.0.255 172.0.0.0 0.31.255.255 (3 matches)
60 permit ip 10.99.0.0 0.0.0.255 any (8827545 matches)
Extended IP access list INTERNAL_DATA (VLAN10)
10 permit udp any any eq bootpc (2482 matches)
20 permit udp any any eq bootps (3199 matches)
30 deny ip 10.99.0.0 0.0.0.255 any
40 deny ip 10.255.1.0 0.0.0.255 any
50 deny ip 10.255.2.0 0.0.0.255 any
60 deny ip 10.0.1.0 0.0.0.255 any
70 deny ip 10.2.0.0 0.0.0.255 any (12 matches)
80 permit ip 10.0.0.0 0.0.0.255 any (18578356 matches)
Extended IP access list INTERNAL_WIFI (VLAN11)
10 permit udp any any eq bootpc
20 permit udp any any eq bootps (874 matches)
30 deny ip 10.99.0.0 0.0.0.255 any
40 deny ip 10.255.1.0 0.0.0.255 any
50 deny ip 10.255.2.0 0.0.0.255 any
60 deny ip 10.0.0.0 0.0.0.255 any
70 deny ip 10.2.0.0 0.0.0.255 any
80 permit ip 10.0.1.0 0.0.0.255 any (4353123 matches)
Extended IP access list MANAGEMENT_TRAFFIC (VLAN2)
10 permit udp any any eq bootpc (19 matches)
20 permit udp any any eq bootps (2102 matches)
30 deny ip 10.99.0.0 0.0.0.255 any (27 matches)
40 deny ip 10.255.1.0 0.0.0.255 any
50 deny ip 10.255.2.0 0.0.0.255 any
60 deny ip 10.0.0.0 0.0.0.255 any (52 matches)
70 deny ip 10.0.1.0 0.0.0.255 any (4 matches)
80 permit ip 10.2.0.0 0.0.0.255 any (1385946 matches)


So the issue I have noticed is that R2 is not accessible from VLAN 10 when trying to ping its management VLAN IP address, e.g. a ping from 10.0.0.52 to 10.2.0.3 fails. However, the same source can ping 10.2.0.2, 10.2.0.4 and 10.2.0.10.

To further test this, I've run a ping from the subinterfaces on both R1 and R2, from their 10.0.0.x interfaces to 10.2.0.3/2 (VLAN 2); both are unable to ping.

So I'm curious what I am missing in the ACL that allows most pings to work inter-VLAN, yet some do not. I did note that line 60 in the Management ACL counts up when running continuous pings that fail (i.e. host PC to R2), but these ACLs are applied on inbound traffic on the subinterfaces. I think I have the flow correct for the ACLs and don't see how R2 is inaccessible but other devices are.


Accepted Solution

Jon Marshall
Hall of Fame


Assuming R1 is HSRP active and 10.0.0.52 is using 10.0.0.1 as its default gateway.

If you ping a 10.2.0.x IP then the packet is inbound on vlan 10, so that acl is applied, and you have a permit for 10.0.0.x IPs to any, so you can ping 10.2.0.2 because it is on R1, and you can ping 10.2.0.4 and 10.2.0.10 because these are devices reachable from R1, so no other acls are applied.

But if you ping 10.2.0.3 then the packet is allowed on R1, because of the permit line, and R1 then routes it onto vlan 2 and sends it to R2, but that is now an inbound packet on R2's vlan 2 interface, which has an acl applied denying any 10.0.0.x IPs, which is why you see that line incrementing.

If you want it to be able to ping all management IPs from 10.0.0.x you are going to have to add some permit statements to your management vlan acl for it to work.


Jon


Replies


Makes sense, I missed that hop in my mental flow through the network. That resolved the issue.
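The hop-by-hop logic in Jon's answer, written out as an added example (not code from the thread or from Cisco): a first-match evaluator for the two extended ACLs that matter here, INTERNAL_DATA and MANAGEMENT_TRAFFIC, copied from the OP's output above. It traces an ICMP echo from a VLAN 10 host through every inbound ACL it crosses, so you can see the 10.2.0.3 ping pass line 80 on R1 and then hit line 60 on R2, exactly the counter the OP saw incrementing. The path model (R1 vlan 10 inbound, then R2 vlan 2 inbound only when the target is R2's own address) and the sequence-55 permit used to illustrate a narrow fix are my assumptions, not the OP's configuration.

```python
"""Added example: first-match evaluation of the thread's Cisco extended ACLs,
tracing a VLAN 10 host's ping across the inbound ACLs Jon describes."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Copied from the OP's "show access-lists" output (hit counters left in).
SHOW_ACCESS_LISTS = """
Extended IP access list INTERNAL_DATA (VLAN10)
10 permit udp any any eq bootpc (2482 matches)
20 permit udp any any eq bootps (3199 matches)
30 deny ip 10.99.0.0 0.0.0.255 any
40 deny ip 10.255.1.0 0.0.0.255 any
50 deny ip 10.255.2.0 0.0.0.255 any
60 deny ip 10.0.1.0 0.0.0.255 any
70 deny ip 10.2.0.0 0.0.0.255 any (12 matches)
80 permit ip 10.0.0.0 0.0.0.255 any (18578356 matches)
Extended IP access list MANAGEMENT_TRAFFIC (VLAN2)
10 permit udp any any eq bootpc (19 matches)
20 permit udp any any eq bootps (2102 matches)
30 deny ip 10.99.0.0 0.0.0.255 any (27 matches)
40 deny ip 10.255.1.0 0.0.0.255 any
50 deny ip 10.255.2.0 0.0.0.255 any
60 deny ip 10.0.0.0 0.0.0.255 any (52 matches)
70 deny ip 10.0.1.0 0.0.0.255 any (4 matches)
80 permit ip 10.2.0.0 0.0.0.255 any (1385946 matches)
"""

@dataclass
class Ace:
    seq: int
    action: str                            # "permit" / "deny"
    proto: str                             # "ip", "udp", "icmp", ...
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[str]                   # e.g. "bootps" from "eq bootps"

def _parse_addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (net, used)."""
    if tok[0] == "any":
        return None, 1
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), 2
    # A Cisco wildcard is the bitwise inverse of the subnet mask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), 2

def _parse_ace(line):
    tok = line.split("(")[0].split()       # drop the "(N matches)" counter
    src, n = _parse_addr(tok[3:])
    rest = tok[3 + n:]
    dst, n = _parse_addr(rest)
    rest = rest[n:]
    dport = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return Ace(int(tok[0]), tok[1], tok[2], src, dst, dport)

def parse_show_access_lists(text):
    """Split 'show access-lists' output into {name: [Ace, ...]}."""
    acls, name = {}, None
    for line in text.strip().splitlines():
        if line.startswith("Extended IP access list"):
            name = line.split()[4]
            acls[name] = []
        elif line.strip():
            acls[name].append(_parse_ace(line))
    return acls

def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Cisco semantics: first matching ACE wins; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):   # "ip" matches every IP protocol
            continue
        if ace.src is not None and s not in ace.src:
            continue
        if ace.dst is not None and d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None                    # implicit "deny ip any any"

ACLS = parse_show_access_lists(SHOW_ACCESS_LISTS)
R2_VLAN2_IP = "10.2.0.3"                   # from the OP's setup

def trace(dst_ip, src_ip="10.0.0.52", acls=ACLS):
    """Inbound ACLs an ICMP echo from a VLAN 10 host crosses, in order.
    Hop 1: R1's vlan 10 subinterface (HSRP active gateway). If the target is
    R2 itself, R1 forwards onto vlan 2 and the packet is inbound on R2's
    vlan 2 subinterface, so MANAGEMENT_TRAFFIC is evaluated as hop 2."""
    hops = [("R1 vlan10 in", "INTERNAL_DATA")]
    if dst_ip == R2_VLAN2_IP:
        hops.append(("R2 vlan2 in", "MANAGEMENT_TRAFFIC"))
    path = []
    for hop, name in hops:
        action, seq = evaluate(acls[name], "icmp", src_ip, dst_ip)
        path.append((hop, name, action, seq))
        if action == "deny":
            break                          # dropped here; no further hops
    return path

def with_ace(acls, name, line):
    """Copy of the ACL set with one extra ACE inserted in sequence order."""
    new = dict(acls)
    new[name] = sorted(acls[name] + [_parse_ace(line)], key=lambda a: a.seq)
    return new

if __name__ == "__main__":
    for target in ("10.2.0.2", "10.2.0.4", "10.2.0.3"):
        print(target, trace(target))
    # Assumed narrow fix: let only the VLAN 10 subnet reach R2's vlan 2 address.
    fixed = with_ace(ACLS, "MANAGEMENT_TRAFFIC",
                     "55 permit ip 10.0.0.0 0.0.0.255 host 10.2.0.3")
    print("10.2.0.3 after fix", trace("10.2.0.3", acls=fixed))
```

Running it shows 10.2.0.2 and 10.2.0.4 permitted by INTERNAL_DATA line 80 with no second hop, while 10.2.0.3 is permitted on R1 and then denied by MANAGEMENT_TRAFFIC line 60 on R2; after the assumed sequence-55 entry is inserted ahead of line 60, the same trace ends in a permit. Placing the permit before the subnet-wide deny, and scoping it to the one management address, keeps the rest of the VLAN 2 isolation intact, which is the kind of targeted permit Jon's answer calls for.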
