avoid access between the VLANs using ACLs

caspipirna
Level 1

Hello,

I have a problem with the configuration of a Cisco SG300-10 (FW: 1.3.5.58; see Appendix) and the routing rules in the allocated VLANs.

Short topology of this network:

Address range 192.168.100.x default VLAN 1
Address 191.168.100.100 VLAN1 IP address of the Internet router
Address range 192.168.1.x VLAN10
Address range 192.168.2.x VLAN20
Address range 192.168.3.x VLAN30
Address range 192.168.4.x VLAN40
Address range 192.168.9.x VLAN90


I set up the correct VLANs on the switch, and the assignment of IP addresses by the DHCP server also works in the different VLANs as desired.
Now I would like to partly prevent access between the VLANs using ACLs.

In addition I have done the following steps:

- Creating an ACL
- Creating the following ACEs that are associated with the previously created ACL:

> deny source 192.168.100.0 0.0.0.255 dest 192.168.4.0 0.0.0.255, Prio 10
> permit source 192.168.100.0 0.0.0.255 dest any, Prio 20

- Binding the ACL to VLAN 1 (addresses 192.168.100.x)
 

Thus, according to my understanding, the following behavior should be achieved (the rules affect only inbound traffic):

- Data packets from 192.168.100.x do not reach the 192.168.4.x network.
- Data packets from 192.168.100.x can pass to all remaining VLANs.

Unfortunately, the following behavior now shows:
From the VLANs I can reach the switches in VLAN 192.168.100.x, but not the Internet (192.168.100.100).

I need help.
Many Thanks!

Yours sincerely
M. Casper

14 Replies

Aleksandra Dargiel
Cisco Employee

Hi M. Casper,

First of all please upgrade boot code to 1.3.5.06 and maybe even firmware to 1.4.0.88.

Please note that VLAN ACLs were added only with 1.3.5, but having old boot code can cause unexpected behavior:

https://software.cisco.com/download/release.html?mdfid=283019611&catid=268438038&softwareid=282463181&release=1.4.0.88&relind=AVAILABLE&rellifecycle=&reltype=latest

Below please find link to guide how to do upgrade:

https://supportforums.cisco.com/document/12321266/firmware-upgrade-troubleshooting-300-and-500-series-managed-switches

Other than that, please note that the destination IP address of a packet aimed at internet servers varies, thus the last rule in your ACL should be "permit any any", which you have basically accomplished with:

Data packets from the 192.168.100.x can be passed in all remaining VLANs.

So for now upgrade should be the first step. Please let us know how it goes.

Regards,

Aleksandra

Hi Aleksandra,

I have updated the boot code to 1.3.5.06 and the firmware to 1.4.0.88.

I used the GUI to configure the ACL/ACE and the binding. Therefore, I have set the default rule in the binding options to "deny all" (see attachment "binding") to deny the traffic between the network 192.168.100.x and the other VLANs (currently not relevant).

That's why I need the ACEs (permit 192.168.100.100 0.0.0.0 least any source, Prio 20) to allow the traffic between the subnets and the internet router (192.168.100.100).

I need the ACEs with prio 30 to 50 to allow traffic from VLAN 1 (192.168.100.x) to all other subnets (except network 192.168.4.x).

As a result of binding this ACL to VLAN 1, VLAN 2 (192.168.2.x) has neither access to VLAN 1 (concretely address 192.168.100.254) nor access to the Internet (192.168.100.100).

 

Regards,

Matthias

Hi Matthias,

For internet access you should add an allow any any rule, as the destination of the packet is not the router IP but the actual public IP, such as 173.37.145.8. Your deny ACE is blocking internet access.

I cannot see why traffic between VLAN 1 and 2 would be blocked, but I wonder how you are testing VLAN 2 to VLAN 1 access?

 

Regards,

Aleksandra

Hi Aleksandra,

I test the access between VLAN 1 and VLAN 2 by logging on to the routing switch. After activating the ACL by binding it to VLAN 1, I have no access from my PC (VLAN 2) to the routing switch in VLAN 1.

To your first statement: according to my knowledge the ACL acts inbound. So I do not block the path to the router (192.168.100.100), but the packets which come from the router to the internal network. And for these packets the access is allowed by prio 20.

Somehow I have a thinking error here ...

 

Regards,

Matthias

Hi Matthias,

Well yes, you are right, there does not seem to be an error. However, let me try in my lab. Would it be possible for you to make a copy of the running config and send it to my email: adargiel@cisco.com

Thank you in advance,

Aleksandra

Hi Aleksandra,

I have sent the current running config to your email.

Matthias

Hi Matthias,

Thank you for the configuration file. I tested with your ACL bound to VLAN 1, with ports set in access mode and in general mode between two switches as well, and I have no issue pinging the other switch's interface in a different VLAN.

We may need to look at the topology, such as:

1. where the PC is connected (which port)

2. what the PC's default gateway IP address is

3. and where the ACL is configured on the traffic pattern

Is it possible you have more than one routing device on your network when doing this test?

Regards,

Aleksandra

Hi Aleksandra,

I try to sketch my topology:

Ports 1 and 2 are working as link aggregation, as are ports 3 and 4, 5 and 6, 7 and 8. On all four LAGs the VLANs are tagged to transmit the packets of all VLANs.

An L2 switch hangs on each of the four port pairs. The L2 switches are used to connect the PCs.

The port 9 is connected directly to the DHCP / DNS server. The port is untagged and belongs to VLAN10 (server VLAN ; 192.168.1.x ).

The port 10 is connected directly to the Internet router with the address 192.168.100.100. The port is untagged and belongs to VLAN 1 ( the default VLAN ; 192.168.100.x ).

To make it a little clearer, I've attached a few screenshots of the switch configuration for VLANs and LAG and created a schematic topology of the network.

Unfortunately, I have only one routing switch, so I cannot test it differently :-(

 

Regards,

Matthias

Hi Matthias,

Thank you for all the information. I was more wondering where the host in VLAN 2 is connected on your network when trying to ping VLAN 1. I believe you mentioned it is the switch's VLAN 1 interface; however, just to be sure, what would be the outcome of a ping to a host in VLAN 1?

You have one internet gateway on your network, but technically you have more routers, since the SG300 can be used as a routing device.

What is the tracert from the host in VLAN 2 when trying to access VLAN 1 resources?

 

Regards,

Aleksandra

Hi Aleksandra,


Although I have several switches, only the SG300-10 is an L3 switch; the others are only L2 and therefore cannot route between VLANs.

The host in VLAN 2 is connected via one of the other switches (the port is configured with VLAN 2). And I try to access the routing switch in VLAN 1 (192.168.100.254).

In the appendix you will find the tracert when trying to access the routing switch in VLAN 1 or the Internet router (192.168.100.100; also in VLAN 1).

I'm a little confused, because the tracert in both cases (before and after binding the ACE to VLAN 1) turns out identical. It looks to me as if I can reach VLAN 1, but nothing gets back to VLAN 2. But why?

 

Matthias

 

Hi Matthias,

I could not see any issue with the VLAN ACL in the lab. It may be advisable to open a ticket with the Small Business team so one of the engineers can look into the configuration and testing results in more detail:

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Please feel free to PM me the case number.

Aleksandra

Hi Aleksandra,

Today I tested some other configuration with strange results. I created a new ACL and created only one ACE (permit source 192.168.2.0 0.0.0.255 dest any, Prio 10) in it. After this I bound this ACL to VLAN 2 (IP 192.168.2.x) with the default rule "deny all".

I actually thought that I would now have access to the Internet and to the DHCP server from VLAN 2, but on a request out of VLAN 2 I get no IP address from the DHCP server (I do not reach the server)...

I don't understand this. Such a simple rule and it just will not work...

Tomorrow I will open a ticket....

Matthias

Hi Matthias,

On which port have you connected the PC, and on which port is the DHCP server connected?

Perhaps traffic goes to the DHCP server on one VLAN and returns on the other, assuming that a packet capture on the DHCP server indicates that the DHCP Request and Offer are present.

Regards,

Aleksandra

Hi Aleksandra,

The DHCP server is connected to port 09 (VLAN 10). The PC is connected to the LAN via another switch (Pirat-SW-02 in my topology).

When the binding is not active, the request to DHCP is fine, but when I bind the ACL to VLAN 2 (the VLAN of the PC), I get no IP address. The binding of this ACL was the only one in this test!

Regards,

Matthias
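As an added example (not from this thread, nor Cisco's or the SG300's own code), a small Python matcher that applies Cisco wildcard masks and first-match evaluation to the two ACLs posted above, each bound inbound with the "deny all" default. The sample packets are constructed: an internet reply entering VLAN 1 from the router carries a public source address, and a DHCPDISCOVER carries source 0.0.0.0, so neither matches a permit ACE whose source is a 192.168.x.0/24 range; the helper names (wildcard_match, Ace, evaluate) are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical helpers for this added example, not the switch's own code.
# A 1 bit in a Cisco wildcard mask means "don't care" for that address bit.
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass(frozen=True)
class Ace:
    prio: int
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def evaluate(acl, default_action, src_ip, dst_ip):
    """First match wins in ascending priority; if nothing matches, the binding's
    default applies. Bound inbound, so src/dst are those of the packet entering the VLAN."""
    for ace in sorted(acl, key=lambda ace: ace.prio):
        if wildcard_match(src_ip, ace.src, ace.src_wc) and \
           wildcard_match(dst_ip, ace.dst, ace.dst_wc):
            return ace.action, ace.prio
    return default_action, None

# ACEs from the thread, each ACL bound with the default rule "deny all".
VLAN1_ACL = [
    Ace(10, "deny",   "192.168.100.0", "0.0.0.255", "192.168.4.0", "0.0.0.255"),
    Ace(20, "permit", "192.168.100.0", "0.0.0.255", "any", "255.255.255.255"),
]
VLAN2_ACL = [Ace(10, "permit", "192.168.2.0", "0.0.0.255", "any", "255.255.255.255")]
# The "permit any any" last rule suggested in the thread (priority chosen here).
PERMIT_ANY_ANY = Ace(99, "permit", "any", "255.255.255.255", "any", "255.255.255.255")

# Constructed sample packets; 203.0.113.7 is a documentation address standing in
# for an internet server whose reply enters VLAN 1 from the router on port 10.
SAMPLES = [
    ("VLAN1", VLAN1_ACL, "192.168.100.10", "192.168.4.5"),   # deny, prio 10
    ("VLAN1", VLAN1_ACL, "192.168.100.10", "192.168.2.5"),   # permit, prio 20
    ("VLAN1", VLAN1_ACL, "203.0.113.7", "192.168.2.5"),      # no match: default deny
    ("VLAN2", VLAN2_ACL, "0.0.0.0", "255.255.255.255"),      # DHCPDISCOVER: default deny
]
```

Run `evaluate(acl, "deny", src, dst)` over SAMPLES to see each decision; appending PERMIT_ANY_ANY to VLAN1_ACL is what lets the internet reply through.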