10-27-2014 01:29 PM - edited 03-07-2019 09:15 PM
Hi all
Sw1
interface Vlan200
ip address 10.0.3.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.3.1
interface Vlan201
ip address 10.0.5.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.5.1
interface Vlan202
ip address 10.0.184.2 255.255.255.0
ip access-group testaccess out
standby 0 priority 200
standby 0 ip 10.0.184.1
Sw2
interface Vlan200
ip address 10.0.3.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.3.1
interface Vlan201
ip address 10.0.5.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.5.1
interface Vlan202
ip address 10.0.184.3 255.255.255.0
ip access-group testaccess out
standby 0 priority 50
standby 0 ip 10.0.184.1
ip access-list extended testaccess
deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255
permit ip any any
From 10.0.184.0/24, if I ping 10.0.3.1, 10.0.3.2, 10.0.5.1, 10.0.5.2, I am getting a reply.
If I ping 10.0.3.3, I am not getting a reply.
My question is:
Why am I getting a reply from 10.0.3.1 (it is the virtual IP; 10.0.3.2 is the active interface)?
My access list (deny ip 10.0.0.0 0.0.63.255 10.0.150.0 0.0.0.255) should block the traffic from 10.0.3.2.
Thanks
10-27-2014 04:17 PM
There is a fundamental problem in the way that you have configured the access list that explains most of why it is not doing what you think it should do. In the access list the source address is 10.0.0.0 through 10.0.63.255 and the destination address is 10.0.184.0 through 10.0.184.255. But you have applied it outbound on vlan 202. But for vlan 202 10.0.184.0 is the source and not the destination. So it would not block traffic from 10.0.3.2 or 10.0.3.1.
HTH
Rick
10-27-2014 07:58 PM
Hi Rick
Thanks for the reply.
You wrote:
"the access list the source address is 10.0.0.0 through 10.0.63.255 and the destination address is 10.0.184.0 through 10.0.184.255. But you have applied it outbound on vlan 202. But for vlan 202 10.0.184.0 is the source and not the destination"
When I ping from the PC (IP 10.0.184.50) to 10.0.3.1, the source is 10.0.184.50 and the destination is 10.0.3.1.
When I am getting a reply from the interface 10.0.3.1, the source must be 10.0.3.1?
Thanks
10-28-2014 06:32 AM
When I initially read your post I must have been confused about the direction that you applied the access list. You are correct that if a pc at 10.0.184.50 pings to 10.0.3.1 then in the response packet the source address will be 10.0.3.1. Would I be correct in assuming that the pc is connected to switch 1? If it gets response when pinging 10.0.3.1 and 10.0.3.2 but not from 10.0.3.3 then it suggests that there is some issue in the connection between the switches. Can you post the output of show standby from both switches?
HTH
Rick
10-28-2014 03:25 PM
I don't think the same identity number below can be used, i.e.
standby 0 priority 200
standby 0 ip
standby 0 can't be used for every VLAN.
10-29-2014 09:55 AM
Hi Rick
Sorry for the confusion. I made some changes to the VLAN ID and the group name (indicated in bold). The previous VLAN ID was 202 but the IP address was the same. The group name was 0 and now it is 184.
Sw1
interface Vlan200
ip address 10.0.3.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.3.1
interface Vlan201
ip address 10.0.5.2 255.255.255.0
standby 0 priority 200
standby 0 ip 10.0.5.1
interface Vlan184
ip address 10.0.184.2 255.255.255.0
ip access-group testaccess out
standby 184 ip 10.0.184.1
standby 184 priority 200
standby 184 preempt
Sw2
interface Vlan200
ip address 10.0.3.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.3.1
interface Vlan201
ip address 10.0.5.3 255.255.255.0
standby 0 priority 50
standby 0 ip 10.0.5.1
interface Vlan184
ip address 10.0.184.3 255.255.255.0
ip access-group testaccess out
standby 184 ip 10.0.184.1
standby 184 priority 50
standby 184 preempt
Access list on Sw1 and Sw2
ip access-list extended testaccess
deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255
permit ip any any
Spanning tree
Sw1
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 4096
Sw2
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 0
Sw1#sh standby vlan 184
Vlan184 - Group 184
State is Active
12 state changes, last state change 00:00:09
Virtual IP address is 10.0.184.1
Active virtual MAC address is 0000.0c07.acb8
Local virtual MAC address is 0000.0c07.acb8 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.128 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 200 (configured 200)
Group name is "hsrp-Vl184-184" (default)
Sw2#sh standby vlan 184
Vlan184 - Group 184
State is Standby
19 state changes, last state change 00:00:22
Virtual IP address is 10.0.184.1
Active virtual MAC address is 0000.0c07.acb8
Local virtual MAC address is 0000.0c07.acb8 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.360 secs
Preemption enabled
Active router is 10.0.184.2, priority 200 (expires in 8.304 sec)
Standby router is local
Priority 50 (configured 50)
Group name is "hsrp-Vl184-184" (default)
Rick asked
" Would I be correct in assuming that the pc is connected to switch 1 ? "
Please see the topology diagram attached.
When I shut down the interface vlan 184 on Sw1, the access list works as expected, meaning I can't ping.
Thank you for your support
10-29-2014 11:22 AM
Thank you for the additional information. The drawing seems to show the PC connected to both switch1 and to switch2. How does that work?
The output of show standby is interesting. Clearly switch2 has heard from switch1 and knows about switch1. But switch1 does not seem to know about switch2.
switch1 output
Active router is local
Standby router is unknown
switch2 output
Active router is 10.0.184.2, priority 200 (expires in 8.304 sec)
Standby router is local
HTH
Rick
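The asymmetry Rick points out above (one switch reports the peer, the other reports "Standby router is unknown") is the kind of thing worth checking mechanically when collecting show standby from a pair. The following is an added example, not code from the thread or from Cisco: a small Python parser over the show standby lines the thread pasted (trimmed to the lines the parser reads, copied from the outputs above) and a pair check that flags one-way peer visibility. The field names, the check_pair logic and the trimming are my own assumptions; the addresses and states are the thread's.

```python
import re

# Trimmed copies of the "show standby vlan 184" outputs pasted in the thread
# (only the lines the parser reads are kept; values are from the thread).
SW1_EARLY = """\
Vlan184 - Group 184
State is Active
Virtual IP address is 10.0.184.1
Active router is local
Standby router is unknown
Priority 200 (configured 200)
"""
SW2_EARLY = """\
Vlan184 - Group 184
State is Standby
Virtual IP address is 10.0.184.1
Active router is 10.0.184.2, priority 200 (expires in 8.304 sec)
Standby router is local
Priority 50 (configured 50)
"""
SW1_LATER = """\
Vlan184 - Group 184
State is Active
Virtual IP address is 10.0.184.1
Active router is local
Standby router is 10.0.184.3, priority 50 (expires in 8.240 sec)
Priority 200 (configured 200)
"""
SW2_LATER = """\
Vlan184 - Group 184
State is Standby
Virtual IP address is 10.0.184.1
Active router is 10.0.184.2, priority 200 (expires in 9.312 sec)
Standby router is local
Priority 50 (configured 50)
"""

# One regex per field of interest; each is anchored at the start of a stripped line.
_PATTERNS = {
    "header": re.compile(r"^(\S+) - Group (\d+)$"),
    "state": re.compile(r"^State is (\w+)"),
    "vip": re.compile(r"^Virtual IP address is (\S+)"),
    "active": re.compile(r"^Active router is ([^,\s]+)"),    # "local" or an address
    "standby": re.compile(r"^Standby router is ([^,\s]+)"),  # "local", "unknown" or an address
    "priority": re.compile(r"^Priority (\d+)"),
}


def parse_standby(text):
    """Pull the fields that matter for peer-visibility checks out of one group's output."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pat in _PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if key == "header":
                info["interface"], info["group"] = m.group(1), int(m.group(2))
            elif key == "priority":
                info["priority"] = int(m.group(1))
            else:
                info[key] = m.group(1)
    return info


def check_pair(a, b, name_a="Sw1", name_b="Sw2"):
    """Compare the two switches' views of one HSRP group; return a list of findings."""
    findings = []
    if a.get("group") != b.get("group") or a.get("vip") != b.get("vip"):
        findings.append("group number or virtual IP differs between the two switches")
    if a.get("state") == "Active" and b.get("state") == "Active":
        findings.append("both switches are Active: neither hears the other's hellos")
    for me, me_name, peer, peer_name in ((a, name_a, b, name_b), (b, name_b, a, name_a)):
        # The peer is in Standby and names an active router, yet the active side
        # has not learned a standby peer: one-way visibility at snapshot time.
        if (me.get("state") == "Active" and me.get("standby") == "unknown"
                and peer.get("state") == "Standby" and peer.get("active") != "local"):
            findings.append(f"{peer_name} sees {me_name} as active, but {me_name} reports "
                            f"its standby router as unknown: one-way visibility")
    return findings


if __name__ == "__main__":
    print(check_pair(parse_standby(SW1_EARLY), parse_standby(SW2_EARLY)))  # one finding
    print(check_pair(parse_standby(SW1_LATER), parse_standby(SW2_LATER)))  # []
```

Run against the first pair of outputs it reports the one-way visibility; against the later pair (where Sw1 lists 10.0.184.3 as standby) it reports nothing, which matches the thread's later observation that HSRP itself was fine.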
10-29-2014 12:01 PM
Hi Rick
You said:
"The drawing seems to show the PC connected to both switch1 and to switch2. How does that work?"
On Sw3 (where the PC is connected; let me call it Sw3) the spanning tree mode is PVST, so the link to Sw2 must be in blocking state? Please correct me if I am wrong.
Below is the spanning tree information on Sw1 and Sw2.
Sw1
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 0
Sw2
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 184 4096
" The output of show standby is interesting. Clearly switch2 has heard from switch1 and knows about switch1. But switch1 does not seem to know about switch2 "
Q. What could be the problem?
Q. Does it impact the access list on Sw1?
Thanks again
10-29-2014 12:10 PM
Hi Rick
One thing came to my mind. The reason behind "standby router is unknown" may be that on Sw2 the interface was down when I took show standby. I am not sure.
switch1 output
Active router is local
Standby router is unknown
Sorry for the inconvenience
10-29-2014 12:45 PM
Please post the latest output of show standby for both the switches.
11-01-2014 07:21 PM
Hi
Here is the output.
Sw1#sh standby vlan 184
Vlan184 - Group 184
State is Active
15 state changes, last state change 00:01:48
Virtual IP address is 10.0.184.1
Active virtual MAC address is 0000.0c07.acb8
Local virtual MAC address is 0000.0c07.acb8 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.200 secs
Preemption enabled
Active router is local
Standby router is 10.0.184.3, priority 50 (expires in 8.240 sec)
Priority 200 (configured 200)
Group name is "hsrp-Vl184-184" (default)
Sw2#sh standby vlan 184
Vlan184 - Group 184
State is Standby
21 state changes, last state change 00:03:24
Virtual IP address is 10.0.184.1
Active virtual MAC address is 0000.0c07.acb8
Local virtual MAC address is 0000.0c07.acb8 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.848 secs
Preemption enabled
Active router is 10.0.184.2, priority 200 (expires in 9.312 sec)
Standby router is local
Priority 50 (configured 50)
Group name is "hsrp-Vl184-184" (default)
11-02-2014 05:51 AM
Everything is working fine. Do you still have the problem with HSRP?
11-03-2014 12:26 PM
Hi
I did not have a problem with HSRP. The problem was with the access list.
11-03-2014 08:33 PM
Add the below statement to the access-list; it should resolve the problem.
deny ip 10.0.184.0 0.0.0.255 10.0.0.0 0.0.63.255
11-03-2014 09:26 PM
Hi
But deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255 should block (outbound), isn't it?
Though I added deny ip 10.0.184.0 0.0.0.255 10.0.0.0 0.0.63.255, no luck.
Thanks
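The whole thread turns on which packets an extended ACL entry matches and which packets an ACL applied with `ip access-group testaccess out` on the Vlan184 SVI is applied to. The following is an added example, not code from the thread or from Cisco: a Python model of IOS extended-ACL evaluation (wildcard masks, first match wins, implicit deny at the end), run against the two ACL versions discussed above and the ping packets from the thread. It assumes a packet leaves through Vlan184 exactly when its destination is in 10.0.184.0/24, and it shows the extra deny line from the last reply appended after `permit ip any any`, which is where a named-ACL entry entered without a sequence number lands; the thread does not show where the poster placed it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    src: str       # network address
    src_wild: str  # Cisco wildcard (inverse) mask: 0 bits must match, 1 bits are don't-care
    dst: str
    dst_wild: str


def _int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    care = 0xFFFFFFFF ^ _int(wild)
    return (_int(addr) & care) == (_int(net) & care)


def _take(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(lines):
    """Parse 'permit ip ...' / 'deny ip ...' entries of an extended ACL, in order."""
    acl = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        src, sw, rest = _take(tokens[2:])
        dst, dw, _ = _take(rest)
        acl.append(Ace(tokens[0], src, sw, dst, dw))
    return acl


def evaluate(acl, src, dst):
    """First match wins; a packet matching no entry hits the implicit deny (entry None)."""
    for n, ace in enumerate(acl, 1):
        if wildcard_match(src, ace.src, ace.src_wild) and wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action, n
    return "deny", None


VLAN184 = ipaddress.IPv4Network("10.0.184.0/24")


def outbound_on_vlan184(acl, src, dst):
    """Apply the ACL as 'ip access-group ... out' on the Vlan184 SVI.
    Assumption: only packets routed out onto VLAN 184 (destination in 10.0.184.0/24) are
    evaluated; a packet arriving from VLAN 184 never meets an outbound ACL on that SVI."""
    if ipaddress.IPv4Address(dst) not in VLAN184:
        return "not evaluated (packet does not leave via Vlan184)", None
    return evaluate(acl, src, dst)


# The ACL as posted in the thread.
ORIGINAL = parse_acl([
    "deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255",
    "permit ip any any",
])
# The extra line from the last reply, appended after the permit (assumed placement).
APPENDED = parse_acl([
    "deny ip 10.0.0.0 0.0.63.255 10.0.184.0 0.0.0.255",
    "permit ip any any",
    "deny ip 10.0.184.0 0.0.0.255 10.0.0.0 0.0.63.255",
])

if __name__ == "__main__":
    # Packets from the thread: PC 10.0.184.50 pings the VIP 10.0.3.1 and Sw2's 10.0.3.3.
    for label, src, dst in (("request PC->VIP", "10.0.184.50", "10.0.3.1"),
                            ("reply VIP->PC", "10.0.3.1", "10.0.184.50"),
                            ("reply Sw2->PC", "10.0.3.3", "10.0.184.50")):
        print(f"{label:16} original={outbound_on_vlan184(ORIGINAL, src, dst)} "
              f"appended={outbound_on_vlan184(APPENDED, src, dst)}")
```

Two things fall out of the model. The echo reply from 10.0.3.1 to 10.0.184.50 does match the original deny entry when evaluated outbound on Vlan184, while the echo request from the PC is never seen by that outbound ACL at all, so the added deny aimed at 10.0.184.0/24 as source changes nothing there; and an entry appended after `permit ip any any` is shadowed and can never be reached, so if it was added that way the "no luck" result is expected. One behaviour the matcher deliberately does not model: IOS does not apply an outbound interface ACL to packets the router itself originates, so when the address answering the ping belongs to the switch that carries the ACL, its echo reply is locally generated and that rule, rather than the entries, is the first thing to check.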