Access-lists on VLAN Interfaces!

fntowo2009
Level 1

Hello,

I have 2 core switches interconnected with two trunks. On both switches, there are 5 virtual interfaces for 5 VLANs. HSRP runs on the switches and an ACL is activated on the SVIs in the inbound direction. When I plug a laptop into a VLAN 200 port on SW1, I can get to the Internet although the ACL should be dropping the packets. Could you please help me figure out what is going on? Below are the relevant excerpts of both switches' configurations.

Thanks,

Franc

SW1

interface Vlan100
 ip address 10.48.20.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 1 ip 10.48.20.1
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt
!
interface Vlan300
 ip address 192.168.5.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 3 ip 192.168.5.1
 standby 3 priority 200
 standby 3 preempt
!
interface Vlan400
 ip address 192.168.4.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 ip helper-address 10.48.20.36
 ip helper-address 10.48.20.37
 standby 4 ip 192.168.4.1
 standby 4 priority 200
 standby 4 preempt
!
interface Vlan500
 ip address 192.168.3.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 5 ip 192.168.3.1
 standby 5 priority 200
 standby 5 preempt
!

SW2

interface Vlan100
 ip address 10.48.20.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 1 ip 10.48.20.1
!
interface Vlan200
 ip address 192.168.2.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 2 ip 192.168.2.1
!
interface Vlan300
 ip address 192.168.5.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 3 ip 192.168.5.1
!
interface Vlan400
 ip address 192.168.4.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 ip helper-address 10.48.20.36
 ip helper-address 10.48.20.37
 standby 4 ip 192.168.4.1
!
interface Vlan500
 ip address 192.168.3.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 5 ip 192.168.3.1
!

THE ACL IS THE SAME ON BOTH SWITCHES

!
ip access-list extended acl_Vlan_Filter
 permit udp host 10.48.20.36 any
 permit udp host 10.48.20.37 any
 permit udp host 10.48.20.40 any
 permit udp any any eq 1985
 permit udp any any eq domain
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any any established
 permit tcp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq www
 permit tcp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 389
 permit udp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 389
 permit tcp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 390
 permit udp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 390
 permit tcp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq www
 permit tcp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 389
 permit udp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 389
 permit tcp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 390
 permit udp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 390
 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.48.20.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 10.48.20.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 10.48.20.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.48.20.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 10.48.20.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any          !!! Should block all outbound packets not explicitly permitted above
 permit ip any any

9 Replies

Thiyagu VG
Level 1

Along with "ip access-group acl_Vlan_Filter in", you can try "ip access-group acl_Vlan_Filter out".

From the user's side, the ACL is for outbound traffic.

While going out, it checks the source IP and denies it.

While coming in, it checks the source IP, which does not match "192.168.2.0 0.0.0.255 any", so the traffic is allowed and you are able to access the Internet.

Regards,

ThiyaguVG.

Vivek Ganapathi
Level 4

Your ACL looks fine to me. This should be applied "inbound". The in direction is for traffic coming from clients on that specific VLAN.

Now there is one thing I would like to know: what is 10.48.20.40? Is it a proxy server?

Vivek

fntowo2009
Level 1

Hi all,

Thanks for your feedback!

I agree with Vivek that the direction is correct. Anyway, I had a troubleshooting session with Cisco this morning. Unfortunately, we still couldn't figure out why the ACL was not matching the traffic. We edited the ACL and created additional ones to no avail... So, the Cisco engineer asked for the tech reports to investigate the issue in their lab.

Btw, 10.48.20.40 is a mail server...

Thanks,

Francois

Did you solve this problem?

usmantaokeer
Level 1

The direction "in/out" is with respect to the router and not the interface, i.e. traffic coming in or leaving the router; in the case of a virtual interface, try the ACL in the OUT direction and it should work.

Hello

Your ACL is too convoluted for the 5 SVIs; you should have a specific ACL for each VLAN.

Also, you have applied the ACL in the WRONG direction.

SVI RACL logic:

IN = originating from within the VLAN going out
OUT = originating from outside the VLAN going into the VLAN

Can you clarify what you are trying to achieve, please?

res
Paul
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
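To see which entry of an ACL like the one posted above a given packet hits, and why top-down first-match order and the SVI in/out semantics described in this thread matter, here is an added Python evaluator (not from the thread, Cisco, or any switch software): it walks a constructed subset of acl_Vlan_Filter the way IOS evaluates an ACL. It assumes contiguous wildcard masks and models only the "eq" and "established" options.

```python
import ipaddress

# Constructed subset of the thread's acl_Vlan_Filter, kept in the original order.
ACL = """
permit udp host 10.48.20.36 any
permit udp any any eq domain
permit tcp any any established
permit ip 192.168.2.0 0.0.0.255 10.48.20.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 any
permit ip any any
""".strip().splitlines()
PORTS = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}

def _addr(tok):
    # any | host A | A WILDCARD -> (network, tokens used); ipaddress takes 0.0.0.255-style hostmasks
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), 2
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), 2

def parse_ace(line):
    """Split one ACE into (action, proto, src_net, dst_net, dst_port, established)."""
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    src, n = _addr(t); t = t[n:]
    dst, n = _addr(t); t = t[n:]
    port, established = None, False
    while t:
        if t[0] == "eq":
            port, t = PORTS.get(t[1]) or int(t[1]), t[2:]
        elif t[0] == "established":
            established, t = True, t[1:]
        else:
            t = t[1:]  # skip options (log, precedence, ...) this toy parser does not model
    return action, proto, src, dst, port, established

def first_match(acl, proto, src, dst, dport=None, ack=False):
    """Top-down first-match evaluation as IOS does it; a packet matching no ACE hits the
    implicit 'deny ip any any'. For an SVI 'in' ACL, src is a host inside that VLAN."""
    for i, line in enumerate(acl):
        action, p, s, d, port, est = parse_ace(line)
        proto_ok = p == "ip" or p == proto
        addr_ok = ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d
        port_ok = port is None or port == dport
        flags_ok = not est or ack  # 'established' needs ACK/RST set, which a SYN lacks
        if proto_ok and addr_ok and port_ok and flags_ok:
            return i, action, line
    return len(acl), "deny", "implicit deny ip any any"
```

For a TCP SYN from 192.168.2.10 to 8.8.8.8 port 80 entering Vlan200 (the "in" direction), the evaluator returns the "deny ip 192.168.2.0 0.0.0.255 any" entry, which is what the original poster expected the switch to do; the tool checks the ACL's logic only, not the platform's forwarding behaviour.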

I have a quick question - There is a global command that I can't find right now - it is applied so that you can test your Access-lists from the SVI IP address.  

Would you happen to know the command?

I know access-lists are normally not in play for the IP on the SVI - but this helps with testing.

I've used it before, but just can't get my fingers on it now.

Thanks

Hello 

Hmm... In ASA FWs you have a feature called packet tracer, but in switches/routers

I am not so sure, tbh; however, you can initiate a debug on a specific access-list without it even being applied to the interface, which should test the ACL to a certain extent.

Example:

access-list 100 permit tcp host 1.1.1.1 host 2.2.2.2 eq 23
debug ip packet 100 detail

res

paul



Have you tried a VACL?

Something like this:

SW1(config)#access-list 100 permit ip any host 192.168.1.100
SW1(config)#vlan access-map NOT-TO-SERVER 10
SW1(config-access-map)#match ip address 100
SW1(config-access-map)#action drop
SW1(config-access-map)#vlan access-map NOT-TO-SERVER 20
SW1(config-access-map)#action forward
SW1(config-access-map)#exit
SW1(config)#! the access-map has no effect until it is applied to the VLAN(s), e.g. VLAN 200 from this thread:
SW1(config)#vlan filter NOT-TO-SERVER vlan-list 200
