01-06-2016 06:31 AM - edited 03-08-2019 03:18 AM
Hi
I'm trying to block the guest VLAN from accessing other VLANs. I have configured an ACL to do so under the sub-interface of the Guest VLAN, but I can still ping and the ACL is not working.
Pinging 10.20.4.254 from 10.20.7.254 is successful while it should fail.
Do I have something wrong in the configuration? Any ideas?
Router on a Stick configuration Cisco 1921
!
interface GigabitEthernet0/1.4
description Guest VLAN
encapsulation dot1Q 4
ip address 10.20.4.254 255.255.255.0
ip access-group BlockGuest in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.7
encapsulation dot1Q 7
ip address 10.20.7.254 255.255.255.0
!
!
!
!
ip access-list extended BlockGuest
deny ip 10.20.7.0 0.0.0.255 10.20.4.0 0.0.0.255
permit ip any any
!
Pinging from a switch with an IP in the 10.20.7.0 VLAN; the ping is working while it shouldn't.
Sw2#ping 10.20.4.254 source 10.20.7.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.4.254, timeout is 2 seconds:
Packet sent with a source address of 10.20.7.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Sw2#
Running IOS 15.4 on 1921 ISR
01-06-2016 01:06 PM
Not sure if you sorted this, but this will work for you as an example; just change it to what you need.
interface Ethernet0/0.12
encapsulation dot1Q 12
ip address 101.1.123.2 255.255.255.252
ip access-group 101 in
ip access-group 101 out
!
interface Ethernet0/0.13
encapsulation dot1Q 13
ip address 101.1.199.2 255.255.255.252
ip access-group 101 in
ip access-group 101 out
access-list 101 deny ip 101.1.123.0 0.0.0.3 101.1.199.0 0.0.0.3
access-list 101 deny ip 101.1.199.0 0.0.0.3 101.1.123.0 0.0.0.3
access-list 101 permit ip 101.1.123.0 0.0.0.3 any
access-list 101 permit ip 101.1.199.0 0.0.0.3 any
access-list 101 permit ip any any
!
R2#ping 101.1.123.2 source 101.1.199.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.123.2, timeout is 2 seconds:
Packet sent with a source address of 101.1.199.2
.....
Success rate is 0 percent (0/5)
R2#pin 101.1.199.2 source 101.1.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 101.1.199.2, timeout is 2 seconds:
Packet sent with a source address of 101.1.123.2
.....
Success rate is 0 percent (0/5)
R2#ping 10.120.99.1 source 101.1.199.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.120.99.1, timeout is 2 seconds:
Packet sent with a source address of 101.1.199.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/5 ms
01-06-2016 07:11 AM
Did you try blocking it from going outbound on g0/1.7 instead?
01-06-2016 08:12 AM
Still pinging... So weird.
!
interface GigabitEthernet0/1.4
encapsulation dot1Q 4
ip address 10.20.4.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.7
encapsulation dot1Q 7
ip address 10.20.7.254 255.255.255.0
ip access-group BlockGuest out
!
!
!
ip access-list extended BlockGuest
deny ip 10.20.7.0 0.0.0.255 10.20.4.0 0.0.0.255
permit ip any any
!
!
Sw2#ping 10.20.4.254 source 10.20.7.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.4.254, timeout is 2 seconds:
Packet sent with a source address of 10.20.7.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Sw2#
01-06-2016 09:23 AM
Hi,
Can you please do a traceroute from the device, sourcing from the guest VLAN, to make sure that the packet actually goes through the router where you configured the ACL.
core-sw-01#traceroute 1.1.1.1 source 2.2.2.2
CF
01-06-2016 02:13 PM
For some reason the ACL had to be applied on the 10.20.7.0 interface, not the one I'm trying to block traffic to (the 10.20.4.0 one).
It makes no sense, but now it's working fine. Thanks.
01-06-2016 02:13 PM
Hmm, that's strange. I only applied it to 2 out of 5 of my sub-ints; at least it's working though :)
01-07-2016 05:22 AM
Appreciate your question is answered, but the reason your other attempts didn't work is because in the first example you applied the ACL to the wrong interface and in the second example you applied it in the wrong direction.
Think of it like this:
If an ACL is applied inbound to an interface, then the source IPs will be reachable via that interface, i.e. they come into the router on that interface, and the destination IPs will be reachable via another interface.
But you had the source IPs as 10.20.7.x and they are not reachable via gi0/1.4, so the ACL matched on the permit any any and the ping worked.
If an ACL is applied outbound to an interface, then the destination IPs are reachable via that interface and the source IPs are reachable via another interface.
When you applied the same ACL outbound to gi0/1.7, the destination IPs were 10.20.4.x but they are not reachable via that interface.
If you had applied your original ACL either inbound to gi0/1.7 or outbound to gi0/1.4, then it would have worked.
Usually you apply closest to the source IPs, so you would normally apply it inbound.
Jon
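The direction rule Jon describes, as a small Python model added here (it is not code from the thread, from the Cisco 1921 or from IOS). It takes the two sub-interfaces, their subnets and the BlockGuest ACL straight from the posts and evaluates the same flow (Sw2 at 10.20.7.3 pinging 10.20.4.254) under all four placements of the ACL; the host address 10.20.4.10 is a constructed Guest-VLAN host used to show the transit case. The model also covers one detail that the transit-only description leaves aside: a packet addressed to one of the router's own interface IPs terminates on the router and is never transmitted out an interface, so an outbound ACL never sees it. That is why "outbound on gi0/1.4" only protects hosts in 10.20.4.0/24, while "inbound on gi0/1.7" also blocks pings to 10.20.4.254 itself.

```python
# Constructed model of Cisco IOS ACL direction semantics on a router-on-a-stick
# (example for this thread, not Cisco code). Interface names, subnets and ACEs
# are taken from the posts; 10.20.4.10 is a hypothetical Guest-VLAN host.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str      # network address
    src_wc: str   # Cisco wildcard mask: a 1 bit means "don't care"
    dst: str
    dst_wc: str


@dataclass
class SubInterface:
    name: str
    address: str                         # e.g. "10.20.4.254/24"
    acl_in: Optional[List[Ace]] = None   # "ip access-group X in"
    acl_out: Optional[List[Ace]] = None  # "ip access-group X out"


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE in the form used in the thread (protocol 'ip' only)."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")

    def take() -> Tuple[str, str]:  # 'any' is 0.0.0.0 with an all-ones wildcard
        if rest[0] == "any":
            rest.pop(0)
            return "0.0.0.0", "255.255.255.255"
        return rest.pop(0), rest.pop(0)

    src, src_wc = take()
    dst, dst_wc = take()
    return Ace(action, src, src_wc, dst, dst_wc)


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard compare: only bits that are 0 in the wildcard must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching ACE wins; every Cisco ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action == "permit"
    return False


def forward(interfaces: List[SubInterface], src: str, dst: str) -> Tuple[str, str]:
    """Fate of one packet and the check that decided it."""
    ip = ipaddress.IPv4Address
    net = lambda i: ipaddress.IPv4Interface(i.address).network
    # Ingress = sub-interface whose subnet holds the source (where the frame arrives);
    # egress = the one whose subnet holds the destination. No default route is modelled.
    ingress = next((i for i in interfaces if ip(src) in net(i)), None)
    egress = next((i for i in interfaces if ip(dst) in net(i)), None)
    if ingress is None or egress is None:
        return "drop", "no connected route"
    # Inbound ACLs are evaluated on the ingress interface for every received packet.
    if ingress.acl_in is not None and not acl_permits(ingress.acl_in, src, dst):
        return "deny", f"inbound ACL on {ingress.name}"
    # A packet addressed to one of the router's own interface IPs terminates here and
    # is never transmitted out an interface, so no outbound ACL can see it.
    if any(ipaddress.IPv4Interface(i.address).ip == ip(dst) for i in interfaces):
        return "permit", f"addressed to the router itself (arrived on {ingress.name})"
    # Outbound ACLs are evaluated on the egress interface for transit traffic only.
    if egress.acl_out is not None and not acl_permits(egress.acl_out, src, dst):
        return "deny", f"outbound ACL on {egress.name}"
    return "permit", f"transit {ingress.name} -> {egress.name}"


BLOCK_GUEST = [parse_ace("deny ip 10.20.7.0 0.0.0.255 10.20.4.0 0.0.0.255"),
               parse_ace("permit ip any any")]

PLACEMENTS = [("GigabitEthernet0/1.4", "in"),    # original post: no effect
              ("GigabitEthernet0/1.7", "out"),   # second attempt: no effect
              ("GigabitEthernet0/1.7", "in"),    # what finally worked
              ("GigabitEthernet0/1.4", "out")]   # Jon's other option (transit only)


def router_with(acl_on: str, direction: str) -> List[SubInterface]:
    """The thread's two sub-interfaces with BlockGuest applied at one placement."""
    gi4 = SubInterface("GigabitEthernet0/1.4", "10.20.4.254/24")
    gi7 = SubInterface("GigabitEthernet0/1.7", "10.20.7.254/24")
    target = gi4 if acl_on == "GigabitEthernet0/1.4" else gi7
    setattr(target, "acl_in" if direction == "in" else "acl_out", BLOCK_GUEST)
    return [gi4, gi7]


def verdicts(src: str = "10.20.7.3", dst: str = "10.20.4.254") -> Dict[str, str]:
    """Verdict for each placement of BlockGuest, for one src -> dst flow."""
    return {f"{intf} {d}": forward(router_with(intf, d), src, dst)[0] for intf, d in PLACEMENTS}


if __name__ == "__main__":
    print(verdicts())                  # Sw2's ping to the router's own 10.20.4.254
    print(verdicts(dst="10.20.4.10"))  # the same ping to a host in the Guest VLAN
```

Running it shows only the "GigabitEthernet0/1.7 in" placement denying the ping to 10.20.4.254, and both "GigabitEthernet0/1.7 in" and "GigabitEthernet0/1.4 out" denying the ping to 10.20.4.10. The model is one-directional like a real ACL: with BlockGuest inbound on gi0/1.7, a packet from 10.20.4.10 to 10.20.7.3 is still permitted, which is why the accepted answer pairs a deny in each direction.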