02-24-2010 09:06 AM - edited 03-06-2019 09:52 AM
Dear Experts,
I have seen one problem.
Config.
interface Vlan4
 ip address 10.10.10.1 255.255.255.0
 ip access-group LEVEL2 in
!
ip access-list extended LEVEL2
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.18
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.31
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.49
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.84
 permit udp any any
 ! implicit "deny ip any any" follows the last entry
I have configured the ACL as shown above.
Everything is working fine, but two of the servers, with IP addresses 10.10.10.240 and 10.10.10.189, were not communicating with each other.
When I removed the ACL, they communicated with each other properly. At the same time I also checked two other PCs, with IP addresses 10.10.10.125 and 10.10.10.130, and they work properly with the ACL.
Can you help me understand why this happens?
The problem is resolved by adding
permit ip host 10.10.10.240 host 10.10.10.189
But actually, when we apply an ACL on a VLAN interface, the members of that VLAN are still communicating with each other. That is happening here too, but only these two servers are not.
What could be the reason?
Please help.
02-24-2010 10:02 AM
Hello Dipesh,
How are the two servers connected?
Are they connected to two different access layer switches?
Being on the same IP subnet, if they were connected to two ports of the same access layer switch they should be able to talk directly without hitting the ACL.
Check if the two servers are configured correctly, with the correct subnet mask and default gateway.
With sh ip interface vlan4
check if proxy ARP is enabled.
The only way to reach OSI layer 3 of the switch is if one server sends the frames to the MAC address of the SVI; otherwise they would be able to talk directly, bypassing the ACL.
Check the ARP table of the two servers: look for the MAC address associated with the other server and compare it with the Vlan4 MAC address as reported in sh int vlan4 and with the other server's MAC address.
Hope to help
Giuseppe
02-24-2010 10:10 AM
I agree with Giuseppe - the 2 servers in question do not appear to be on the same subnet and are most likely sending traffic to the default gateway instead of directly connecting to the server on the same subnet via the MAC address.
To verify this you can add a line to the bottom of your ACL to deny ip any any log - to log the packets and see that the servers are hitting the ACL. If they were on the same subnet they would not hit the ACL.
Rod
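The two replies above describe the same check from two sides: whether a server treats its peer as on-link (and switches the frame directly, never touching the SVI) or sends it to the gateway MAC (where the inbound ACL on Vlan4 is evaluated). The script below is an added example, not code from the thread or from Cisco; it models that decision and evaluates the posted LEVEL2 ACL (wildcard masks rewritten as prefixes, with the implicit deny) against the two flows, and it parses a constructed `ip neigh`-style ARP listing to see whether the peer's entry carries the SVI's MAC. The SVI MAC, the 255.255.255.248 mask used as the "wrong mask" case and the ARP output are assumptions for illustration.

```python
"""Added example: why a same-subnet flow can be hit by an ACL on the SVI.

Models the host's next-hop decision (own mask), the switch's first-match ACL
evaluation, and the ARP-table evidence suggested in the thread.
"""
import ipaddress
import re

GATEWAY = "10.10.10.1"            # SVI address from the post
SVI_MAC = "00:1b:54:aa:bb:01"     # assumed Vlan4 MAC (what "sh int vlan4" would show)

# LEVEL2 from the post, wildcard masks rewritten as prefixes. Cisco appends an
# implicit "deny ip any any", which acl_action() reproduces by returning "deny".
LEVEL2 = [
    ("permit", "ip",  "10.10.10.0/24", "172.20.0.18/32"),
    ("permit", "ip",  "10.10.10.0/24", "172.20.0.31/32"),
    ("permit", "ip",  "10.10.10.0/24", "172.20.0.49/32"),
    ("permit", "ip",  "10.10.10.0/24", "172.20.0.84/32"),
    ("permit", "udp", "0.0.0.0/0",     "0.0.0.0/0"),
]
# The workaround the poster applied: a host-to-host permit in front of the rest.
LEVEL2_FIXED = [("permit", "ip", "10.10.10.240/32", "10.10.10.189/32")] + LEVEL2


def acl_action(acl, proto, src, dst):
    """First-match evaluation. 'ip' entries match every protocol; no match = deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if s in ipaddress.ip_network(asrc) and d in ipaddress.ip_network(adst):
            return action
    return "deny"


def next_hop(host_ip, host_mask, peer_ip, gateway=GATEWAY):
    """Address the host ARPs for: the peer if on-link by the host's OWN mask,
    otherwise the default gateway. A wrong mask on the host is enough to
    push a same-/24 peer to the gateway."""
    net = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    return peer_ip if ipaddress.ip_address(peer_ip) in net else gateway


def flow_result(host_ip, host_mask, peer_ip, proto, acl=LEVEL2):
    """'switched' when the frame never reaches the SVI, else the ACL verdict."""
    if next_hop(host_ip, host_mask, peer_ip) == peer_ip:
        return "switched"          # layer 2 only; the SVI ACL is not consulted
    return acl_action(acl, proto, host_ip, peer_ip)


# Constructed ARP listings in "ip neigh" format (not captured from the thread).
SAMPLE_ARP_PROXY = """\
10.10.10.1 dev eth0 lladdr 00:1b:54:aa:bb:01 REACHABLE
10.10.10.189 dev eth0 lladdr 00:1b:54:aa:bb:01 STALE
"""
SAMPLE_ARP_DIRECT = """\
10.10.10.1 dev eth0 lladdr 00:1b:54:aa:bb:01 REACHABLE
10.10.10.189 dev eth0 lladdr 00:50:56:12:34:56 REACHABLE
"""
ARP_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+).*?([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def arp_table(text):
    """Parse 'ip neigh' / 'arp -n' style output into {ip: mac}."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}


def peer_arp_state(arp_text, peer_ip, svi_mac=SVI_MAC):
    """'direct' if the peer's entry holds the peer's own MAC, 'svi' if it holds
    the SVI's MAC (proxy ARP answered, so traffic is routed and ACL'd), 'none'
    if the host has no entry (it may be sending via the gateway entry instead)."""
    mac = arp_table(arp_text).get(peer_ip)
    if mac is None:
        return "none"
    return "svi" if mac == svi_mac.lower() else "direct"


if __name__ == "__main__":
    print(flow_result("10.10.10.240", "255.255.255.0",   "10.10.10.189", "tcp"))  # switched
    print(flow_result("10.10.10.240", "255.255.255.248", "10.10.10.189", "tcp"))  # deny
    print(flow_result("10.10.10.240", "255.255.255.248", "10.10.10.189", "udp"))  # permit
    print(flow_result("10.10.10.240", "255.255.255.248", "10.10.10.189", "tcp", LEVEL2_FIXED))  # permit
    print(peer_arp_state(SAMPLE_ARP_PROXY, "10.10.10.189"))   # svi
    print(peer_arp_state(SAMPLE_ARP_DIRECT, "10.10.10.189"))  # direct
```

Note that with the mask both hosts are supposed to have, the flow is switched and LEVEL2 is irrelevant; only when a host's own mask (or a proxy-ARP answer) sends the frame to the SVI does the first-match ACL run, and then the "permit udp any any" line explains why UDP still worked while TCP and ICMP between the two servers fell through to the implicit deny.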