02-05-2010 06:23 AM - edited 03-06-2019 09:35 AM
Hi everyone,
I am building up a single-router (c877w) environment with multiple VLANs to separate traffic and block traffic from one VLAN into the other.
To make it easy to understand I'll start with parts of the active configuration:
ip inspect name standard tcp
ip inspect name standard icmp
ip inspect name standard ftp
ip inspect name standard udp
!
interface FastEthernet1
 description "Server LAN #1"
 switchport access vlan 120
 spanning-tree portfast
!
interface FastEthernet2
 description "Server LAN #2"
 switchport access vlan 120
 spanning-tree portfast
!
interface FastEthernet3
 description "Management LAN"
 switchport access vlan 110
 spanning-tree portfast
!
interface Vlan110
 description "Management LAN"
 ip address 172.100.1.1 255.255.255.0
 ip access-group 110 in
 ip inspect standard out
 no autostate
!
interface Vlan120
 description "Server LAN"
 ip address 172.100.2.1 255.255.255.0
 ip access-group 120 in
 ip inspect standard out
 no autostate
access-list 110 remark ---MANAGEMENT LAN---
access-list 110 permit ip 172.100.1.0 0.0.0.255 any
access-list 110 permit udp any eq bootpc host 172.100.1.1
access-list 110 deny   ip any any log
access-list 120 remark ---SERVER LAN---
access-list 120 permit ip 172.100.1.0 0.0.0.255 any
access-list 120 permit ip 172.100.2.0 0.0.0.255 any
access-list 120 permit udp any eq bootpc host 172.100.2.1
access-list 120 deny   ip any any log
Currently, I have one host connected to fa0/1 and one to fa0/3. What I want is that the management network (172.100.1.0) is able to access the server network (172.100.2.0) but not backwards, so the server network can only access its own network and the default gateway for internet.
With the ACLs as they are now, I can't send pings across both hosts, though I configured an allow at ACL 120 for the management network.
When I remove the ACL's from the VLAN interface, traffic is allowed, so that should be alright.
Furthermore, I added the udp rule to both ACLs because I was unable to receive an IP address for both hosts (I configured two DHCP pools on this same router for both VLANs). That ACL rule works! It seems that the ACL is only working from the physical interface to the VLAN interface of the router (.1).
As far as I can see (I checked the config multiple times) there's nothing configured "wrong". Maybe I am just missing something or the way I configured this is not the way to add an ACL to VLAN's.
Hopefully someone can help me with this, I already started pulling hairs =X
Thanks!
René
02-05-2010 06:54 AM
Kindly check your router IOS. It might be an IOS issue,
since the ACL is working on the physical interface and not working on the virtual interface.
I suspect it might be an IOS bug.
Thank you
Vijay
02-05-2010 06:56 AM
Hi Vijay,
Thanks for your fast response!
This is the version I am running:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(6)T3, RELEASE SOFTWARE (fc2)
Does this say enough to you?
Update: It seems that when I enter a subnet instead of an 'any' source/destination network or host, the rule isn't working correctly. I just tested this by allowing telnet from just one host, a subnet, or any. Only the 'any' rule worked. In the host/subnet test I used the following rules:
access-list 100 permit tcp host (IP PC) eq telnet host (IP ROUTER)
or
access-list 100 permit tcp (/24 SUBNET PC) 0.0.0.255 eq telnet host (IP ROUTER)
^^^ these rules do NOT work. I get access denied entries in the term mon. The following rule does work:
access-list 100 permit tcp any host (IP ROUTER) eq telnet
That should make clear that the config is OK but something is going wrong (as you stated, the IOS).
Thanks again,
René
02-05-2010 09:01 AM
I think your ACL 120 is wrong. To apply it in the "in" direction it has to be written as source, which would be any, to destination, which would be the networks you want to go to. It appears to be backwards. The "in" direction on the VLAN interface is traffic coming off that subnet towards the router or VLAN interface, thus you would have "any" to "subnet" in the ACLs.
02-05-2010 09:35 AM
Hi,
OK, that is making sense somehow. But that means I can't control the access to the VLAN interface, only from the VLAN to... networks.
Maybe if I added the access-list as 'out' instead of 'in'?
If you see my point I don't want to configure what networks are available to the VLAN interface, but what networks are able to go to the VLAN interface :-)
I think we're getting somewhere tho! Hopefully there's a solution for this :-)
René
02-05-2010 09:56 AM
Rewrite the ACL and apply it in the "out" direction...
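A worked version of the direction point made in the two replies above, added here as an editor's example; it is not configuration from René's router or from either replier. It keeps the thread's addressing (172.100.1.0/24 management on Vlan110, 172.100.2.0/24 servers on Vlan120, SVIs at .1) and the poster's existing CBAC rule set `standard`; the ACL names SERVER-LAN-IN and MGMT-LAN-IN are made up for the example. The key point: an ACL applied "in" on an SVI sees packets arriving at the router from that VLAN's hosts, so on Vlan120 the source side is always the server subnet, and the management-to-server permit in the original ACL 120 can never match there (those packets arrive on Vlan110). The one-way policy is therefore expressed as a deny on the server side, and the return traffic of management-initiated sessions, which that static deny would otherwise drop, is admitted by the CBAC state created by `ip inspect standard out` on the same interface.

```cisco
! Policy: management (172.100.1.0/24) may initiate sessions to the server
! LAN (172.100.2.0/24); the server LAN may reach its own subnet, its
! gateway and the Internet, but never the management LAN.
!
! Applied "in" on Vlan120: matches packets *from the server hosts*.
ip access-list extended SERVER-LAN-IN
 remark DHCP discover/request arrive from 0.0.0.0:68 to 255.255.255.255:67
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 remark DHCP renewals are unicast to the router's own pool address
 permit udp 172.100.2.0 0.0.0.255 eq bootpc host 172.100.2.1 eq bootps
 remark the one-way rule: servers may not initiate anything to management
 deny   ip 172.100.2.0 0.0.0.255 172.100.1.0 0.0.0.255 log
 remark own subnet, gateway and Internet
 permit ip 172.100.2.0 0.0.0.255 any
 deny   ip any any log
!
! Applied "in" on Vlan110: matches packets *from the management hosts*.
ip access-list extended MGMT-LAN-IN
 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
 permit udp 172.100.1.0 0.0.0.255 eq bootpc host 172.100.1.1 eq bootps
 remark a destination port belongs after the destination address
 permit tcp 172.100.1.0 0.0.0.255 host 172.100.1.1 eq telnet
 permit ip 172.100.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan110
 ip access-group MGMT-LAN-IN in
!
interface Vlan120
 ip access-group SERVER-LAN-IN in
 ! CBAC inspects sessions leaving the router towards the servers (the
 ! management-initiated ones) and opens temporary entries in the inbound
 ! ACL on this interface for their replies, including ICMP echo replies
 ! because "ip inspect name standard icmp" is in the rule set.
 ip inspect standard out
```

Two practitioner notes. First, the same policy can also be written "out" on Vlan110, as the last reply suggests (deny 172.100.2.0/24 to 172.100.1.0/24 on packets leaving the router towards the management hosts), but a stateless "out" ACL there also drops the echo replies and TCP responses that management hosts are waiting for unless inspection is paired with it, so the inbound-on-Vlan120 form above keeps the ACL and the CBAC state on one interface and is easier to verify with `show ip inspect sessions` and `show access-lists` hit counts. Second, in an IOS extended ACE an `eq` placed directly after the source address matches the source port, not the destination port; the telnet line in MGMT-LAN-IN puts `eq telnet` after the destination address, which is the form that matches a client connecting to the router's port 23.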
02-05-2010 10:02 AM
Thanks! I'm going to try it tomorrow
René