cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3059
Views
0
Helpful
6
Replies

Active ACL on VLAN interface is not allowing traffic as it should

rbos
Level 1
Level 1

Hi everyone,

I am building up a single-router (c877w) environment with multiple VLAN's to seperate traffic and block traffic from one VLAN into the other.

To make it easy to understand I'll start with parts of the active configuration:

ip inspect name standard tcp
ip inspect name standard icmp
ip inspect name standard ftp
ip inspect name standard udp


!
interface FastEthernet1
description "Server LAN #1"
switchport access vlan 120
spanning-tree portfast
!
interface FastEthernet2
description "Server LAN #2"
switchport access vlan 120
spanning-tree portfast
!
interface FastEthernet3
description "Management LAN"
switchport access vlan 110
spanning-tree portfast


!
interface Vlan110
description "Management LAN"
ip address 172.100.1.1 255.255.255.0
ip access-group 110 in
ip inspect standard out
no autostate
!
interface Vlan120
description "Server LAN"
ip address 172.100.2.1 255.255.255.0
ip access-group 120 in
ip inspect standard out
no autostate


access-list 110 remark ---MANAGEMENT LAN---

access-list 110 permit ip 172.100.1.0 0.0.0.255 any
access-list 110 permit udp any eq bootpc host 172.100.1.1
access-list 110 deny   ip any any log
access-list 120 remark ---SERVER LAN---
access-list 120 permit ip 172.100.1.0 0.0.0.255 any

access-list 120 permit ip 172.100.2.0 0.0.0.255 any
access-list 120 permit udp any eq bootpc host 172.100.2.1
access-list 120 deny   ip any any log

Currently, I have one host connected to fa0/1 and one to fa0/3. What I want is that the management network (172.100.1.0) is able to access the server network (172.100.2.0) but not backwards, so the server network can only access it's own network and the default gateway for internet.

With the ACL's as they are now, I can't send pings across both hosts, tho I configured an allow at ACL120 for the management network.

When I remove the ACL's from the VLAN interface, traffic is allowed, so that should be alright.

Furthermore, I added the udp rule to both ACL's because I was unable to receive an IP address for both hosts (I configured two DHCP pools on this same router for both VLAN's). That ACL rule works! It seems that the ACL is only working from the physical interface to the VLAN interface of the router (.1).

As far as I can see (I checked the config multiple times) there's nothing configured "wrong". Maybe I am just missing something or the way I configured this is not the way to add an ACL to VLAN's.

Hopefully someone can help me with this, I already started pulling hairs =X

Thanks!

René

6 Replies 6

Kindly Check Your Router IOS . Might be the IOS issue.

Since the ACL working on physical interface and not working on virtual interface.

I doubt it might be the IOS bug

Thank you

Vijay

Hi Vijay,

Thanks for your fast response!

This is the version I am running:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(6)T3, RELEASE SOFTWARE (fc2)

Does this say enough to you?

Update: It seems that when I give in a subnet instead of a 'any' source/destination network or host, the rule isn't working correctly. I just tested this by allowing telnet from just one host, subnet or any. Only the any rule worked. In the host/subnet test I used the following rules:


access-list 100 permit tcp host (IP PC) eq telnet host (IP ROUTER)

or

access-list 100 permit tcp (/24 SUBNET PC) 0.0.0.255 eq telnet host (IP ROUTER)

^^^ these rules do NOT work. I get access denied entries in the term mon. The following rule does work:


access-list 100 permit tcp any host (IP ROUTER) eq telnet

That should clear out that the config is ok but something is going wrong (As you stated the IOS).

Thanks again,

René

glen.grant
VIP Alumni
VIP Alumni

  I think your acl 120 is wrong  .  To apply it in the  "In" direction    it has to be written as source which would be any to destination which would be the networks you want to go to .  It appears to backwards .   The "IN" direction on the vlan interface is traffic coming off that subnet towards the router or vlan interface , thus you would have  "any" to  "subnet"  in the acls.

Hi,

Ok, that is making sense somehow. But that means I can't control the access to the VLAN interface, only from the VLAN to.. networks.

Maybe if I added the access-list as 'out' instead of 'in'?

If you see my point I don't want to configure what networks are available to the VLAN interface, but what networks are able to go to the VLAN interface :-)

I think we're getting somewhere tho! Hopefully there's a solution for this :-)

René

  Rewrite the acl and apply it in the "out" direction ...

Thanks! I'm going to try it tomorrow

René

Review Cisco Networking for a $25 gift card