Tang-Suan Tan
Beginner

Cisco 3750 Switch Problem with IP address

Hi all :

Today when we ran an application to access a target server with IP address 10.2.2.13, the application could not run through and showed an error message related to networking.

The target server has two network ports, and the other one, with IP 10.2.2.14, is running OK with the same application. Both connections are connected to the same Cisco switch 3750, then go to a Cisco ASA firewall which has no access control rule for 10.2.2.13 and its subnet, and the firewall then connects directly to the application server.

We can ping, use remote desktop, and telnet to the application port on the target server using 10.2.2.13.

We swapped the cable connections of the two ports and tried the application again; the IP 10.2.2.13 still fails and the IP 10.2.2.14 is OK.

We then changed the IP from 10.2.2.13 to 10.2.2.12 or 10.2.2.155, and all are OK. We changed back to 10.2.2.13 and it failed again.

The switch is running in real-time production, so we cannot power cycle or reload it. Can anybody or a Cisco expert help to clarify the problem and suggest an effective solution so that I can help the production?

Thanks and best regards,

Tan Tang Suan

dominic.caron
Contributor

So, if you change the IP of the server from .13 to something else, your application can reach your server? The problem is really with the IP 10.2.2.13?

Check in your ARP table whether the MAC for 10.2.2.13 matches the one on the server.

Hi Dominic :

Yes, it is only having problem with 10.2.2.13.

The ARP table shows it is matched with the server, since ping to 10.2.2.13 is OK. When we change the IP to another IP address and ping 10.2.2.13, the result is Request Timed Out.

Can anyone help with a suggestion on this problem?

Many thanks and best regards,

Tan Tang Suan

Hi all :

After some work today, I found that the two Ethernet ports are not connected to the same switch. They are connected to two different switches, which is for server redundancy. Sorry for my mistake in my first post.

Below are the MAC and ARP tables taken from the switch. Please provide any comment or way out of this problem. Many thanks!

By the way, this switch also has the access control information below; it is an access-group out control. I wonder what this access control does; can anybody give a comment or explanation on it? This is because vlan 101 can be a layer 2 vlan, and so it is also used to control other subnets. The problem is that this is an access-group out; can anybody explain the control, because I do not know much about the access-group out control function?

Thanks!

Warmest regards,

Tan Tang Suan

Access control in the switch:

interface Vlan101
 ip address 10.2.2.252 255.255.252.0
 ip access-group 101 out
 no ip proxy-arp
 standby 1 ip 10.2.2.251
!
ip default-gateway 10.2.2.251
ip classless
no ip http server
!
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
access-list 101 permit udp any any eq domain

CCCSW131b>show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
All    0100.0ccc.cccc    STATIC      CPU
All    0100.0ccc.cccd    STATIC      CPU
All    0180.c200.0000    STATIC      CPU
All    0180.c200.0001    STATIC      CPU
All    0180.c200.0002    STATIC      CPU
All    0180.c200.0003    STATIC      CPU
All    0180.c200.0004    STATIC      CPU
All    0180.c200.0005    STATIC      CPU
All    0180.c200.0006    STATIC      CPU
All    0180.c200.0007    STATIC      CPU
All    0180.c200.0008    STATIC      CPU
All    0180.c200.0009    STATIC      CPU
All    0180.c200.000a    STATIC      CPU
All    0180.c200.000b    STATIC      CPU
All    0180.c200.000c    STATIC      CPU
All    0180.c200.000d    STATIC      CPU
All    0180.c200.000e    STATIC      CPU
All    0180.c200.000f    STATIC      CPU
All    0180.c200.0010    STATIC      CPU
All    ffff.ffff.ffff    STATIC      CPU
101    0000.0c07.ac01    DYNAMIC     Gi1/0/2
101    0018.8b3e.da94    DYNAMIC     Gi1/0/2
101    0018.8b3e.da96    DYNAMIC     Gi1/0/3
101    0018.8b3e.de23    DYNAMIC     Gi1/0/2
101    0018.8b3e.de25    DYNAMIC     Gi1/0/4
101    001a.6d8f.8302    DYNAMIC     Gi1/0/2
101    001a.6d8f.8342    DYNAMIC     Gi1/0/2
101    001b.2109.37ae    DYNAMIC     Gi1/0/9
101    001b.2109.37af    DYNAMIC     Gi1/0/2
101    001b.2109.38b0    DYNAMIC     Gi1/0/10
101    001b.2109.38b1    DYNAMIC     Gi1/0/2
101    001b.54eb.f6a9    DYNAMIC     Gi1/0/2
101    001d.091e.7a9f    DYNAMIC     Gi1/0/2
101    001d.091e.82f9    DYNAMIC     Gi1/0/2
101    0026.b983.0b0c    DYNAMIC     Gi1/0/2
101    0026.b983.5eb1    DYNAMIC     Gi1/0/2
101    00e0.ad02.2c90    DYNAMIC     Gi1/0/2
101    00e0.ad02.b200    DYNAMIC     Gi1/0/5
101    a4ba.db28.9e7f    DYNAMIC     Gi1/0/2
101    b8ac.6f8b.7e90    DYNAMIC     Gi1/0/2
101    b8ac.6f8b.7e92    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 41

CCCSW131b#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.1.0.11               0   0013.7269.4aab  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.10               0   0004.23d8.1a83  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.11               0   0004.23d8.1a62  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.10               0   0013.7269.6f95  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.9                0   0013.7269.6f94  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.8                0   0004.23d8.16b7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.9                0   0004.23d8.1a82  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.8                0   0013.7269.6d3f  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.15               0   0013.7262.18aa  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.14               0   0004.23d8.189b  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.14               0   001b.2109.37af  ARPA   Vlan101

Internet  10.1.1.15               0   0004.23d8.1b18  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.14               0   0013.7269.6fbc  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.15               0   001b.2109.38b0  ARPA   Vlan101

Internet  10.1.1.12               0   0004.23d8.1a63  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.13               0   0013.7269.6fbb  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.12               0   0013.7269.4aac  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.13               0   0004.23d8.189a  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.13               0   001b.2109.37ae  ARPA   Vlan101

Internet  10.1.2.1                0   0018.8b3e.ddb5  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.2                0   0004.23d8.1a3b  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.3                0   0013.7262.17d0  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.2                0   0018.8b3e.da96  ARPA   Vlan101

Internet  10.1.0.2                0   0013.7265.d8f3  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.3                0   0018.8b3e.de23  ARPA   Vlan101

Internet  10.1.0.1                0   0013.7265.d8f2  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.3                0   0018.8b3e.ddbf  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.2                0   0018.8b3e.ddb7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.1                0   0004.23d8.1a3a  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.1                0   0018.8b3e.da94  ARPA   Vlan101

Internet  10.1.1.6                0   0004.23d8.16c9  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.7                0   0013.7269.6d3e  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.6                3   00e0.ad02.b200  ARPA   Vlan101

Internet  10.1.0.6                0   0013.7269.6f98  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.4                0   0018.8b3e.ddc1  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.7                0   0004.23d8.16b6  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.5                0   0013.7269.6f97  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.4                0   0018.8b3e.de25  ARPA   Vlan101

Internet  10.1.1.5                0   0004.23d8.16c8  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.4                0   0013.7262.17d1  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.27               0   0013.7269.6d2f  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.26               0   0004.23d8.1a73  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.26               0   0013.7269.6fb6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.27               0   0004.23d8.1cc6  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.25               0   0013.7269.6fb5  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.24               0   0004.23d8.16bd  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.24               0   0013.7269.7200  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.25               0   0004.23d8.1a72  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.31               0   0013.7269.5fff  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.30               0   000e.0cb6.8e25  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.30               0   0013.7269.60e0  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.29               0   0013.7269.60df  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.28               0   0004.23d8.1cc7  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.28               0   0013.7269.6d30  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.29               0   000e.0cb6.8e24  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.18               0   0004.23d8.1a5b  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.19               0   0013.7269.4acc  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.18               0   0013.7265.1986  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.19               0   0004.23d8.2266  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.17               0   0013.7265.1985  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.16               0   0004.23d8.1b19  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.16               0   001b.2109.38b1  ARPA   Vlan101

Internet  10.1.1.17               0   0004.23d8.1a5a  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.16               0   0013.7262.18ab  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.23               0   0013.7269.71ff  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.21               0   0018.8b3e.de14  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.22               0   0004.23d8.16af  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.23               0   b8ac.6f8b.7e90  ARPA   Vlan101

Internet  10.1.0.22               0   0013.7269.4ad0  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.23               0   0004.23d8.16bc  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.21               0   0013.7269.4acf  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.20               0   0004.23d8.2267  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.20               0   0013.7269.4acd  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.22               0   0018.8b3e.de16  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.21               0   0004.23d8.16ae  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.42               0   0004.23d7.fb83  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.43               0   0004.23d7.fb9c  ARPA   GigabitEthernet1/0/1

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.1.1.40               0   000e.0cd8.267d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.41               0   0004.23d7.fb82  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.46               0   0004.23d7.fbe5  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.47               0   0004.23d7.fe34  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.44               0   0004.23d7.fb9d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.45               0   0004.23d7.fbe4  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.35               0   782b.cb47.5f99  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.34               0   782b.cb47.554a  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.35               0   000e.0cd8.24c4  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.33               0   782b.cb47.5548  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.32               0   0013.7269.6000  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.38               0   000e.0cd8.2571  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.39               0   000e.0cd8.267c  ARPA   GigabitEthernet1/0/1

Internet  10.1.0.36               0   782b.cb47.5f9b  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.37               0   000e.0cd8.2570  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.62               0   000e.0cd8.25f3  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.63               3   0019.b922.0360  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.61               0   000e.0cd8.25f2  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.50               0   000e.0cd8.25f9  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.48               0   0004.23d7.fe35  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.49               0   000e.0cd8.25f8  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.72               0   000e.0cd8.24bb  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.71               0   000e.0cd8.24ba  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.82               0   000e.0cd8.26a7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.81               0   000e.0cd8.26a6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.111              0   0004.23d7.fba6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.122              0   000e.0cb6.8dbb  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.123              0   000e.0cd8.268c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.121              0   000e.0cb6.8dba  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.126              0   000e.0cd8.25e1  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.124              0   000e.0cd8.268d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.125              0   000e.0cd8.25e0  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.114              0   0004.23d7.fb9f  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.115              0   000e.0cd8.268e  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.112              0   0004.23d7.fba7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.113              0   0004.23d7.fb9e  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.116              0   000e.0cd8.268f  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.142              0   000e.0cb6.8e09  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.143              0   001b.2198.f0fc  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.141              0   000e.0cb6.8e08  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.131              0   0004.23e0.17b4  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.134              0   000e.0cd8.24b9  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.132              0   0004.23e0.17b5  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.133              0   000e.0cd8.24b8  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.154              0   000e.0cd8.24d7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.155              0   001b.217b.c998  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.152              0   000e.0cd8.255d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.153              0   000e.0cd8.24d6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.158              0   001b.217b.c997  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.159              0   001b.2198.f03c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.156              0   001b.217b.c999  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.157              0   001b.217b.c996  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.146              0   001b.217b.c69d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.144              0   001b.2198.f0fd  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.145              0   001b.217b.c69c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.151              0   000e.0cd8.255c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.160              0   001b.2198.f03d  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.202             47   0026.51e6.4bc0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.204             45   001a.a230.e8c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.206             43   001a.a10b.5e40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.216              4   001a.a230.5000  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.218            145   001a.a230.6680  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.220            204   0019.e706.63c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.222              0   001a.a228.7840  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.208            230   001a.a10b.5580  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.210             25   001a.a10b.9c40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.212            146   001a.a201.c380  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.214            147   001a.a230.79c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.232             82   001a.a228.49c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.234            147   001a.a228.7f40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.236             90   001a.a228.2a40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.238            100   b862.1f0b.8d40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.224            219   001a.6d45.0f40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.226            145   001a.a26f.d780  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.228            145   001a.a230.5100  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.230            213   40f4.ec99.7f40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.252              -   001a.6d8f.8bc1  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.252              -   001a.6d8f.8bc2  ARPA   Vlan101

Hello Tang-Suan,

The ACL is applied under the L3 interface SVI vlan101.

The ACL applies only to routed traffic coming from other IP subnets to 10.2.2.0/22.

It does not apply to traffic within vlan 101 within IP subnet 10.2.0.0/22.

Please note that you have a 255.255.252.0 (/22) subnet mask, not /24.

The ACL allows traffic from 10.1.0.0/24 or from 10.1.1.0/24 to reach hosts in subnet 10.2.0.0/22.

Also, there is a line for traffic from 10.2.2.0/24 to any that should never match.

At the end, DNS queries/replies are allowed.

So you need to pay attention to the actual subnet masks used in your network.

Edit:

modified base subnet with correct 10.2.0.0/22 instead of 10.2.2.0/22

Hope to help

Giuseppe

Hi Giuseppe and all :

Thanks for your reply!

I have a few points I need to clarify with you from your answer:

1. You mentioned "Also there is a line for traffic from 10.2.2.0/24 to any that should never match" in your answer, what does it mean? Can you explain it more directly? Thanks!

2. If I put a host with IP 10.2.2.13/22 with gateway of 10.2.2.251, can the traffic to and from this host go through?

3. If I put a host with IP 10.2.2.13/24 with gateway of 10.2.2.251, can the traffic to and from this host go through?

4. Will the access-list block all traffic besides 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 and, for all other IP addresses, UDP DNS traffic only?

5. If this Vlan 101 is already set with IP 10.2.2.252/22, doesn't it only accept traffic with 10.2.2.252/22 rather than other traffic from 10.1.0.0/24, 10.1.1.0/24 or 10.1.2.0/24, even though the access-list says all these subnets can go through?

Many thanks!

Warmest regards,

Tan Tang Suan

Hi all :

Sorry, I made a mistake in my reply above:

At #5, If this Vlan 101 is already set with IP 10.2.2.252/22, doesn't it only accept traffic with 10.2.2.252/22 rather than other traffic from 10.1.0.0/24, 10.1.1.0/24 or 10.1.2.0/24, even though the access-list says all these subnets can go through?

The traffic that can be accepted should change from 10.2.2.252/22 to 10.2.0.0/252. Correct me if I am wrong.

The main point of this question 5 is my doubt about whether other traffic besides this 10.2.0.0/252 can pass through vlan 101, since the vlan interface is already set to 10.2.2.252/22 (which is in the range of 10.2.0.0/22 to 10.2.3.254/22). Correct me if I am wrong.

Thanks!

Warmest regards,

Tan Tang Suan

Hello Tang-Suan,

I will try to answer your last questions, but you need to improve your knowledge base about IP subnetting, subnet masks and prefix-len notation.

>> 1 You mentioned "Also there is a line for traffic from 10.2.2.0/24 to any that should never match" in your answer, what does it mean? Can you explain it more directly? Thanks!

The ACL is applied outbound on SVI interface Vlan 101; this means that this ACL processes routed traffic coming from other IP subnets when the packets have to be sent to hosts in 10.2.2.0/22.

The typical packet will be

IP SA = x.x.x.x  IP DA = 10.2.0-3.Y

In no case should an IP packet with a source belonging to 10.2.2.0/24, which is contained in 10.2.0.0/22, be processed by the ACL. This is the meaning of "this line should have no match".

IP address and subnet mask

SVI Vlan 101 has been assigned IP address 10.2.2.252 with subnet mask 255.255.252.0.

The base address is 10.2.0.0/22 and the range of possible IP addresses is

10.2.0.1 - 10.2.3.255

I made an error in my first response: the IP subnet is 10.2.0.0/22 and not 10.2.2.0/22.

What I wanted to point out is that the IP subnet mask is different from the wildcard mask that you have used in the ACL.

0.0.0.255 means /24

The equivalent of 255.255.252.0 is a wildcard mask of 0.0.3.255.

So the message is: take care of the actual subnet masks when writing the ACLs, otherwise your ACL can block legitimate traffic.

>> 2. If I put a host with IP 10.2.2.13/22 with gateway of 10.2.2.251, is the traffic to and from this host can go through?

There is no limitation on what traffic the host can send (no ACL applied inbound on SVI vlan101); there is a limitation on what traffic can reach the host from other IP subnets:

only traffic from 10.1.0.0/24 and 10.1.1.0/24 can reach the host, in addition to traffic of the SAME IP subnet, which is not processed by the same ACL.

The host can exchange DNS messages with any other IP address.

>> 4. Will the access-list blocks all the traffics beside 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 and all other IP address with UDP DNS traffic only?

Answered above

>> If this Vlan 101 already set with IP of 10.2.2.252/22, isn't it only accept traffic with 10.2.2.252/22 rather other traffic from 10.1.0.0/24, 10.1.1.0/24 or 10.1.2.0/24 even though the access-list set all these subnets can go through?

Again, the access-list is applied in the direction from the backbone to users in the Vlan, not the opposite. So the ACL is not limiting what traffic can go out of the IP subnet but what traffic can reach the IP subnet. Think of the SVI as an additional host in L2 Vlan 101: packets exiting the SVI are directed to hosts in the Vlan.

By the way, a router or switch can accept traffic sourced by an IP address that does not belong to a connected IP subnet.

If you want to implement an anti-spoofing ACL you need to configure an ACL to be applied inbound (= IN)

like

access-list 112 permit ip 10.2.0.0 0.0.3.255 any
access-list 112 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
int vlan 101
 ip access-group 112 in

This is an example of an anti-spoofing ACL, with the second line allowing DHCP requests from initializing clients.

Edit:

>>The traffic can be accept should change from 10.2.2.252/22 to 10.2.0.0/252. Correct me if I am wrong.

The correct notations are:

10.2.0.0/22  or 10.2.0.0 255.255.252.0

The notation

10.2.0.0/252 does not exist.

As explained, anti-spoofing behaviour (accepting traffic only with source IP address = connected IP subnet) is not automatically performed by the device.

This protection can be added either by using an anti-spoofing ACL applied inbound (in) on the SVI interface or, in another way, via uRPF.

In any case, to go back to the original issue of this thread: from what IP addresses have you tried to reach the server 10.2.2.13?

The applied ACL allows only DNS and traffic from 10.1.0.0/24 and 10.1.1.0/24; traffic within 10.2.0.0/22 bypasses this ACL (it is directly connected, so L2 switching occurs within an IP subnet).

Hope to help

Giuseppe
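
Added example, not part of the original thread and not any poster's code: a small Python evaluator for the subset of IOS extended-ACL syntax used above, run against ACL 101 and the anti-spoofing ACL 112 as posted, to show first-match order, the implicit deny, and why a /24 wildcard on a /22 subnet drops legitimate hosts. The port numbers and the `ACL_112_SLASH24` variant are constructed for illustration.

```python
"""First-match evaluation of the thread's IOS extended ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}  # keywords used in the thread
ALL_ONES = 0xFFFFFFFF


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_from_netmask(netmask: str) -> str:
    """A wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(ip_int(netmask) ^ ALL_ONES))


@dataclass
class Endpoint:
    base: int
    wildcard: int               # 1-bits are "don't care"
    port: Optional[int] = None  # set by "eq <port>"

    def matches(self, addr: str, port: Optional[int]) -> bool:
        # Compare only the bits the wildcard mask does not ignore.
        if (ip_int(addr) ^ self.base) & (self.wildcard ^ ALL_ONES):
            return False
        return self.port is None or self.port == port


@dataclass
class Rule:
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint


def _endpoint(tokens: List[str]) -> Endpoint:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    word = tokens.pop(0)
    if word == "any":
        base, wild = 0, ALL_ONES
    elif word == "host":
        base, wild = ip_int(tokens.pop(0)), 0
    else:
        base, wild = ip_int(word), ip_int(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        del tokens[:2]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Endpoint(base, wild, port)


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _endpoint(rest)   # source spec comes first ...
        dst = _endpoint(rest)   # ... then the destination spec
        rules.append(Rule(action, proto, src, dst))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             sport: Optional[int] = None,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based matching line); no match is the implicit deny."""
    for number, rule in enumerate(rules, 1):
        if rule.proto not in ("ip", proto):
            continue
        if rule.src.matches(src, sport) and rule.dst.matches(dst, dport):
            return rule.action, number
    return "deny", None


# ACL 101 as posted in the thread (applied "out" on interface Vlan101).
ACL_101 = parse_acl("""
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
access-list 101 permit udp any any eq domain
""")

# Anti-spoofing ACL 112 from the reply (applied "in" on interface Vlan101).
ACL_112 = parse_acl("""
access-list 112 permit ip 10.2.0.0 0.0.3.255 any
access-list 112 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
""")

# Constructed variant: the same intent written with a /24 wildcard by mistake.
ACL_112_SLASH24 = parse_acl("access-list 112 permit ip 10.2.2.0 0.0.0.255 any")

if __name__ == "__main__":
    print("wildcard for 255.255.252.0:", wildcard_from_netmask("255.255.252.0"))
    # As the list is written; the thread does not say which source address
    # the firewall's NAT presents to the switch for 172.16.3.1.
    print(evaluate(ACL_101, "tcp", "172.16.3.1", "10.2.2.13", 50000, 3389))
    print(evaluate(ACL_112, "tcp", "10.2.3.5", "10.1.0.11", 50000, 80))
    print(evaluate(ACL_112_SLASH24, "tcp", "10.2.3.5", "10.1.0.11", 50000, 80))
```

The last two calls show the same host in 10.2.0.0/22 passing the /22 wildcard and hitting the implicit deny under the /24 one.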

Hi Giuseppe and all :

Firstly, Giuseppe, thanks for your reply.

You have corrected 10.2.0.0/252 to 10.2.0.0/22; I think I made a typo, typing 252 instead of 22. Thanks!

Back to the source of the problem: I actually used a server before a firewall, with IP 172.16.3.1/25, to access 10.2.2.13/22, 10.2.2.14/22, 10.2.2.15/22 and 10.2.2.16/22.

All of them are OK when tested with ping, telnet to the port and remote desktop from this source address of 172.16.3.1.

The strange thing is that the application only has a problem with 10.2.2.13.

I intend to restart the switch (that is a possible course, but I am not sure), but it will affect the production. The firewall has already been set with the necessary allow rules (NAT rule as well) and ports.

Have you or anybody faced a similar problem and managed this type of problem effectively?

Many thanks!

Best regards

TangSuan Tan

Hi all :

After some work today, I found that the two Ethernet ports are not connected to the same switch. They are connected to two different switches, which is for server redundancy. Sorry for my mistake in my first post.

Below are the ARP and MAC tables taken from the switch. Please provide any comment or way out of this problem. Many thanks!


Internet  10.1.1.71               0   000e.0cd8.24ba  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.82               0   000e.0cd8.26a7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.81               0   000e.0cd8.26a6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.111              0   0004.23d7.fba6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.122              0   000e.0cb6.8dbb  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.123              0   000e.0cd8.268c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.121              0   000e.0cb6.8dba  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.126              0   000e.0cd8.25e1  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.124              0   000e.0cd8.268d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.125              0   000e.0cd8.25e0  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.114              0   0004.23d7.fb9f  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.115              0   000e.0cd8.268e  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.112              0   0004.23d7.fba7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.113              0   0004.23d7.fb9e  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.116              0   000e.0cd8.268f  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.142              0   000e.0cb6.8e09  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.143              0   001b.2198.f0fc  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.141              0   000e.0cb6.8e08  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.131              0   0004.23e0.17b4  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.134              0   000e.0cd8.24b9  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.132              0   0004.23e0.17b5  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.133              0   000e.0cd8.24b8  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.154              0   000e.0cd8.24d7  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.155              0   001b.217b.c998  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.152              0   000e.0cd8.255d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.153              0   000e.0cd8.24d6  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.158              0   001b.217b.c997  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.159              0   001b.2198.f03c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.156              0   001b.217b.c999  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.157              0   001b.217b.c996  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.146              0   001b.217b.c69d  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.144              0   001b.2198.f0fd  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.145              0   001b.217b.c69c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.151              0   000e.0cd8.255c  ARPA   GigabitEthernet1/0/1

Internet  10.1.1.160              0   001b.2198.f03d  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.202             47   0026.51e6.4bc0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.204             45   001a.a230.e8c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.206             43   001a.a10b.5e40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.216              4   001a.a230.5000  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.218            145   001a.a230.6680  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.220            204   0019.e706.63c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.222              0   001a.a228.7840  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.208            230   001a.a10b.5580  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.210             25   001a.a10b.9c40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.212            146   001a.a201.c380  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.214            147   001a.a230.79c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.232             82   001a.a228.49c0  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.234            147   001a.a228.7f40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.236             90   001a.a228.2a40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.238            100   b862.1f0b.8d40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.224            219   001a.6d45.0f40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.226            145   001a.a26f.d780  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.228            145   001a.a230.5100  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.230            213   40f4.ec99.7f40  ARPA   GigabitEthernet1/0/1

Internet  10.1.2.252              -   001a.6d8f.8bc1  ARPA   GigabitEthernet1/0/1

Internet  10.2.2.252              -   001a.6d8f.8bc2  ARPA   Vlan101