10-17-2012 06:11 AM - edited 03-07-2019 09:31 AM
Hi all :
Today, when we ran an application to access a target server with IP address 10.2.2.13, the application could not run through and an error message related to networking appeared.
The target server has two network ports; the other one, with IP 10.2.2.14, runs OK with the same application. Both connections go to the same Cisco 3750 switch; after the switch they go to a Cisco ASA firewall, which has no access control rule for 10.2.2.13 and its subnet, and the firewall then connects directly to the application server.
We can ping, remote desktop and telnet to the application's port on the target server using 10.2.2.13.
We swapped the cable connections of the two ports and tried the application again; the IP 10.2.2.13 still fails and the IP 10.2.2.14 is OK.
We then changed the IP from 10.2.2.13 to 10.2.2.12 or 10.2.2.155, and all were OK. We changed it back to 10.2.2.13, and it failed again.
The switch is running in real-time production, so we cannot power cycle or reload it. Can anybody or a Cisco expert help to clarify the problem and suggest an effective solution so that I can help production?
Thanks and best regards,
Tan Tang Suan
10-17-2012 06:36 AM
So, if you change the IP of the server from .13 to something else, your application can reach your server? The problem is really with the IP 10.2.2.13?
Check in your ARP table whether the MAC for 10.2.2.13 matches the one on the server.
10-17-2012 07:50 AM
Hi Dominic :
Yes, it only has a problem with 10.2.2.13.
The ARP table shows it matches the server, since ping to 10.2.2.13 is OK. When I change the IP to another address and ping 10.2.2.13, the result is Request Timed Out.
Can anyone provide any suggestion on this problem?
Many thanks and best regards,
Tan Tang Suan
10-18-2012 03:23 AM
Hi all :
After some work today, I found that the two Ethernet ports are not connected to the same switch. They are connected to two different switches, which are treated as server redundancy. Sorry for my mistake in my first post.
Below are the MAC and ARP tables taken from the switch. Please provide any comment or way out of this problem. Many thanks!
By the way, this switch also has the access control configuration below; it is an access-group out control. I wonder what this access control does; can anybody give a comment or explanation on it? This is because VLAN 101 can be a layer 2 VLAN and so it is also used to control other subnets. The problem is that this is an access-group out, so can anybody explain the control, because I do not know much about the access-group out function.
Thanks!
Warmest regards,
Tan Tang Suan
Access control in the switch:
interface Vlan101
ip address 10.2.2.252 255.255.252.0
ip access-group 101 out
no ip proxy-arp
standby 1 ip 10.2.2.251
!
ip default-gateway 10.2.2.251
ip classless
no ip http server
!
access-list 101 permit ip 10.1.0.0 0.0.0.255 any
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
access-list 101 permit udp any any eq domain
CCCSW131b>show mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
101 0000.0c07.ac01 DYNAMIC Gi1/0/2
101 0018.8b3e.da94 DYNAMIC Gi1/0/2
101 0018.8b3e.da96 DYNAMIC Gi1/0/3
101 0018.8b3e.de23 DYNAMIC Gi1/0/2
101 0018.8b3e.de25 DYNAMIC Gi1/0/4
101 001a.6d8f.8302 DYNAMIC Gi1/0/2
101 001a.6d8f.8342 DYNAMIC Gi1/0/2
101 001b.2109.37ae DYNAMIC Gi1/0/9
101 001b.2109.37af DYNAMIC Gi1/0/2
101 001b.2109.38b0 DYNAMIC Gi1/0/10
101 001b.2109.38b1 DYNAMIC Gi1/0/2
101 001b.54eb.f6a9 DYNAMIC Gi1/0/2
101 001d.091e.7a9f DYNAMIC Gi1/0/2
101 001d.091e.82f9 DYNAMIC Gi1/0/2
101 0026.b983.0b0c DYNAMIC Gi1/0/2
101 0026.b983.5eb1 DYNAMIC Gi1/0/2
101 00e0.ad02.2c90 DYNAMIC Gi1/0/2
101 00e0.ad02.b200 DYNAMIC Gi1/0/5
101 a4ba.db28.9e7f DYNAMIC Gi1/0/2
101 b8ac.6f8b.7e90 DYNAMIC Gi1/0/2
101 b8ac.6f8b.7e92 DYNAMIC Gi1/0/2
Total Mac Addresses for this criterion: 41
CCCSW131b#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.0.11 0 0013.7269.4aab ARPA GigabitEthernet1/0/1
Internet 10.1.1.10 0 0004.23d8.1a83 ARPA GigabitEthernet1/0/1
Internet 10.1.1.11 0 0004.23d8.1a62 ARPA GigabitEthernet1/0/1
Internet 10.1.0.10 0 0013.7269.6f95 ARPA GigabitEthernet1/0/1
Internet 10.1.0.9 0 0013.7269.6f94 ARPA GigabitEthernet1/0/1
Internet 10.1.1.8 0 0004.23d8.16b7 ARPA GigabitEthernet1/0/1
Internet 10.1.1.9 0 0004.23d8.1a82 ARPA GigabitEthernet1/0/1
Internet 10.1.0.8 0 0013.7269.6d3f ARPA GigabitEthernet1/0/1
Internet 10.1.0.15 0 0013.7262.18aa ARPA GigabitEthernet1/0/1
Internet 10.1.1.14 0 0004.23d8.189b ARPA GigabitEthernet1/0/1
Internet 10.2.2.14 0 001b.2109.37af ARPA Vlan101
Internet 10.1.1.15 0 0004.23d8.1b18 ARPA GigabitEthernet1/0/1
Internet 10.1.0.14 0 0013.7269.6fbc ARPA GigabitEthernet1/0/1
Internet 10.2.2.15 0 001b.2109.38b0 ARPA Vlan101
Internet 10.1.1.12 0 0004.23d8.1a63 ARPA GigabitEthernet1/0/1
Internet 10.1.0.13 0 0013.7269.6fbb ARPA GigabitEthernet1/0/1
Internet 10.1.0.12 0 0013.7269.4aac ARPA GigabitEthernet1/0/1
Internet 10.1.1.13 0 0004.23d8.189a ARPA GigabitEthernet1/0/1
Internet 10.2.2.13 0 001b.2109.37ae ARPA Vlan101
Internet 10.1.2.1 0 0018.8b3e.ddb5 ARPA GigabitEthernet1/0/1
Internet 10.1.1.2 0 0004.23d8.1a3b ARPA GigabitEthernet1/0/1
Internet 10.1.0.3 0 0013.7262.17d0 ARPA GigabitEthernet1/0/1
Internet 10.2.2.2 0 0018.8b3e.da96 ARPA Vlan101
Internet 10.1.0.2 0 0013.7265.d8f3 ARPA GigabitEthernet1/0/1
Internet 10.2.2.3 0 0018.8b3e.de23 ARPA Vlan101
Internet 10.1.0.1 0 0013.7265.d8f2 ARPA GigabitEthernet1/0/1
Internet 10.1.2.3 0 0018.8b3e.ddbf ARPA GigabitEthernet1/0/1
Internet 10.1.2.2 0 0018.8b3e.ddb7 ARPA GigabitEthernet1/0/1
Internet 10.1.1.1 0 0004.23d8.1a3a ARPA GigabitEthernet1/0/1
Internet 10.2.2.1 0 0018.8b3e.da94 ARPA Vlan101
Internet 10.1.1.6 0 0004.23d8.16c9 ARPA GigabitEthernet1/0/1
Internet 10.1.0.7 0 0013.7269.6d3e ARPA GigabitEthernet1/0/1
Internet 10.2.2.6 3 00e0.ad02.b200 ARPA Vlan101
Internet 10.1.0.6 0 0013.7269.6f98 ARPA GigabitEthernet1/0/1
Internet 10.1.2.4 0 0018.8b3e.ddc1 ARPA GigabitEthernet1/0/1
Internet 10.1.1.7 0 0004.23d8.16b6 ARPA GigabitEthernet1/0/1
Internet 10.1.0.5 0 0013.7269.6f97 ARPA GigabitEthernet1/0/1
Internet 10.2.2.4 0 0018.8b3e.de25 ARPA Vlan101
Internet 10.1.1.5 0 0004.23d8.16c8 ARPA GigabitEthernet1/0/1
Internet 10.1.0.4 0 0013.7262.17d1 ARPA GigabitEthernet1/0/1
Internet 10.1.0.27 0 0013.7269.6d2f ARPA GigabitEthernet1/0/1
Internet 10.1.1.26 0 0004.23d8.1a73 ARPA GigabitEthernet1/0/1
Internet 10.1.0.26 0 0013.7269.6fb6 ARPA GigabitEthernet1/0/1
Internet 10.1.1.27 0 0004.23d8.1cc6 ARPA GigabitEthernet1/0/1
Internet 10.1.0.25 0 0013.7269.6fb5 ARPA GigabitEthernet1/0/1
Internet 10.1.1.24 0 0004.23d8.16bd ARPA GigabitEthernet1/0/1
Internet 10.1.0.24 0 0013.7269.7200 ARPA GigabitEthernet1/0/1
Internet 10.1.1.25 0 0004.23d8.1a72 ARPA GigabitEthernet1/0/1
Internet 10.1.0.31 0 0013.7269.5fff ARPA GigabitEthernet1/0/1
Internet 10.1.1.30 0 000e.0cb6.8e25 ARPA GigabitEthernet1/0/1
Internet 10.1.0.30 0 0013.7269.60e0 ARPA GigabitEthernet1/0/1
Internet 10.1.0.29 0 0013.7269.60df ARPA GigabitEthernet1/0/1
Internet 10.1.1.28 0 0004.23d8.1cc7 ARPA GigabitEthernet1/0/1
Internet 10.1.0.28 0 0013.7269.6d30 ARPA GigabitEthernet1/0/1
Internet 10.1.1.29 0 000e.0cb6.8e24 ARPA GigabitEthernet1/0/1
Internet 10.1.1.18 0 0004.23d8.1a5b ARPA GigabitEthernet1/0/1
Internet 10.1.0.19 0 0013.7269.4acc ARPA GigabitEthernet1/0/1
Internet 10.1.0.18 0 0013.7265.1986 ARPA GigabitEthernet1/0/1
Internet 10.1.1.19 0 0004.23d8.2266 ARPA GigabitEthernet1/0/1
Internet 10.1.0.17 0 0013.7265.1985 ARPA GigabitEthernet1/0/1
Internet 10.1.1.16 0 0004.23d8.1b19 ARPA GigabitEthernet1/0/1
Internet 10.2.2.16 0 001b.2109.38b1 ARPA Vlan101
Internet 10.1.1.17 0 0004.23d8.1a5a ARPA GigabitEthernet1/0/1
Internet 10.1.0.16 0 0013.7262.18ab ARPA GigabitEthernet1/0/1
Internet 10.1.0.23 0 0013.7269.71ff ARPA GigabitEthernet1/0/1
Internet 10.1.2.21 0 0018.8b3e.de14 ARPA GigabitEthernet1/0/1
Internet 10.1.1.22 0 0004.23d8.16af ARPA GigabitEthernet1/0/1
Internet 10.2.2.23 0 b8ac.6f8b.7e90 ARPA Vlan101
Internet 10.1.0.22 0 0013.7269.4ad0 ARPA GigabitEthernet1/0/1
Internet 10.1.1.23 0 0004.23d8.16bc ARPA GigabitEthernet1/0/1
Internet 10.1.0.21 0 0013.7269.4acf ARPA GigabitEthernet1/0/1
Internet 10.1.1.20 0 0004.23d8.2267 ARPA GigabitEthernet1/0/1
Internet 10.1.0.20 0 0013.7269.4acd ARPA GigabitEthernet1/0/1
Internet 10.1.2.22 0 0018.8b3e.de16 ARPA GigabitEthernet1/0/1
Internet 10.1.1.21 0 0004.23d8.16ae ARPA GigabitEthernet1/0/1
Internet 10.1.1.42 0 0004.23d7.fb83 ARPA GigabitEthernet1/0/1
Internet 10.1.1.43 0 0004.23d7.fb9c ARPA GigabitEthernet1/0/1
Internet 10.1.1.40 0 000e.0cd8.267d ARPA GigabitEthernet1/0/1
Internet 10.1.1.41 0 0004.23d7.fb82 ARPA GigabitEthernet1/0/1
Internet 10.1.1.46 0 0004.23d7.fbe5 ARPA GigabitEthernet1/0/1
Internet 10.1.1.47 0 0004.23d7.fe34 ARPA GigabitEthernet1/0/1
Internet 10.1.1.44 0 0004.23d7.fb9d ARPA GigabitEthernet1/0/1
Internet 10.1.1.45 0 0004.23d7.fbe4 ARPA GigabitEthernet1/0/1
Internet 10.1.0.35 0 782b.cb47.5f99 ARPA GigabitEthernet1/0/1
Internet 10.1.0.34 0 782b.cb47.554a ARPA GigabitEthernet1/0/1
Internet 10.1.1.35 0 000e.0cd8.24c4 ARPA GigabitEthernet1/0/1
Internet 10.1.0.33 0 782b.cb47.5548 ARPA GigabitEthernet1/0/1
Internet 10.1.0.32 0 0013.7269.6000 ARPA GigabitEthernet1/0/1
Internet 10.1.1.38 0 000e.0cd8.2571 ARPA GigabitEthernet1/0/1
Internet 10.1.1.39 0 000e.0cd8.267c ARPA GigabitEthernet1/0/1
Internet 10.1.0.36 0 782b.cb47.5f9b ARPA GigabitEthernet1/0/1
Internet 10.1.1.37 0 000e.0cd8.2570 ARPA GigabitEthernet1/0/1
Internet 10.1.1.62 0 000e.0cd8.25f3 ARPA GigabitEthernet1/0/1
Internet 10.1.1.63 3 0019.b922.0360 ARPA GigabitEthernet1/0/1
Internet 10.1.1.61 0 000e.0cd8.25f2 ARPA GigabitEthernet1/0/1
Internet 10.1.1.50 0 000e.0cd8.25f9 ARPA GigabitEthernet1/0/1
Internet 10.1.1.48 0 0004.23d7.fe35 ARPA GigabitEthernet1/0/1
Internet 10.1.1.49 0 000e.0cd8.25f8 ARPA GigabitEthernet1/0/1
Internet 10.1.1.72 0 000e.0cd8.24bb ARPA GigabitEthernet1/0/1
Internet 10.1.1.71 0 000e.0cd8.24ba ARPA GigabitEthernet1/0/1
Internet 10.1.1.82 0 000e.0cd8.26a7 ARPA GigabitEthernet1/0/1
Internet 10.1.1.81 0 000e.0cd8.26a6 ARPA GigabitEthernet1/0/1
Internet 10.1.1.111 0 0004.23d7.fba6 ARPA GigabitEthernet1/0/1
Internet 10.1.1.122 0 000e.0cb6.8dbb ARPA GigabitEthernet1/0/1
Internet 10.1.1.123 0 000e.0cd8.268c ARPA GigabitEthernet1/0/1
Internet 10.1.1.121 0 000e.0cb6.8dba ARPA GigabitEthernet1/0/1
Internet 10.1.1.126 0 000e.0cd8.25e1 ARPA GigabitEthernet1/0/1
Internet 10.1.1.124 0 000e.0cd8.268d ARPA GigabitEthernet1/0/1
Internet 10.1.1.125 0 000e.0cd8.25e0 ARPA GigabitEthernet1/0/1
Internet 10.1.1.114 0 0004.23d7.fb9f ARPA GigabitEthernet1/0/1
Internet 10.1.1.115 0 000e.0cd8.268e ARPA GigabitEthernet1/0/1
Internet 10.1.1.112 0 0004.23d7.fba7 ARPA GigabitEthernet1/0/1
Internet 10.1.1.113 0 0004.23d7.fb9e ARPA GigabitEthernet1/0/1
Internet 10.1.1.116 0 000e.0cd8.268f ARPA GigabitEthernet1/0/1
Internet 10.1.1.142 0 000e.0cb6.8e09 ARPA GigabitEthernet1/0/1
Internet 10.1.1.143 0 001b.2198.f0fc ARPA GigabitEthernet1/0/1
Internet 10.1.1.141 0 000e.0cb6.8e08 ARPA GigabitEthernet1/0/1
Internet 10.1.1.131 0 0004.23e0.17b4 ARPA GigabitEthernet1/0/1
Internet 10.1.1.134 0 000e.0cd8.24b9 ARPA GigabitEthernet1/0/1
Internet 10.1.1.132 0 0004.23e0.17b5 ARPA GigabitEthernet1/0/1
Internet 10.1.1.133 0 000e.0cd8.24b8 ARPA GigabitEthernet1/0/1
Internet 10.1.1.154 0 000e.0cd8.24d7 ARPA GigabitEthernet1/0/1
Internet 10.1.1.155 0 001b.217b.c998 ARPA GigabitEthernet1/0/1
Internet 10.1.1.152 0 000e.0cd8.255d ARPA GigabitEthernet1/0/1
Internet 10.1.1.153 0 000e.0cd8.24d6 ARPA GigabitEthernet1/0/1
Internet 10.1.1.158 0 001b.217b.c997 ARPA GigabitEthernet1/0/1
Internet 10.1.1.159 0 001b.2198.f03c ARPA GigabitEthernet1/0/1
Internet 10.1.1.156 0 001b.217b.c999 ARPA GigabitEthernet1/0/1
Internet 10.1.1.157 0 001b.217b.c996 ARPA GigabitEthernet1/0/1
Internet 10.1.1.146 0 001b.217b.c69d ARPA GigabitEthernet1/0/1
Internet 10.1.1.144 0 001b.2198.f0fd ARPA GigabitEthernet1/0/1
Internet 10.1.1.145 0 001b.217b.c69c ARPA GigabitEthernet1/0/1
Internet 10.1.1.151 0 000e.0cd8.255c ARPA GigabitEthernet1/0/1
Internet 10.1.1.160 0 001b.2198.f03d ARPA GigabitEthernet1/0/1
Internet 10.1.2.202 47 0026.51e6.4bc0 ARPA GigabitEthernet1/0/1
Internet 10.1.2.204 45 001a.a230.e8c0 ARPA GigabitEthernet1/0/1
Internet 10.1.2.206 43 001a.a10b.5e40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.216 4 001a.a230.5000 ARPA GigabitEthernet1/0/1
Internet 10.1.2.218 145 001a.a230.6680 ARPA GigabitEthernet1/0/1
Internet 10.1.2.220 204 0019.e706.63c0 ARPA GigabitEthernet1/0/1
Internet 10.1.2.222 0 001a.a228.7840 ARPA GigabitEthernet1/0/1
Internet 10.1.2.208 230 001a.a10b.5580 ARPA GigabitEthernet1/0/1
Internet 10.1.2.210 25 001a.a10b.9c40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.212 146 001a.a201.c380 ARPA GigabitEthernet1/0/1
Internet 10.1.2.214 147 001a.a230.79c0 ARPA GigabitEthernet1/0/1
Internet 10.1.2.232 82 001a.a228.49c0 ARPA GigabitEthernet1/0/1
Internet 10.1.2.234 147 001a.a228.7f40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.236 90 001a.a228.2a40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.238 100 b862.1f0b.8d40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.224 219 001a.6d45.0f40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.226 145 001a.a26f.d780 ARPA GigabitEthernet1/0/1
Internet 10.1.2.228 145 001a.a230.5100 ARPA GigabitEthernet1/0/1
Internet 10.1.2.230 213 40f4.ec99.7f40 ARPA GigabitEthernet1/0/1
Internet 10.1.2.252 - 001a.6d8f.8bc1 ARPA GigabitEthernet1/0/1
Internet 10.2.2.252 - 001a.6d8f.8bc2 ARPA Vlan101
10-18-2012 06:10 AM
Hello Tang-Suan,
the ACL is applied under the L3 interface SVI vlan101.
The ACL applies only to routed traffic coming from other IP subnets to 10.2.2.0/22.
It does not apply to traffic within vlan 101 within IP subnet 10.2.0.0/22.
Please note that you have a 255.255.252.0 (/22) subnet mask, not /24.
The ACL allows traffic from 10.1.0.0/24 or from 10.1.1.0/24 to reach hosts in subnet 10.2.0.0/22.
Also there is a line for traffic from 10.2.2.0/24 to any that should never match.
At the end DNS queries/replies are allowed.
So you need to pay attention to the actual subnet masks used in your network.
Edit:
modified base subnet with correct 10.2.0.0/22 instead of 10.2.2.0/22
Hope to help
Giuseppe
10-18-2012 06:40 PM
Hi Giuseppe and all :
Thanks to your reply!
I have a few points I need to clarify with you from your answer:
1. You mentioned "Also there is a line for traffic from 10.2.2.0/24 to any that should never match" in your answer; what does it mean? Can you explain it more directly? Thanks!
2. If I put a host with IP 10.2.2.13/22 and gateway 10.2.2.251, can traffic to and from this host go through?
3. If I put a host with IP 10.2.2.13/24 and gateway 10.2.2.251, can traffic to and from this host go through?
4. Will the access-list block all traffic besides 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24, and UDP DNS traffic only from all other IP addresses?
5. If this Vlan 101 is already set with the IP 10.2.2.252/22, doesn't it only accept traffic from 10.2.2.252/22 rather than other traffic from 10.1.0.0/24, 10.1.1.0/24 or 10.1.2.0/24, even though the access-list sets all these subnets to go through?
Many thanks!
Warmest regards,
Tan Tang Suan
10-18-2012 06:52 PM
Hi all :
Sorry, I made a mistake in my reply above:
At #5: If this Vlan 101 is already set with the IP 10.2.2.252/22, doesn't it only accept traffic from 10.2.2.252/22 rather than other traffic from 10.1.0.0/24, 10.1.1.0/24 or 10.1.2.0/24, even though the access-list sets all these subnets to go through?
The traffic that can be accepted should be changed from 10.2.2.252/22 to 10.2.0.0/252. Correct me if I am wrong.
The main point of question 5 is my doubt about whether traffic other than this 10.2.0.0/252 can pass through Vlan 101, since the VLAN interface is already set to 10.2.2.252/22 (which is in the range 10.2.0.0/22 to 10.2.3.254/22). Correct me if I am wrong.
Thanks!
Warmest regards,
Tan Tang Suan
10-19-2012 12:57 AM
Hello Tang-Suan,
I will try to answer your last questions, but you need to improve your knowledge base about IP subnetting, subnet masks and prefix-length notation.
>> 1 You mentioned "Also there is a line for traffic from 10.2.2.0/24 to any that should never match" in your answer, what does it mean? Can you explain it more directly? Thanks!
The ACL is applied outbound on SVI interface Vlan 101; this means that this ACL processes routed traffic coming from other IP subnets when the packets have to be sent to hosts in 10.2.2.0/22.
The typical packet will be
IP SA = x.x.x.x IP DA = 10.2.0-3.Y
In no case should an IP packet with a source belonging to 10.2.2.0/24, which is contained in 10.2.0.0/22, be processed by the ACL. This is the meaning of "this line should have no match".
IP address and subnet mask
SVI Vlan 101 has the assigned IP address 10.2.2.252 with subnet mask 255.255.252.0.
The base address is 10.2.0.0/22 and the range of possible IP addresses is
10.2.0.1 - 10.2.3.255
I made an error in my first response: the IP subnet is 10.2.0.0/22 and not 10.2.2.0/22.
What I wanted to point out is that the IP subnet mask is different from the wildcard mask that you have used in the ACL:
0.0.0.255 means /24
the equivalent of 255.255.252.0 is a wildcard mask of 0.0.3.255
So the message is: take care of the actual subnet masks when writing the ACLs, otherwise your ACL can block legitimate traffic.
>> 2. If I put a host with IP 10.2.2.13/22 with gateway of 10.2.2.251, is the traffic to and from this host can go through?
There is no limitation on what traffic the host can send (no ACL applied inbound on SVI vlan101); there is a limitation on what traffic can reach the host from other IP subnets:
only traffic from 10.1.0.0/24 and 10.1.1.0/24 can reach the host, in addition to traffic from the SAME IP subnet, which is not processed by the ACL.
The host can exchange DNS messages with any other IP address.
>> 4. Will the access-list blocks all the traffics beside 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 and all other IP address with UDP DNS traffic only?
Answered above
>> If this Vlan 101 already set with IP of 10.2.2.252/22, isn't it only accept traffic with 10.2.2.252/22 rather other traffic from 10.1.0.0/24, 10.1.1.0/24 or 10.1.2.0/24 even though the access-list set all these subnets can go through?
Again, the access-list is applied in the direction from the backbone to the users in the Vlan, not the opposite. So the ACL is not limiting what traffic can go out of the IP subnet but what traffic can reach the IP subnet. Think of the SVI as an additional host in L2 Vlan 101: packets exiting the SVI are directed to hosts in the Vlan.
By the way, a router or switch can accept traffic sourced by an IP address that does not belong to the connected IP subnet.
If you want to implement an anti-spoofing ACL you need to configure an ACL to be applied inbound (= IN)
like
access-list 112 permit ip 10.2.0.0 0.0.3.255 any
access-list 112 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
int vlan 101
ip access-group 112 in
This is an example of an anti-spoofing ACL, with the second line allowing DHCP requests from initializing clients.
Edit:
>>The traffic can be accept should change from 10.2.2.252/22 to 10.2.0.0/252. Correct me if I am wrong.
the correct notations are:
10.2.0.0/22 or 10.2.0.0 255.255.252.0
the notation
10.2.0.0/252 does not exist.
As explained, anti-spoofing behaviour (accepting traffic only with source IP address = connected IP subnet) is not automatically performed by the device.
This protection can be added either by using an anti-spoofing ACL applied inbound (in) on the SVI interface or in another way via uRPF.
In any case, to go back to the original issue of this thread: from what IP addresses have you tried to reach the server 10.2.2.13?
The applied ACL allows only DNS and traffic from 10.1.0.0/24 and 10.1.1.0/24; traffic within 10.2.0.0/22 bypasses this ACL (it is directly connected, so L2 switching occurs within an IP subnet).
Hope to help
Giuseppe
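Added example, not code from the thread or from Cisco: a small Python evaluator for the numbered extended-ACL syntax quoted above, run against access-list 101 (out on Vlan101) and Giuseppe's anti-spoofing access-list 112 (in), with the wildcard-to-prefix conversion that shows 0.0.0.255 is /24 and 0.0.3.255 is /22. The packets are constructed; hosts 10.1.3.7 and 192.168.9.9 are hypothetical, and the outbound checks assume the packet is actually routed out through the SVI, which is what Giuseppe's closing question is about.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}  # names used in the two ACLs

class Ace(NamedTuple):
    action: str            # permit | deny
    proto: str             # ip | tcp | udp
    src: str
    src_wc: str            # Cisco wildcard mask: a 1 bit means "don't care"
    sport: Optional[int]
    dst: str
    dst_wc: str
    dport: Optional[int]

class Packet(NamedTuple):
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

def wildcard_to_prefixlen(wildcard: str) -> int:
    """0.0.0.255 -> 24; 0.0.3.255 -> 22, the wildcard form of 255.255.252.0."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = 0
    while w & 1:          # count trailing "don't care" bits
        host_bits += 1
        w >>= 1
    if w:
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return 32 - host_bits

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard marks as 0 (the 'care' bits)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def _addr_spec(t: List[str], i: int) -> Tuple[str, str, Optional[int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    if t[i] == "any":
        base, wc, i = "0.0.0.0", "255.255.255.255", i + 1
    elif t[i] == "host":
        base, wc, i = t[i + 1], "0.0.0.0", i + 2
    else:
        base, wc, i = t[i], t[i + 1], i + 2
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
        i += 2
    return base, wc, port, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' (numbered ACL syntax)."""
    t = line.split()
    src, src_wc, sport, i = _addr_spec(t, 4)
    dst, dst_wc, dport, _ = _addr_spec(t, i)
    return Ace(t[2], t[3], src, src_wc, sport, dst, dst_wc, dport)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """'ip' matches every protocol; an entry without 'eq' matches every port."""
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.sport is None or pkt.sport == ace.sport)
            and (ace.dport is None or pkt.dport == ace.dport))

def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; the implicit 'deny ip any any' ends every Cisco ACL."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, line
    return "deny", "implicit deny ip any any"

# The 'out' ACL applied on interface Vlan101, exactly as quoted in the thread.
ACL_101_OUT = [
    "access-list 101 permit ip 10.1.0.0 0.0.0.255 any",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 any",
    "access-list 101 permit ip 10.1.2.0 0.0.0.255 any",
    "access-list 101 permit udp any any eq domain",
]
# Giuseppe's anti-spoofing 'in' ACL: sources inside 10.2.0.0/22, plus DHCP discover.
ACL_112_IN = [
    "access-list 112 permit ip 10.2.0.0 0.0.3.255 any",
    "access-list 112 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps",
]

if __name__ == "__main__":  # 10.1.3.7 is a hypothetical host; the other addresses are from the thread
    for p in (Packet("tcp", "10.1.0.11", 50000, "10.2.2.13", 3389),
              Packet("tcp", "10.1.3.7", 50000, "10.2.2.13", 3389),
              Packet("tcp", "172.16.3.1", 40000, "10.2.2.13", 3389)):
        print("out on Vlan101:", p.src, "->", p.dst, evaluate(ACL_101_OUT, p))
```

Widening the first entry's wildcard to 0.0.3.255 lets 10.1.3.7 through, which is the mask mismatch Giuseppe describes: the wildcard in an ACL must reflect the real subnet size, not a guessed /24.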
10-21-2012 08:04 PM
Hi Giuseppe and all :
Firstly, Giuseppe, thanks for your reply.
You corrected 10.2.0.0/252 to 10.2.0.0/22; I think I made a typo, typing 252 instead of 22. Thanks!
Back to the source of the problem: actually I used a server in front of a firewall with IP 172.16.3.1/25 to access 10.2.2.13/22, 10.2.2.14/22, 10.2.2.15/22 and 10.2.2.16/22.
All of them, when tested with ping, telnet to the port and remote desktop, are OK from this source address of 172.16.3.1.
The strange thing is that the application only has a problem with 10.2.2.13.
I intend to restart the switch (that is a possible course, but I am not sure) but it will affect production. The firewall already has the necessary allowed rules (NAT rule as well) and ports set.
Does anybody face a similar problem and manage this type of problem effectively?
Many thanks!
Best regards,
TangSuan Tan