HSRP and ACL configuration on Cisco 4506E

poi05291
Level 1

I have a question about HSRP and ACL configuration on Cisco 4506 and 4506E switches.

Initially, without HSRP enabled, I configured the following ACL on the VLAN 55 interface:

Extended IP access list vlan55
10 permit ip any 192.168.104.32 0.0.0.15
20 permit ip any 192.168.165.32 0.0.0.15

With this configuration, VLAN 55 could successfully ping VLAN 104.

However, after enabling HSRP, this ACL stopped working. After some testing, I modified the ACL to:

Extended IP access list vlan55
10 permit ip any 192.168.104.32 0.0.0.15 log
20 permit ip any 192.168.165.32 0.0.0.15 log
30 permit ip 192.168.104.32 0.0.0.15 any log
40 permit ip 192.168.165.32 0.0.0.15 any log
50 permit ip 172.1.22.0 0.0.0.255 172.1.22.0 0.0.0.255
60 permit udp any host 224.0.0.2 eq 1985
70 permit udp host 224.0.0.2 any eq 1985

With this new configuration, VLAN 55 can now ping VLAN 104 again. As you can see, I added bidirectional traffic rules and HSRP-specific rules.

Can someone explain why this change was necessary when HSRP was enabled? Why didn't the original ACL work with HSRP, and why does this new configuration solve the problem?

3 Replies

Giuseppe Larosa
Hall of Fame

Hello @poi05291 ,

there is an important detail missing: in which direction have you applied the extended ACL named vlan55?


if applied inbound with

int vlan 55
 ip access-group vlan55 in

the ACL will block HSRP hello packets sent by the neighbor in vlan 55.

the second piece of information missing is: what is the IP address of SVI interface vlan 55?

Are there  secondary IP addresses applied ?

In any case, a multicast IP address like the all-routers-on-segment address 224.0.0.2 can never be the IP source of an IP packet, so the following statement

70 permit udp host 224.0.0.2 any eq 1985

is useless and should have zero hits.

The best practices for inbound ACLs are:

allow traffic coming from the directly connected IP subnet(s), more than one if there are secondary IP addresses.

Having source any allows IP source spoofing attacks, so the first two statements are not ideal:

10 permit ip any 192.168.104.32 0.0.0.15 log
20 permit ip any 192.168.165.32 0.0.0.15 log

the following lines can be good if the subnets are associated with vlan55:

30 permit ip 192.168.104.32 0.0.0.15 any log
40 permit ip 192.168.165.32 0.0.0.15 any log

the next line:

50 permit ip 172.1.22.0 0.0.0.255 172.1.22.0 0.0.0.255

this is not useful if the ACL is applied to interface vlan55 (a routed ACL applied to the SVI):

traffic between hosts in the same subnet is bridged. A line like this can be used in a VACL, which is a feature applied to the L2 VLAN 55 broadcast domain.

Hope to help

Giuseppe
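The question above and Giuseppe's answer both turn on what an inbound ACL on the VLAN 55 SVI actually sees. The following is an added example, not code from the original post or from Cisco: a small first-match evaluator that parses the two ACLs quoted in the question and runs constructed packets through them in the direction "ip access-group vlan55 in" would see them. The VLAN 55 subnet 172.1.22.0/24, the peer's SVI address 172.1.22.2 and the host addresses are assumptions made for the example. It shows the peer's HSRPv1 hello (UDP to 224.0.0.2, port 1985) falling through to the implicit deny in the original ACL and being admitted by line 60 in the revised one, line 70 collecting no hits because 224.0.0.2 never appears as a source, and the "any" source in lines 10 and 20 admitting a packet whose source is not a VLAN 55 address at all.

```python
"""Added example: a first-match evaluator for the extended ACLs quoted above.

Packets are evaluated as 'ip access-group vlan55 in' on interface vlan 55 sees
them, i.e. entering the SVI from VLAN 55. The subnet 172.1.22.0/24, the HSRP
peer address 172.1.22.2 and all host addresses are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    proto: str                 # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # from 'eq <port>', None if absent

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at t[i]."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask after the slash, which is what a Cisco wildcard is
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'show ip access-lists' style lines: seq action proto src dst [eq port] [log]."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        src, i = _addr(t, 3)
        dst, i = _addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(seq, action, proto, src, dst, dport))  # a trailing 'log' is ignored
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """(action, seq) of the first matching entry; ('deny', None) is the implicit deny."""
    for e in acl:
        if e.matches(pkt):
            return e.action, e.seq
    return "deny", None


def hit_counts(acl: List[Entry], pkts: List[Packet]) -> Dict[int, int]:
    """Per-line match counters, like the '(N matches)' shown by show ip access-lists."""
    counts = {e.seq: 0 for e in acl}
    for p in pkts:
        _, seq = evaluate(acl, p)
        if seq is not None:
            counts[seq] += 1
    return counts


ORIGINAL_ACL = parse_acl("""
10 permit ip any 192.168.104.32 0.0.0.15
20 permit ip any 192.168.165.32 0.0.0.15
""")

REVISED_ACL = parse_acl("""
10 permit ip any 192.168.104.32 0.0.0.15 log
20 permit ip any 192.168.165.32 0.0.0.15 log
30 permit ip 192.168.104.32 0.0.0.15 any log
40 permit ip 192.168.165.32 0.0.0.15 any log
50 permit ip 172.1.22.0 0.0.0.255 172.1.22.0 0.0.0.255
60 permit udp any host 224.0.0.2 eq 1985
70 permit udp host 224.0.0.2 any eq 1985
""")

# Constructed packets, all entering SVI vlan 55 (addresses are assumptions).
HSRP_HELLO = Packet("udp", "172.1.22.2", "224.0.0.2", 1985)        # HSRPv1 hello from the peer
HOST_TO_VLAN104 = Packet("icmp", "172.1.22.10", "192.168.104.40")
SPOOFED_TO_VLAN104 = Packet("icmp", "10.9.9.9", "192.168.104.40")  # source not in VLAN 55
INBOUND_SAMPLE = [HSRP_HELLO, HOST_TO_VLAN104, SPOOFED_TO_VLAN104]

if __name__ == "__main__":
    for name, pkt in [("HSRP hello", HSRP_HELLO), ("host -> vlan104", HOST_TO_VLAN104),
                      ("spoofed -> vlan104", SPOOFED_TO_VLAN104)]:
        print(f"{name:20} original={evaluate(ORIGINAL_ACL, pkt)} revised={evaluate(REVISED_ACL, pkt)}")
    print("revised ACL hit counts:", hit_counts(REVISED_ACL, INBOUND_SAMPLE))
```

Run it as a script to print each verdict and the per-line hit counts. On the switch the equivalent check is show ip access-lists vlan55 (the per-line match counters) next to show standby: if the hello is dropped on both sides, each switch stops hearing its peer and elects itself active.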


Dear Giuseppe,

Thank you for your detailed analysis and suggestions. I appreciate your input and have made some changes based on your advice:

  1. ACL application: I have applied the ACL to interface VLAN 55 inbound.
  2. ACL modifications: Following your recommendations, I've updated the first two lines of the ACL to:
     10 permit ip 172.1.22.0 0.0.0.255 192.168.104.32 0.0.0.15
     20 permit ip 172.1.22.0 0.0.0.255 192.168.165.32 0.0.0.15
  3. Regarding lines 30 and 40: After testing, I've observed that these lines produce matches when VLAN 104 or VLAN 165 ping the gateway (VIP). Therefore, I've decided to keep these lines.
  4. Line 50: My tests show that this line produces a match when VLAN 55 pings the gateway (VIP), so I'm retaining this line as well.
  5. Line 60: This line shows matches in the lab when changing priority, allowing for active/standby switching.
  6. Line 70: As you correctly pointed out, this line was indeed useless, and I've removed it.

Thank you again for your helpful insights. Your expertise has been valuable in optimizing our ACL configuration.

Before HSRP there was one GW.

After HSRP, and without permitting HSRP in the ACL, there are two GWs.

This traffic drops because each host in a different VLAN uses a different GW.

Check that by show standby.

Check if both switches are in active status.

This case is called dual-active HSRP.

MHM
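MHM's check above can be scripted when there are many SVIs to look at. The following is an added example, not code from the thread or from Cisco: it parses the data rows of show standby brief captured on each of the two switches and reports every group that both sides claim to be Active in. The four captures are constructed to mimic the IOS show standby brief layout (the "P" column is present only when preemption is configured, so it is optional in the pattern); the interface, group, priorities and the addresses 172.1.22.1 through 172.1.22.3 are assumptions, not values from the poster's switches.

```python
"""Added example: flag HSRP groups that both switches report as Active.

The captures below are constructed to mimic 'show standby brief' output and
are not real output from the switches in the thread.
"""
import re
from typing import Dict, List, Tuple

# Data row: Interface Grp Pri [P] State Active Standby VirtualIP
_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?:P\s+)?"
    r"(?P<state>\S+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)$"
)


def parse_standby_brief(text: str) -> Dict[Tuple[str, int], Dict[str, str]]:
    """Map (interface, group) -> state/active/standby/vip; header and legend lines never match."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows[(m["intf"], int(m["grp"]))] = {
                "state": m["state"], "active": m["active"],
                "standby": m["standby"], "vip": m["vip"],
            }
    return rows


def dual_active_groups(capture_a: str, capture_b: str) -> List[Tuple[str, int]]:
    """Groups both switches claim to be Active in: each side has stopped seeing the other's hellos."""
    a, b = parse_standby_brief(capture_a), parse_standby_brief(capture_b)
    return sorted(k for k in a.keys() & b.keys()
                  if a[k]["state"] == "Active" and b[k]["state"] == "Active")


# Constructed captures (assumed SVI addresses 172.1.22.2 / 172.1.22.3, VIP 172.1.22.1).
SW1_OK = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl55        1    110 P Active  local           172.1.22.3      172.1.22.1
"""
SW2_OK = """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl55        1    90  P Standby 172.1.22.2      local           172.1.22.1
"""
# With hellos dropped by the inbound ACL, each switch elects itself and learns no standby.
SW1_DUAL = """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl55        1    110 P Active  local           unknown         172.1.22.1
"""
SW2_DUAL = """\
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl55        1    90  P Active  local           unknown         172.1.22.1
"""

if __name__ == "__main__":
    print("healthy pair:", dual_active_groups(SW1_OK, SW2_OK))
    print("dual-active :", dual_active_groups(SW1_DUAL, SW2_DUAL))
```

A healthy pair shows one Active and one Standby per group, with the other switch's address in the opposite column; when both report Active with an unknown standby, the fix is on the inbound ACL (permit UDP to 224.0.0.2 port 1985 for HSRPv1), not on the HSRP configuration.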