04-20-2012 07:08 AM - edited 03-07-2019 06:15 AM
Probably an easy fix but something's weird in my config.
I am setting up a new network, so this is not production yet. Here's the general idea.
Routed environment, down to the access layer using 3560-x l3 switches.
vlan 10: data
vlan 20: wifi
vlan 30: wifi guests
vlan 40: voip
My objective is to allow all traffic OUTBOUND to certain subnets (10.10.0.0/24, 10.10.100.0/24, 10.10.110.0/24, 10.10.120.0/24) and block any other 10.0.0.0/8 networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.
Extended IP access list VLAN10_TRAFFIC_FLOW
10 permit ip any 10.10.0.0 0.0.0.255
20 permit ip any 10.10.100.0 0.0.0.255
30 permit ip any 10.10.110.0 0.0.0.255
40 permit ip any 10.10.120.0 0.0.0.255
50 deny ip any 10.0.0.0 0.255.255.255 (5 matches)
60 deny ip any 172.16.0.0 0.0.255.255
70 permit ip any any
!
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW out
end
The problem is, from the above info, when I ping 10.10.0.5 from a workstation in VLAN 10, it should match rule 10, but instead it matches rule 50 (as shown by the 5 matches).
Makes no sense to me as the logic, addressing and wildcard masks seem ok. What am I doing wrong?
Thanks!
Marc
04-20-2012 07:32 AM
The flow direction on a Vlan is as follows:
If you have an ACL in the 'in' direction it will match 10.104.10.x/24 as the source
If you have an ACL in the 'out' direction it will match 10.104.10.x/24 as the destination
In your case, you are matching on the return traffic 10.0.0.0/8, thus you are seeing the expected result.
Regards,
Edison
04-20-2012 07:43 AM
I am actually working on this right now and while I understand my logic might be reversed, either way it doesn't match the traffic!
I reduced my ACL to 2 lines for testing and applied the ACL inbound and outbound to see if it was matching one way or the other. It matches neither...
If I ping 10.10.0.5, I should match the return traffic from this address and I get no match.
Extended IP access list VLAN10_TRAFFIC_FLOW
10 permit ip any 10.10.0.0 0.0.0.255
20 permit ip any any (1809 matches)
!
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW in
ip access-group VLAN10_TRAFFIC_FLOW out
end
04-20-2012 07:51 AM
The matches above are software counters and traffic leaving the switch are hardware switched.
The matches are on the return traffic. Can you change
permit ip any 10.10.0.0 0.0.0.255
with
deny ip any 10.10.0.0 0.0.0.255
I'm sure the ping will fail.
04-20-2012 07:57 AM
Nope. It still matches the permit any any.
And the traffic is routed out the switch through a routed port uplinked to the core switches.
04-20-2012 08:00 AM
Where are you pinging from?
You must ping from a workstation in Vlan 10
04-20-2012 08:01 AM
I am
04-20-2012 08:03 AM
Can you post the new ACL?
Can you post the entire config?
04-20-2012 08:44 AM
! Identification
hostname NETMTLALS04
!
! Host Name Resolution (Using Domain Controllers as DNS sources)
ip name-server 10.10.110.50
ip name-server 10.20.110.50
!
! Spanning-tree configuration as a fail-safe
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
udld aggressive
!
! VTP in Transparent Mode (Unused)
vtp mode transparent
!
! Security
no ip http server
no ip http secure-server
no service config
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
crypto key generate rsa general-keys modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
! Prevent SSH connections to point to point addresses
ip access-list extended SSH_Restrictions
deny tcp any 172.16.0.0 0.0.255.255 eq 22
permit ip any any
!
! DHCP security
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
ip dhcp snooping vlan 30
ip dhcp snooping vlan 40
!
! Local console configuration
line con 0
logging synchronous
exec-timeout 30 0
login authentication default
!
! Serial lines configuration
line vty 0 15
transport input ssh
transport output ssh
logging synchronous
exec-timeout 10 0
login authentication default
!
!========================================================================
!
! Resource management
memory reserve critical 4096
memory free low-watermark processor 20000
exception memory ignore overflow io
exception memory ignore overflow processor
!
!========================================================================
!
! Enable routing features
ip routing
!
! EIGRP Routing Protocol Configuration
router eigrp 751
eigrp log-neighbor-changes
eigrp stub
eigrp router-id 10.104.0.1
network 10.0.0.0
network 172.16.0.0
no auto-summary
passive-interface default
no passive-interface TenGigabitEthernet1/1
no passive-interface TenGigabitEthernet1/2
!
!========================================================================
!
interface range gigabitethernet 0/1 - 48
switchport
switchport access vlan 10
switchport voice vlan 40
switchport mode access
power inline never
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown
switchport port-security
ip access-group SSH_Restrictions in
!
interface tengigabitethernet 1/1
no switchport
ip authentication mode eigrp 751 md5
ip authentication key-chain eigrp 751 EIGRPKEYS
ip hello-interval eigrp 751 3
ip hold-time eigrp 751 10
load-interval 30
carrier-delay msec 0
ip summary-address eigrp 751 10.104.0.0 255.255.0.0
ip address 172.16.10.113 255.255.255.254
ip access-group SSH_Restrictions in
!
interface tengigabitethernet 1/2
no switchport
ip authentication mode eigrp 751 md5
ip authentication key-chain eigrp 751 EIGRPKEYS
ip hello-interval eigrp 751 3
ip hold-time eigrp 751 10
load-interval 30
carrier-delay msec 0
ip summary-address eigrp 751 10.104.0.0 255.255.0.0
ip address 172.16.10.213 255.255.255.254
ip access-group SSH_Restrictions in
!
interface loopback0
ip address 10.104.0.1 255.255.255.255
!
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW out
!
interface Vlan20
description WIFI Corp
ip address 10.104.20.1 255.255.255.0
ip access-group VLAN20_TRAFFIC_FLOW out
!
interface Vlan30
description WIFI Guests
ip address 10.104.30.1 255.255.255.0
ip access-group VLAN30_TRAFFIC_FLOW out
!
interface Vlan40
description VOIP
ip address 10.104.40.1 255.255.255.0
ip access-group VLAN40_TRAFFIC_FLOW out
!
!========================================================================
!
vlan 1
shutdown
vlan 10
name DATA
vlan 20
name WIFI
vlan 30
name WIFI_Guests
vlan 40
name VOIP
vlan 1000
name BLACKHOLE
!
!========================================================================
!
ip access-list extended VLAN10_TRAFFIC_FLOW
permit ip any 10.0.100.0 0.255.0.255
permit ip any 10.0.110.0 0.255.0.255
permit ip any 10.0.120.0 0.255.0.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN20_TRAFFIC_FLOW
permit ip any 10.0.100.0 0.255.0.255
permit ip any 10.0.110.0 0.255.0.255
permit ip any 10.0.120.0 0.255.0.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN30_TRAFFIC_FLOW
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN40_TRAFFIC_FLOW
permit ip any 10.0.40.0 0.255.0.255
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.255.255
permit ip any any
04-20-2012 09:32 AM
Let's start with Vlan 10,
Can you apply this configuration?
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW in
ip access-list extended VLAN10_TRAFFIC_FLOW
permit ip any 10.10.0.0 0.0.0.255
permit ip any 10.10.100.0 0.0.0.255
permit ip any 10.10.110.0 0.0.0.255
permit ip any 10.10.120.0 0.0.0.255
deny ip any 10.0.0.0 0.255.255.255
permit ip any any
04-20-2012 09:47 AM
I tried that already. I actually had both IN and OUT enabled and the show access-list didn't match either way. The only time I got a match was doing a traceroute, but pings don't match, nor do HTTP requests, etc...
The permits have a strange wildcard mask in the original config so i changed all the permits to "normal" masks for testing purpose as you can see in my initial post, to rule that out.
And actually, if I do the ip access-group IN like you suggest, I lose connectivity completely. All traffic coming in from the inside network on 10.104.10.x gets denied by the last line.
04-20-2012 10:46 AM
If you apply the access-list as I suggested, you shouldn't lose all connectivity. Only to 10/8 networks except the ones permitted.
The permit ip any any should cover the rest.
I just tested the concept in the lab and it works. Not sure about your setup.
04-20-2012 11:01 AM
Well, since my workstation is in VLAN10 (10.104.10.x), and to SSH to the switch I need access to the 10.104.0.1 (The loopback 0 is the interface used for management), I lose the connection to the switch.
That's what I meant by lose connectivity.
I added an ACL to allow that address...
If I traceroute to external routes, everything works, I see the counter go up in the access list matches, but pings are a no-show. Probably a bad tool to test against ACLs.
So in the end, it seems as if the issue was mostly with the IN vs OUT on my command. I'll update a few switches and post an update here. thanks for your help Much appreciated.
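The two points made in this thread, Edison's explanation of what "in" and "out" mean on an SVI and Marc's observation that the same ACL applied "in" cuts him off from the management loopback, can both be checked without a switch. The following is an added example, not code from the thread or from Cisco: a small first-match simulator of Cisco extended-ACL evaluation with wildcard masks, fed the ACL Marc posted. The workstation address 10.104.10.50 and the external address 203.0.113.10 are constructed for the example; 10.10.0.5 and the loopback 10.104.0.1 are from the thread. The "fixed" ruleset that permits the loopback ahead of the 10/8 deny is an assumption about what Marc added, not his posted config. Hardware forwarding is not modelled, so it does not reproduce the counter behaviour Edison mentions: on this platform only software-switched packets bump the ACE counters, and adding `log` to an ACE forces those packets to the CPU at a performance cost.

```python
"""Simulate Cisco extended ACLs on an SVI (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str   # 'permit' or 'deny'
    src: str      # 'any' or 'A.B.C.D W.X.Y.Z'
    dst: str


def _take_field(tokens):
    """Consume one address field: 'any', 'host A.B.C.D', or 'addr wildcard'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> list:
    """Parse 'seq permit|deny ip <src> <dst>' lines as printed by 'show access-lists'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        assert proto == "ip", "only 'ip' entries are modelled"
        src, rest = _take_field(tokens[3:])
        dst, _ = _take_field(rest)
        aces.append(Ace(seq, action, src, dst))
    return aces


def _field_match(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    base, wc = spec.split()
    return wildcard_match(addr, base, wc)


def evaluate(acl, src: str, dst: str):
    """First matching ACE wins; the implicit deny at the end is reported as seq 0."""
    for ace in acl:
        if _field_match(src, ace.src) and _field_match(dst, ace.dst):
            return ace.seq, ace.action
    return 0, "deny"


def svi_check(acl, direction: str, vlan_host: str, remote_host: str):
    """Model one packet of a flow between a host on the SVI's VLAN and a remote host.
    'in'  on the SVI sees packets entering the switch from the VLAN:  src = vlan_host
    'out' on the SVI sees packets leaving the switch towards the VLAN: dst = vlan_host
    """
    if direction == "in":
        return evaluate(acl, vlan_host, remote_host)
    if direction == "out":
        return evaluate(acl, remote_host, vlan_host)
    raise ValueError(f"unknown direction {direction!r}")


# Marc's ACL, as posted (hit counters stripped).
VLAN10_TRAFFIC_FLOW = parse_acl("""
10 permit ip any 10.10.0.0 0.0.0.255
20 permit ip any 10.10.100.0 0.0.0.255
30 permit ip any 10.10.110.0 0.0.0.255
40 permit ip any 10.10.120.0 0.0.0.255
50 deny ip any 10.0.0.0 0.255.255.255
60 deny ip any 172.16.0.0 0.0.255.255
70 permit ip any any
""")

# Assumed fix: same ACL applied 'in', with the management loopback permitted
# before the 10/8 deny so SSH from the VLAN to the switch keeps working.
VLAN10_TRAFFIC_FLOW_FIXED = parse_acl("""
5 permit ip any host 10.104.0.1
10 permit ip any 10.10.0.0 0.0.0.255
20 permit ip any 10.10.100.0 0.0.0.255
30 permit ip any 10.10.110.0 0.0.0.255
40 permit ip any 10.10.120.0 0.0.0.255
50 deny ip any 10.0.0.0 0.255.255.255
60 deny ip any 172.16.0.0 0.0.255.255
70 permit ip any any
""")

WORKSTATION = "10.104.10.50"   # constructed host in Vlan10
TARGET = "10.10.0.5"           # the address Marc pinged
LOOPBACK = "10.104.0.1"        # management loopback from the config


def report() -> dict:
    """Return the four cases discussed in the thread, keyed by description."""
    return {
        "posted ACL, out, reply from 10.10.0.5": svi_check(VLAN10_TRAFFIC_FLOW, "out", WORKSTATION, TARGET),
        "posted ACL, in, ping to 10.10.0.5": svi_check(VLAN10_TRAFFIC_FLOW, "in", WORKSTATION, TARGET),
        "posted ACL, in, SSH to loopback": svi_check(VLAN10_TRAFFIC_FLOW, "in", WORKSTATION, LOOPBACK),
        "fixed ACL, in, SSH to loopback": svi_check(VLAN10_TRAFFIC_FLOW_FIXED, "in", WORKSTATION, LOOPBACK),
    }


if __name__ == "__main__":
    for case, (seq, action) in report().items():
        print(f"{case:45s} -> seq {seq} {action}")
```

Run as a script it prints that the "out" ACL sends the reply from 10.10.0.5 to ACE 50 (destination 10.104.10.50 falls inside 10.0.0.0/8, exactly the 5 matches Marc saw), that the same ACL applied "in" hits ACE 10 as intended, and that "in" also denies 10.104.10.x to 10.104.0.1 until the loopback is permitted explicitly. `wildcard_match` can also be used to see what the 0.255.0.255 masks in the full config do: `permit ip any 10.0.100.0 0.255.0.255` matches 10.x.100.y for every value of x, not just 10.10.100.0/24.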
04-20-2012 01:03 PM
Try this solution, using VACL, for similar problem.
https://supportforums.cisco.com/message/3581383#3581383
thanks