intervlan vlan blocking by ACL

Hi,

I configured a Cisco Catalyst 4500 series switch. I have configured the ACL to block other traffic, but inter-VLAN traffic also got blocked.

Please assist me.

Configuration:

interface Vlan1
 description Transit_User_VLAN
 ip address 10.104.64.2 255.255.255.0
 ip access-group 1 in
 ip helper-address 10.104.39.21
 ip helper-address 10.104.120.21
 vrrp 1 ip 10.104.64.1

interface Vlan9
 description SG-WAN-VLAN
 ip address 10.104.99.1 255.255.255.0
 ip access-group 119 in
 vrrp 9 ip 10.104.99.1

access-list 1 deny   192.168.103.19
access-list 1 deny   192.168.1.254
access-list 1 permit any

access-list 119 permit udp any any eq bootps
access-list 119 permit udp any any eq bootpc
access-list 119 permit icmp any 10.104.99.0 0.0.0.255
access-list 119 deny   ip 10.104.99.0 0.0.0.255 any log
access-list 119 deny   ip 10.104.32.0 0.0.1.255 host 10.250.2.102 log
access-list 119 deny   ip 10.104.32.0 0.0.1.255 host 10.250.5.70 log
access-list 119 deny   ip 10.104.32.0 0.0.1.255 host 10.250.5.119 log
access-list 119 deny   ip 10.104.34.0 0.0.0.255 host 10.250.2.102 log
access-list 119 deny   ip 10.104.34.0 0.0.0.255 host 10.250.5.70 log
access-list 119 deny   ip 10.104.34.0 0.0.0.255 host 10.250.5.119 log
access-list 119 deny   ip 10.104.36.0 0.0.0.255 host 10.250.2.102 log
access-list 119 deny   ip 10.104.36.0 0.0.0.255 host 10.250.5.70 log
access-list 119 deny   ip 10.104.36.0 0.0.0.255 host 10.250.5.119 log
access-list 119 permit ip any any

8 REPLIES
Participant

Hi

how did you determine that inter-vlan traffic is being blocked?

I have connected to the access switches in VLAN 1 and VLAN 9 with PCs. When I try to ping the other side, I cannot ping; when I disable the ACL under the VLAN, I can ping the other side.

Participant

aydinnmu1 showed the answer

Beginner

hi,

When you apply an ACL on an SVI in the "in" direction, it affects the source network with that VLAN ID.

Host at VLAN 1 ------- SVI 1

Host at VLAN 9 ------- SVI 9

The inbound ACL takes effect when VLAN 9 communicates with other VLANs.

access-list 119 deny   ip 10.104.99.0 0.0.0.255 any log

This line blocks your communication.

Best regards.

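As an added example, not code from the thread: a small Python first-match simulator over a constructed copy of the poster's ACL 119, showing that an ICMP echo from a VLAN 9 host to a VLAN 1 host is matched by the deny line before the final permit ip any any ever gets a chance. The host addresses (10.104.99.50, 10.104.64.10) are assumed for illustration.

```python
import ipaddress

# Constructed copy of the poster's ACL 119 (applied "in" on interface Vlan9); offline simulator only.
ACL_119 = """
access-list 119 permit udp any any eq bootps
access-list 119 permit udp any any eq bootpc
access-list 119 permit icmp any 10.104.99.0 0.0.0.255
access-list 119 deny   ip 10.104.99.0 0.0.0.255 any log
access-list 119 deny   ip 10.104.32.0 0.0.1.255 host 10.250.2.102 log
access-list 119 permit ip any any
""".strip().splitlines()

PORT_NAMES = {"bootps": 67, "bootpc": 68}

_ip = lambda text: int(ipaddress.IPv4Address(text))

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (net, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _matches(ip, net, wildcard):
    # Cisco wildcard semantics: a set bit means "don't care" in that bit position.
    return ((_ip(ip) ^ net) & ~wildcard & 0xFFFFFFFF) == 0

def parse_ace(line):
    """Parse one numbered extended ACE; a trailing 'log' keyword is ignored."""
    t = line.split()
    action, proto = t[2], t[3]
    src_net, src_wc, rest = _addr_spec(t[4:])
    dst_net, dst_wc, rest = _addr_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return action, proto, (src_net, src_wc), (dst_net, dst_wc), dport

def evaluate(acl, src, dst, proto, dport=None):
    """First match wins, implicit deny last; 'ip' ACEs match any protocol, others only their own."""
    for line in acl:
        action, ace_proto, (snet, swc), (dnet, dwc), ace_port = parse_ace(line)
        if (ace_proto not in ("ip", proto) or not _matches(src, snet, swc)
                or not _matches(dst, dnet, dwc) or (ace_port is not None and ace_port != dport)):
            continue
        return action, line
    return "deny", "implicit deny ip any any"
```

The echo reply from VLAN 1 back to VLAN 9 would be checked by ACL 1 inbound on Vlan1, not by ACL 119, so the ping fails on the request, not the reply.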

Hi aydinnmu,

Thank you for trying to help me. I have attached the full config.

I have the inter-VLAN problems below. All use different ACLs; I couldn't find the root cause.

vlan 1 <-->vlan 9

vlan 1 <--> vlan 45

vlan 45 <--> vlan 9

vlan 45 <-->vlan 41

vlan 5 <--> vlan 99

Please help me to find the issue.

Thanks

Participant

Let's see..
vlan 1 <--> vlan 9
As the previous speaker said, this string blocks traffic:
access-list 119 deny ip 10.104.99.0 0.0.0.255 any log


vlan 1 <--> vlan 45
Everything should work; on interface vlan45 no ACL is applied.


vlan 45 <--> vlan 9
Also should work.

vlan 45 <--> vlan 41
In ACL 141 you actually blocked all traffic from hosts in vlan 41 going to the vlan 45 network 10.103.33.6, since there is no permit entry for this.


vlan 5 <--> vlan 99
vlan 5 does not exist in your configuration.
On interface vlan 99 you applied ACL 199; it permits only hosts from the vlan 99 network to visit just one host, 224.0.0.18.

Also your config is rather strange - the ACLs are organized without any logic, it seems you do not understand the IN and OUT directions. I would recommend using named extended ACLs everywhere - it will make sense to you later if you want to analyze or change something.

So many static routes - use dynamic routing! You will definitely get confused, and there will be administrative pain and overhead in future supporting this hell.


Hi. Actually, I know this configuration doesn't make sense. Our customer is migrating Foundry core switches to a Cisco core switch. As they required the same config as the Foundry switch, we don't have a choice to configure dynamic routing. Everything was fine when we migrated except the ACL.

Small correction: that is not vlan 5 <--> 99,

it's vlan 45 <--> 99.

Beginner

Hi,

I couldn't see any other problems except vlan 9.

But I think you should summarize these lines.

access-list 141 permit ip any 192.168.103.0 0.0.0.255
access-list 141 permit ip any 192.168.104.0 0.0.0.255
access-list 141 permit ip any 192.200.200.0 0.0.0.255
access-list 141 permit ip any 192.200.201.0 0.0.0.255
access-list 141 permit ip any 192.200.203.0 0.0.0.255
access-list 141 permit ip any 192.200.204.0 0.0.0.255
access-list 141 permit ip any 192.200.205.0 0.0.0.255
access-list 141 permit ip any 192.168.110.0 0.0.0.255
access-list 141 permit ip any 192.168.111.0 0.0.0.255
access-list 141 permit ip any 192.168.112.0 0.0.0.255

A wildcard mask is more flexible than a subnet mask. You can set more custom values. It seems more complicated and hard to read.

Best regards.
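Added example, not code from the thread: Python that summarizes the ten /24 destinations quoted above into the fewest exact wildcard entries (only adjacent, aligned blocks merge, so 192.200.203.0 and 192.168.103.0/104.0 stay on their own lines) and checks whether a hand-written wildcard such as 0.0.7.255 would permit networks the original list never allowed. The destination list is copied from the post; nothing else is assumed.

```python
import ipaddress

# Constructed from the ten 'access-list 141 permit ip any X 0.0.0.255' lines quoted above.
ACL_141_DESTS = [
    "192.168.103.0", "192.168.104.0",
    "192.200.200.0", "192.200.201.0", "192.200.203.0",
    "192.200.204.0", "192.200.205.0",
    "192.168.110.0", "192.168.111.0", "192.168.112.0",
]

def to_wildcard(net):
    """Render an IPv4Network in the 'address wildcard' form Cisco ACLs use."""
    return f"{net.network_address} {net.hostmask}"

def summarize(dest_24s):
    """Merge adjacent, aligned /24s into the fewest exact supernets.
    collapse_addresses never widens a range, so the result permits exactly the same space."""
    nets = [ipaddress.ip_network(f"{a}/24") for a in dest_24s]
    return [to_wildcard(n) for n in ipaddress.collapse_addresses(nets)]

def render(acl_number, entries):
    """Turn summarized entries back into numbered-ACL lines."""
    return [f"access-list {acl_number} permit ip any {e}" for e in entries]

def over_permitted(address, wildcard, intended_24s):
    """List the /24s that an 'address wildcard' entry admits beyond intended_24s.
    Only contiguous (CIDR-equivalent) wildcards are handled; a non-contiguous mask
    such as 0.0.5.255 raises, so it gets expanded by hand instead of guessed."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    net = ipaddress.ip_network(f"{address}/{32 - wc.bit_length()}", strict=False)
    intended = {ipaddress.ip_network(f"{a}/24") for a in intended_24s}
    if net.prefixlen > 24:  # narrower than a /24: only its parent /24 can be unintended
        parent = net.supernet(new_prefix=24)
        return [] if parent in intended else [str(parent)]
    return [str(n) for n in net.subnets(new_prefix=24) if n not in intended]
```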