04-06-2016 07:07 PM - edited 03-08-2019 05:16 AM
Hi,
I configured a Cisco Catalyst 4500 series switch. I have configured an ACL to block other traffic, but inter-VLAN traffic also got blocked.
Please assist me.
Configuration:
interface Vlan1
 description Transit_User_VLAN
 ip address 10.104.64.2 255.255.255.0
 ip access-group 1 in
 ip helper-address 10.104.39.21
 ip helper-address 10.104.120.21
 vrrp 1 ip 10.104.64.1

interface Vlan9
 description SG-WAN-VLAN
 ip address 10.104.99.1 255.255.255.0
 ip access-group 119 in
 vrrp 9 ip 10.104.99.1

access-list 1 deny 192.168.103.19
access-list 1 deny 192.168.1.254
access-list 1 permit any

access-list 119 permit udp any any eq bootps
access-list 119 permit udp any any eq bootpc
access-list 119 permit icmp any 10.104.99.0 0.0.0.255
access-list 119 deny ip 10.104.99.0 0.0.0.255 any log
access-list 119 deny ip 10.104.32.0 0.0.1.255 host 10.250.2.102 log
access-list 119 deny ip 10.104.32.0 0.0.1.255 host 10.250.5.70 log
access-list 119 deny ip 10.104.32.0 0.0.1.255 host 10.250.5.119 log
access-list 119 deny ip 10.104.34.0 0.0.0.255 host 10.250.2.102 log
access-list 119 deny ip 10.104.34.0 0.0.0.255 host 10.250.5.70 log
access-list 119 deny ip 10.104.34.0 0.0.0.255 host 10.250.5.119 log
access-list 119 deny ip 10.104.36.0 0.0.0.255 host 10.250.2.102 log
access-list 119 deny ip 10.104.36.0 0.0.0.255 host 10.250.5.70 log
access-list 119 deny ip 10.104.36.0 0.0.0.255 host 10.250.5.119 log
access-list 119 permit ip any any
Labels: LAN Switching
Accepted Solutions
04-07-2016 12:30 AM
Hi,
When you apply an ACL to an SVI in the "in" direction, it applies to traffic whose source network is that SVI's VLAN.
Host at VLAN 1 ------- SVI 1
Host at VLAN 9 ------- SVI 9
The inbound ACL affects VLAN 9's communication to other VLANs.
access-list 119 deny ip 10.104.99.0 0.0.0.255 any log
This line blocks your communication.
Best regards.
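To make the accepted answer concrete, here is an added example (not from the thread or from Cisco): a small Python model of IOS first-match ACL evaluation, run on a constructed subset of ACL 119 as it is checked inbound on SVI 9. It assumes only destination ports are matched (as in the posted ACL) and reports the line's position within this subset, not an IOS sequence number.

```python
import ipaddress
# Constructed copy of part of ACL 119 from the thread: the lines that decide the
# VLAN 9 case plus one wildcard line, in the posted order.
ACL_119 = """
access-list 119 permit udp any any eq bootps
access-list 119 permit icmp any 10.104.99.0 0.0.0.255
access-list 119 deny ip 10.104.99.0 0.0.0.255 any log
access-list 119 deny ip 10.104.32.0 0.0.1.255 host 10.250.2.102 log
access-list 119 permit ip any any
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one IOS address spec ('any', 'host X', 'X wildcard') -> (net, wc)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port] [log]' lines.
    Assumption: only a destination port is matched, as in the posted ACL."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)  # left to right: src is consumed first
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def _match(addr, net, wc):
    """Wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    return ((addr & ~wc) & 0xFFFFFFFF) == ((net & ~wc) & 0xFFFFFFFF)

def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """First match wins, then implicit deny, as on IOS. Returns (action, line)."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for n, (action, p, (sn, sw), (dn, dw), port) in enumerate(entries, 1):
        if p in ("ip", proto) and _match(s, sn, sw) and _match(d, dn, dw):
            if port is None or port == dst_port:
                return action, n
    return "deny", None  # implicit deny at the end of every IOS ACL
ENTRIES = parse_acl(ACL_119)
```

An echo request from a VLAN 9 host (10.104.99.50) to a VLAN 1 host (10.104.64.10) skips the icmp line, whose destination is the VLAN 9 network, and hits the "deny ip 10.104.99.0 0.0.0.255 any" line; the echo reply for a ping started from VLAN 1 is denied the same way, so the ping fails in both directions.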
04-07-2016 02:16 AM
Let's see..
vlan 1 <--> vlan 9
As the previous speaker said, this string blocks traffic:
access-list 119 deny ip 10.104.99.0 0.0.0.255 any log
vlan 1 <--> vlan 45
Everything should work; no ACL is applied on interface vlan45.
vlan 45 <--> vlan 9
Also should work.
vlan 45 <--> vlan 41
In ACL 141 you actually blocked all traffic from hosts in vlan 41 going to vlan 45 network 10.103.33.6, since there is no permit entry for this.
vlan 5 <--> vlan 99
vlan 5 does not exist in your configuration.
On interface vlan 99 you applied ACL 199; it permits only hosts from the vlan 99 network to visit just one host, 224.0.0.18.
Also your config is rather strange - the ACLs are organized without any logic; it seems you do not understand IN and OUT directions. I would recommend using named extended ACLs everywhere - it will make sense to you later if you want to analyze or change something.
So many static routes - use dynamic routing! You will definitely get confused, and there will be administrative pain and overhead in future supporting this hell.

04-07-2016 12:09 AM
Hi,
How did you determine that inter-VLAN traffic is being blocked?
04-07-2016 12:31 AM
I have connected PCs to the access switches in VLAN 1 and VLAN 9. When I try to ping the other side, it cannot ping; when I disable the ACL under the VLAN, I can ping the other side.
04-07-2016 12:33 AM
aydinnmu1 showed the answer.
04-07-2016 01:32 AM
Hi aydinnmu,
Thank you for trying to help me. I have attached the full config.
I have the inter-VLAN problems below. All are different ACLs; I couldn't find the root cause.
vlan 1 <--> vlan 9
vlan 1 <--> vlan 45
vlan 45 <--> vlan 9
vlan 45 <--> vlan 41
vlan 5 <--> vlan 99
Please help me to find the issue.
Thanks
04-07-2016 08:00 AM
Hi. Actually, I know this configuration doesn't make sense. Our customer is migrating Foundry core switches to a Cisco core switch. As they required the same config as the Foundry switch, we don't have a choice to configure dynamic routing. Everything was fine when we migrated, except the ACLs.
Small correction: that is not vlan 5 <--> 99,
it's vlan 45 <--> 99.
04-07-2016 02:33 AM
Hi,
I couldn't see any other problems except vlan 9.
But I think you should summarize these lines:
access-list 141 permit ip any 192.168.103.0 0.0.0.255
access-list 141 permit ip any 192.168.104.0 0.0.0.255
access-list 141 permit ip any 192.200.200.0 0.0.0.255
access-list 141 permit ip any 192.200.201.0 0.0.0.255
access-list 141 permit ip any 192.200.203.0 0.0.0.255
access-list 141 permit ip any 192.200.204.0 0.0.0.255
access-list 141 permit ip any 192.200.205.0 0.0.0.255
access-list 141 permit ip any 192.168.110.0 0.0.0.255
access-list 141 permit ip any 192.168.111.0 0.0.0.255
access-list 141 permit ip any 192.168.112.0 0.0.0.255
A wildcard mask is more flexible than a subnet mask. You can set more custom values. It seems more complicated and hard to read.
Best regards.
