LOCAL ROUTING ISSUES

al_fredo79
Level 1

Hi everyone, I came across an issue I did not expect and honestly I do not know how I can resolve it without impacting the whole network design.

 

Basically I have three VLANs, 10, 20 and 30, with their respective subnets: 172.28.28.0/24, 172.28.29.0/24 and 172.28.30.0/24.

 

Everything is working fine so far. Thing is that we set the configuration of a NIC card on a PC within the vlan 20 whose IP address is 172.28.29.10 and by mistake we set the subnet mask to a 255.255.0.0 instead of a /24 as it should be.

 

Our problem is that we can ping all the vlans even if we set a wrong subnet mask.

 

Is it possible to filter traffic from the /16 mask while allowing traffic from the /24 mask?

 

Topology is: three access switches (one for each VLAN) connected by trunk to an L3 switch on which there are three SVI interfaces performing inter-VLAN routing.

 

Thanks in advance


7 Replies

Hello,

 

use an access list. The order is important: if you allow the 172.16.x.0/24 network in the first statement, and then deny 172.16.0.0/16 in the next, the /24 network will be allowed.

 

If you don't know how to do that, post the running configuration of your L3 switch, and indicate what exactly you want to block, and what to allow.

Hello George,

First of all, thanks a lot for your response.

Well, unfortunately it does not work when configuring an access list (see below the config on the L3 switch).
sh access-lists
Extended IP access list 125
10 permit ip 172.28.29.0 0.0.0.255 any (476 matches) << This is OK, perfect!!
20 deny ip 172.28.0.0 0.0.255.255 any << not working. The PC can still ping other VLANs even if we do not set the default gateway on the NIC card of the PC (Windows).

For example, if we set the NIC card of the PC with an IP 172.28.29.10/16 instead of /24 as it should be, routing still works, but it is not the expected behavior. Only hosts within 172.28.29.x/24 should be able to route.
SVI config on L3-SWITCH
interface Vlan20
ip address 172.28.29.1 255.255.255.0 << default GW for vlan 20
ip access-group 125 in
end

SW-STACK#sh run interface vlan 30
Building configuration...

Current configuration : 62 bytes
!
interface Vlan30
ip address 172.28.30.1 255.255.255.0 << default gw vlan 30
end

SW-STACK#sh run interface vlan 40
Building configuration...

Current configuration : 62 bytes
!
interface Vlan40
ip address 172.28.31.1 255.255.255.0 << default GW vlan 40.

Is it possible that the problem could be that this is a continuous /16 network, so that even if we set a /16 (by mistake) PCs can still communicate with other PCs in other VLANs as if they were in the same L2 broadcast domain?
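The access list shown above is evaluated top-down against the source address in each packet, and the IP header carries no subnet mask at all, so an ACL cannot tell a /16 host from a /24 host. The following Python model, added here as an illustration and not part of the thread or of Cisco IOS, implements Cisco wildcard-mask matching and evaluates access list 125 in order; the host addresses and the swapped-order variant are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry in Cisco 'network wildcard' notation."""
    seq: int
    action: str      # "permit" or "deny"
    network: str     # e.g. "172.28.29.0"
    wildcard: str    # Cisco wildcard: a 1 bit means "don't care"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src_ip: str):
    """Walk the ACL top-down; the first matching entry decides.

    Only the source IP is examined because that is all a packet carries:
    the configured subnet mask of the sending host is not in the header.
    Returns (action, sequence) or ("deny", None) for the implicit deny.
    """
    for ace in acl:
        if wildcard_match(src_ip, ace.network, ace.wildcard):
            return ace.action, ace.seq
    return "deny", None


# Access list 125 exactly as posted in the thread: permit the /24, then deny the /16.
ACL_125 = [
    Ace(10, "permit", "172.28.29.0", "0.0.0.255"),
    Ace(20, "deny", "172.28.0.0", "0.0.255.255"),
]

# Constructed variant with the two entries swapped, to show the ordering effect.
ACL_125_SWAPPED = [ACL_125[1], ACL_125[0]]


def demo():
    """Constructed sources: the misconfigured PC (/16 on the NIC), a VLAN 30 host, an outsider."""
    return {
        # The /16 PC still sources packets from 172.28.29.10, so entry 10 matches first.
        "pc_with_wrong_mask": evaluate(ACL_125, "172.28.29.10"),
        # A host in another 172.28 subnet falls through to entry 20.
        "vlan30_host": evaluate(ACL_125, "172.28.30.50"),
        # Anything else hits the implicit deny at the end of the list.
        "outsider": evaluate(ACL_125, "10.1.1.1"),
        # With the deny first, the /24 is shadowed and 172.28.29.x is dropped too.
        "pc_with_swapped_acl": evaluate(ACL_125_SWAPPED, "172.28.29.10"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The output makes the two points in the discussion concrete: entry 20 can never match a 172.28.29.x source because entry 10 precedes it, and no reordering helps, because the mask the PC was configured with is simply not visible to the switch.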

Hello

Not sure I understand. Please confirm:

You set a subnet mask on a single host PC which incorporates a /16 network range instead of a /24, and you wish to stop this host from pinging or accessing your whole network?

So why would this single act impact your whole network? Are you wanting to limit access between your VLANs and deny anything else?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, first of all I would like to thank you for your time.

Well, the main concern is about design/security, in terms of avoiding someone having access to the network through a misconfiguration of the NIC card. I mean, only devices on 172.28.29.0/24 should be able to communicate with devices in other VLANs.
I guess the problem is that all three VLAN subnets begin with 172.28.x.x/24, so if by mistake (as has happened) a device is set with an IP address 172.28.x.x/16, that device would have access to all three VLANs. I guess it should not be like that; otherwise we could have chosen one subnet 172.28.x.x/16, meaning one broadcast domain. Instead there are three different broadcast domains, and it is better if it remains like that unless we cannot find a workaround to avoid access from a misconfigured device using a classful network mask.
Unfortunately, the access list as I posted before does not work, neither does VLAN filtering, so sincerely I do not know how to go on.
Thanks for your support; if you could kindly guide me or suggest how we can resolve this issue, it would be great.

If I am understanding correctly the issue with the access list is that as configured the access list is checking for an incorrectly configured IP address (looking for a source address that is not in 172.28.29). But the problem is not about the configured address but is about the mask. I do not know of a way to use an access list and detect anything about the configured mask.

 

In reading the discussion I wondered if the issue might be that the PC configured with a /16 would simply arp for destinations, and if it received an arp response then it simply forwards the packets with the appropriate host mac address (which avoids the IP forwarding logic of the interface). If this really is the issue then perhaps the solution would be to disable proxy arp on the interface. This would allow arp to locally connected devices but not to devices in other subnets.

 

But as I think about the original post I am not at all clear about what the problem really is. We have this statement "Our problem is that we can ping all the vlans even if we set a wrong subnet mask". Does that imply that there are some destinations that should not be reachable from 172.28.29? If so please identify what these destinations are. Once we know what destinations should not be reachable it should be possible to write an access list that will deny access to those destinations and permit access to others. Please provide clarification about what the problem really is.

 

HTH

 

Rick

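Rick's explanation above is about the host's forwarding decision rather than the switch's ACL: a PC with a /16 mask believes every 172.28.x.x address is on its own link and ARPs for it directly, and an SVI with proxy ARP enabled answers that ARP on behalf of any destination it has a route to. The Python model below is an added example, not code from the thread or from any vendor; it models that decision and the SVI's ARP behaviour with and without proxy ARP. The host addresses, the "other VLAN" destination 172.28.30.50 and the route table are constructed for the example, and the model deliberately ignores everything after the ARP step (routing and ACLs), because that is where the thread's two hosts already diverge.

```python
import ipaddress


class Host:
    """Minimal model of an end host's IPv4 forwarding decision."""

    def __init__(self, ip, prefix_len, gateway=None):
        # ip_interface accepts host bits, so a misconfigured "/16" is representable.
        self.iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def next_hop(self, dst):
        """Return the address the host will ARP for, or None if it cannot send."""
        dst = ipaddress.ip_address(dst)
        if dst in self.iface.network:
            return dst           # believed on-link: ARP for the destination itself
        return self.gateway      # off-link: ARP for the default gateway (None if unset)


class Svi:
    """Model of the L3 switch's SVI answering ARP on its VLAN."""

    def __init__(self, ip, prefix_len, routes, proxy_arp=True):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
        self.routes = [ipaddress.ip_network(r) for r in routes]
        self.proxy_arp = proxy_arp

    def answers_arp(self, target):
        """True if the SVI replies to an ARP request for `target` with its own MAC."""
        target = ipaddress.ip_address(target)
        if target == self.iface.ip:
            return True          # its own address: always answered
        if not self.proxy_arp or target in self.iface.network:
            return False         # proxy ARP off, or target belongs on this VLAN anyway
        # Proxy ARP: answer for any off-link destination the switch can route to.
        return any(target in route for route in self.routes)


def can_reach(host, svi, dst, local_hosts):
    """Can `host` get a first packet to `dst` off its VLAN? (ARP stage only.)"""
    nh = host.next_hop(dst)
    if nh is None:
        return False             # no gateway and dst is off-link: nothing to ARP for
    if nh in {ipaddress.ip_address(h) for h in local_hosts}:
        return True              # a real host on this VLAN answers the ARP
    return svi.answers_arp(nh)   # otherwise only the SVI could answer


def scenarios():
    """Constructed topology mirroring the thread: VLAN 20 SVI 172.28.29.1/24."""
    routes = ["172.28.28.0/24", "172.28.29.0/24", "172.28.30.0/24"]
    vlan20_hosts = ["172.28.29.20"]                 # a correctly configured neighbour
    bad_host = Host("172.28.29.10", 16)             # wrong mask, no default gateway
    good_host = Host("172.28.29.11", 24, "172.28.29.1")
    proxy_on = Svi("172.28.29.1", 24, routes, proxy_arp=True)
    proxy_off = Svi("172.28.29.1", 24, routes, proxy_arp=False)
    other_vlan = "172.28.30.50"
    return {
        "bad_host_proxy_on": can_reach(bad_host, proxy_on, other_vlan, vlan20_hosts),
        "bad_host_proxy_off": can_reach(bad_host, proxy_off, other_vlan, vlan20_hosts),
        "good_host_proxy_off": can_reach(good_host, proxy_off, other_vlan, vlan20_hosts),
        "bad_host_same_vlan": can_reach(bad_host, proxy_off, "172.28.29.20", vlan20_hosts),
    }


if __name__ == "__main__":
    for name, reachable in scenarios().items():
        print(f"{name:22s} -> {'reachable' if reachable else 'blocked'}")
```

With proxy ARP on, the /16 host reaches the other VLAN even with no gateway configured, which is exactly the symptom reported; with proxy ARP off it is cut off, while a correctly configured /24 host (which ARPs for the gateway) and same-VLAN traffic are unaffected. The SVI's own address, and therefore legitimate routed traffic and the ACL applied to it, are untouched by the change.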

Hi Richard,

 

First of all, I would like to thank you for your support and for your time, thanks a lot.

 

It seems that you understood the issue well, because when I applied the config that you thought might work (disabling proxy ARP), well, guess what, it worked!!!

 

So after performing further tests, once a misconfigured netmask is set on any PC of the 172.28.29.x/24 subnet, it does not reach any other subnet, as expected; only a correct subnet mask setting will do.

 

With regards to inter-VLAN routing, I should say that it is working fine, applying the proper access list to allow/deny traffic from other subnets as per design requirements.

 

Well, Richard, what else can I say? TOP PLAYER.

 

Muchas Gracias

You are welcome. I am glad that our suggestions have been helpful. One of the benefits of this community is that you may have several people looking at the issue and offering their perspective. In my experience several sets of eyes looking at it are frequently beneficial. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick
