Random ACL blocking on L3 Switch

I have a number of VLANs that are configured to have access between them. One of my VLANs has its L3 interface and routing configured to basically allow all traffic from all other VLANs that it knows, but it has a deny on anything that does not match the IP for anything else.


The switch is a dual C3850 48XS in StackWise Virtual.

VLAN XYZ: 192.168.3.0/24 (Int VLAN XYZ 192.168.3.1)

VLAN ABC: 192.168.1.0/24 (Int VLAN ABC 192.168.1.1)

ACL example:

Extended IP access list XYZ
    10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    999 deny ip any any log


The problem I am having is that once it is implemented, some hosts (ESXi) on the ABC VLAN lose their ability to connect with machines on the XYZ VLAN. From about half of the ABC hosts, I can successfully ping anything on the XYZ VLAN. The other half are unable to.

Disabling the ACL fixes the issue. I'm stumped as to what is causing this. Sorry I can't post actual outputs from the switch.

 

Regards,

-Andrew

Re: Random ACL blocking on L3 Switch

How about also adding another entry for the return traffic, like the test below, and let us know. (Not sure where you applied this ACL; can you provide more information?)

Or try the example below:

Extended IP access list XYZ
    10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    999 deny ip any any log

BB
Re: Random ACL blocking on L3 Switch

I have done that also, without any luck.

Oddly, if I extend the network to a class B, like this:

 

10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255

 

It works. I thought perhaps I am routing strangely or something, but I tried adding literally every subnet I have in my network individually with rules, and it isn't until I expand the network to a class B that it seems to work.

I don't think that this is a legitimate solution to my problem, as I would like to be more granular with my rulesets.

 

Also, my L3 interface ACL is configured as an inbound rule, like this:

ip access-group XYZ in

Additionally, the ABC VLAN does not have any ACLs applied to it presently.
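The access-list behaviour discussed in this post and in the original one, as an added example that is not code from the thread: a small Python evaluator for IOS extended ACL entries (wildcard masks, `host`, `any`, first-match semantics with the implicit trailing deny), used to check which flows the two versions of access list XYZ permit when the list is applied with `ip access-group XYZ in` on the XYZ SVI. The host addresses in the block are constructed; 192.168.2.20 in particular is a hypothetical source address outside the ABC subnet, used only to show what the /24 and /16 entries do differently, and nothing in the thread establishes that such an address is involved.

```python
"""Offline evaluator for simple Cisco IOS extended ACL entries (ip-only).

Added example, not code from the thread. It models first-match semantics of
an IOS access list so the ACLs discussed above can be tested against
candidate flows before touching the switch.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class AclEntry(NamedTuple):
    seq: int
    action: str                      # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    log: bool


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into a network.

    Wildcard bits set to 1 are 'don't care'. Only contiguous wildcards
    (0.0.0.255, 0.0.255.255, ...) are handled; IOS also accepts
    discontiguous ones, which this helper rejects rather than misreads.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:                  # w + 1 must be a power of two
        raise ValueError(f"discontiguous wildcard not supported: {wildcard}")
    prefixlen = 33 - (w + 1).bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one source or destination specifier from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines of the form '<seq> permit|deny ip <src> <dst> [log]'.

    Header lines such as 'Extended IP access list XYZ' are skipped.
    """
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if not tokens or not tokens[0].isdigit():
            continue
        if len(tokens) < 4 or tokens[2] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {raw!r}")
        seq, action = int(tokens[0]), tokens[1]
        src_net, rest = _take_address(tokens[3:])
        dst_net, rest = _take_address(rest)
        entries.append(AclEntry(seq, action, src_net, dst_net, "log" in rest))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[Optional[int], str]:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if s in e.src_net and d in e.dst_net:
            return e.seq, e.action
    return None, "deny"


def ping_from_abc_allowed(acl_in_on_xyz: List[AclEntry], abc_host: str, xyz_host: str) -> bool:
    """Model 'ip access-group XYZ in' on interface Vlan XYZ.

    An inbound ACL on an SVI filters packets the switch receives from that
    VLAN. For a ping started on VLAN ABC the echo request enters on the ABC
    SVI (no ACL there, per the thread) and only the echo reply, sourced by
    the XYZ host, is checked. So the flow that has to be permitted is
    xyz_host -> abc_host, not the other way round.
    """
    _, verdict = evaluate(acl_in_on_xyz, src=xyz_host, dst=abc_host)
    return verdict == "permit"


# The two versions of the list from the thread (entries only).
ACL_XYZ_24 = parse_acl("""
Extended IP access list XYZ
10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
999 deny ip any any log
""")
ACL_XYZ_16 = parse_acl("""
10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
999 deny ip any any log
""")

if __name__ == "__main__":
    # Constructed addresses: 192.168.1.20 is an ABC host, 192.168.3.10 an XYZ
    # host, and 192.168.2.20 is a hypothetical source outside the ABC subnet
    # (the thread does not say any host actually uses such an address).
    for name, acl in (("/24 entry", ACL_XYZ_24), ("/16 entry", ACL_XYZ_16)):
        for abc in ("192.168.1.20", "192.168.2.20"):
            seq, verdict = evaluate(acl, "192.168.3.10", abc)
            ok = ping_from_abc_allowed(acl, abc, "192.168.3.10")
            print(f"{name}: reply 192.168.3.10 -> {abc}: line {seq} {verdict};",
                  "ping from ABC succeeds" if ok else "ping from ABC fails")
```

Running it shows that with the /24 entry the echo reply to a destination inside 192.168.1.0/24 is permitted by line 10, while a reply to any other 192.168.x.x destination falls through to line 999; the /16 entry permits both, which is consistent with what the poster observed without saying why only some hosts are affected. Because the list is applied inbound on interface Vlan XYZ, an entry whose source is the ABC subnet (like line 20 in the earlier suggestion) is consulted only for packets arriving from VLAN XYZ that carry an ABC source address, so it normally matches nothing. The simulator is for reasoning about the list; the hit counters from `show access-lists XYZ` and the syslog entries the `log` keyword produces on line 999 (which include the source and destination of the denied packets) remain the authoritative record of what actually matched on the switch.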
Re: Random ACL blocking on L3 Switch

As per your description in the original post, you mentioned a number of VLANs in the network.

ESXi, or the VM applications it hosts, may require communication with other IP addresses?

Can you post the complete configuration and tell us which port ESXi is connected to, and also what the IP range inside ESXi is, if not .3.X?

 

BB