cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
818
Views
0
Helpful
3
Replies
Highlighted
Beginner

Random ACL blocking on L3 Switch

I have a number of VLANs that are configured to have access between them. One of my VLANs has it's L3 interface and routing configured to basically allow all traffic from all other VLANs that it knows, but it has a deny on anything that does not match the IP for anything else.

 

Switch is dual C3850 48XS in Stackwise Virtual.

 

VLAN XYZ: 192.168.3.0/24 (Int VLAN XYZ 192.168.3.1)

VLAN ABC: 192.168.1./24 (Int VLAN ABC 192.168.1.1)

 

 

ACL Example:

Extended IP Access-List XYZ

10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

999 deny ip any any log

 

The problem I am having is that once implemented, some hosts (ESXi) on the ABC vlan lose their ability to connect with machines on the XYZ vlan. On about half of the ABC hosts, I can ping sucessfully anything on the XYZ VLAN. But the other half, are unable. 

 

Disabling the ACL fixes the issue. I'm stumped what is causing this. Sorry I cant post actual outputs from the switch. 

 

Regards,

-Andrew

3 REPLIES 3
Highlighted
VIP Expert

how about adding another source also return traffic like the below test and let us know. (not sure where you applied this ACL, ( can you provide more information)

 

or try below example :

 

 

Extended IP Access-List XYZ

10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

999 deny ip any any log



BB


*** Rate All Helpful Responses ***

Highlighted

I have done that also without any luck. 

 

Oddly, If I extend the network to a class B, like this: 

 

10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255

 

It works. I thought perhaps maybe I am routing strangely or something, but I tried adding literally every subnet I have in my network individually with rules, and it isn't until I expand the network to a class B that it seems to work.

 

I dont think that this is a legitimate solution to my problem, as I would like to be more granular with my rulesets.

 

Also my L3 interface ACL is configured as an inbound rule like this:

 

ip access-group XYZ in

 

Additionally the ABC Vlan does not have any ACLs applied to it presently.

 

Highlighted

As per your description, you have mentioned the original post, number VLAN in the network.

 

Esxi / or under VM application hosting may require other IP address communication? 

 

can you post complete configuration and tell us what port Esxi connected and what is the IP range inside ESXI also ? if not .3.X ?

 



BB


*** Rate All Helpful Responses ***

Content for Community-Ad