01-20-2020 11:37 AM
I have a number of VLANs that are configured to have access between them. One of my VLANs has its L3 interface and routing configured to basically allow all traffic from all other VLANs that it knows, but it has a deny on anything that does not match the IP for anything else.
Switch is dual C3850 48XS in Stackwise Virtual.
VLAN XYZ: 192.168.3.0/24 (Int VLAN XYZ 192.168.3.1)
VLAN ABC: 192.168.1.0/24 (Int VLAN ABC 192.168.1.1)
ACL Example:
Extended IP Access-List XYZ
10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
999 deny ip any any log
The problem I am having is that once implemented, some hosts (ESXi) on the ABC VLAN lose their ability to connect with machines on the XYZ VLAN. On about half of the ABC hosts, I can ping successfully anything on the XYZ VLAN. But the other half are unable.
Disabling the ACL fixes the issue. I'm stumped what is causing this. Sorry I can't post actual outputs from the switch.
Regards,
-Andrew
01-20-2020 11:47 AM
How about also adding another source for the return traffic, like the test below, and let us know. (Not sure where you applied this ACL; can you provide more information?)
Or try the example below:
Extended IP Access-List XYZ
10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
999 deny ip any any log
01-20-2020 02:03 PM - edited 01-20-2020 02:10 PM
I have done that also without any luck.
Oddly, if I extend the network to a class B, like this:
10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
It works. I thought perhaps I am routing strangely or something, but I tried adding literally every subnet I have in my network individually with rules, and it isn't until I expand the network to a class B that it seems to work.
I don't think that this is a legitimate solution to my problem, as I would like to be more granular with my rulesets.
Also my L3 interface ACL is configured as an inbound rule like this:
ip access-group XYZ in
Additionally, the ABC VLAN does not have any ACLs applied to it presently.
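An added Python example (my own, not code from any poster in this thread) that models how the posted ACL is evaluated: Cisco wildcard masks, first match wins, implicit deny at the end, and the fact that an ACL applied "in" on the VLAN XYZ SVI only sees packets entering the switch from VLAN XYZ hosts, so for a ping from ABC to XYZ it is the echo reply (XYZ -> ABC) that gets filtered. The host addresses, the 192.168.3.50 XYZ host and the 192.168.10.5 host outside the /24 are constructed sample values used to compare what the /24 and the class B versions of line 10 permit.

```python
"""Evaluate a Cisco-style extended IP ACL against sample flows.

Constructed illustration for the thread above; the sample host addresses
are made up and do not come from the original posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AclEntry:
    seq: int
    action: str          # "permit" or "deny"
    src: str             # "<network> <wildcard>" or "any"
    dst: str
    log: bool = False


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wc = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any', 'host X', or 'X wildcard'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'show access-lists' style lines; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        seq, action, rest = int(parts[0]), parts[1], parts[3:]  # parts[2] is the protocol
        log = bool(rest) and rest[-1] == "log"
        if log:
            rest = rest[:-1]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        entries.append(AclEntry(seq, action, src, dst, log))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry decides; every Cisco ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            return e.action, e.seq
    return "deny", None


def ping_allowed(entries: List[AclEntry], abc_host: str, xyz_host: str) -> bool:
    """Topology from the thread: ACL applied 'in' on the VLAN XYZ SVI, no ACL on
    VLAN ABC.  The echo request (ABC -> XYZ) enters via the ABC SVI and is never
    inspected; only the echo reply (XYZ -> ABC) hits the ACL."""
    action, _ = evaluate(entries, src=xyz_host, dst=abc_host)
    return action == "permit"


def audit(acl_text: str, abc_hosts: List[str], xyz_host: str = "192.168.3.50") -> Dict[str, bool]:
    """Which ABC-side hosts would get ping replies back through this ACL."""
    entries = parse_acl(acl_text)
    return {h: ping_allowed(entries, h, xyz_host) for h in abc_hosts}


# The ACL as suggested in the second post (line 20 added), /24 destinations.
ACL_SLASH24 = """Extended IP Access-List XYZ
10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
999 deny ip any any log
"""

# The class B variant from the third post.
ACL_SLASH16 = """Extended IP Access-List XYZ
10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
999 deny ip any any log
"""

# Constructed sample hosts: two inside 192.168.1.0/24 and one (hypothetical)
# whose source address is elsewhere in 192.168.0.0/16.
HOSTS = ["192.168.1.10", "192.168.1.20", "192.168.10.5"]

if __name__ == "__main__":
    for name, acl in (("/24 ACL", ACL_SLASH24), ("/16 ACL", ACL_SLASH16)):
        print(name, audit(acl, HOSTS))
```

Running it shows that line 20 never influences the result in this direction (no packet sourced from 192.168.1.x enters through the XYZ SVI), and that the only difference between the two ACL versions is for hosts whose address falls outside 192.168.1.0/24, which is exactly what the `deny ip any any log` line would record on the switch.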
01-21-2020 12:23 AM
As per your description in the original post, you have a number of VLANs in the network.
ESXi, or the VM applications hosted on it, may require communication with other IP addresses?
Can you post the complete configuration and tell us what port ESXi is connected to, and also what the IP range inside ESXi is, if not .3.X?