Random ACL blocking on L3 Switch

alochow
Level 1

I have a number of VLANs that are configured to have access between them. One of my VLANs has its L3 interface and routing configured to basically allow all traffic from all other VLANs that it knows, but it has a deny on anything that does not match the IP for anything else.

 

Switch is dual C3850 48XS in Stackwise Virtual.

 

VLAN XYZ: 192.168.3.0/24 (Int VLAN XYZ 192.168.3.1)

VLAN ABC: 192.168.1.0/24 (Int VLAN ABC 192.168.1.1)

 

 

ACL Example:

Extended IP Access-List XYZ

10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

999 deny ip any any log

 

The problem I am having is that once implemented, some hosts (ESXi) on the ABC VLAN lose their ability to connect with machines on the XYZ VLAN. On about half of the ABC hosts, I can successfully ping anything on the XYZ VLAN. But the other half are unable.

 

Disabling the ACL fixes the issue. I'm stumped as to what is causing this. Sorry I can't post actual outputs from the switch.

 

Regards,

-Andrew

3 Replies

balaji.bandi
Hall of Fame

How about also adding another source for the return traffic, like the test below, and let us know. (Not sure where you applied this ACL; can you provide more information?)

 

Or try the example below:

 

 

Extended IP Access-List XYZ

10 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

20 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

999 deny ip any any log

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have done that also without any luck. 

 

Oddly, if I extend the network to a class B, like this:

 

10 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255

 

It works. I thought perhaps I am routing strangely or something, but I tried adding literally every subnet I have in my network individually with rules, and it isn't until I expand the network to a class B that it seems to work.

 

I don't think that this is a legitimate solution to my problem, as I would like to be more granular with my rulesets.

 

Also my L3 interface ACL is configured as an inbound rule like this:

 

ip access-group XYZ in

 

Additionally, the ABC VLAN does not have any ACLs applied to it presently.
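To make the wildcard-mask matching in these ACLs concrete, here is a small first-match evaluator, added here and not taken from the thread or from Cisco, that applies each of the three ACL variants discussed above to constructed sample flows as they would be seen inbound on the XYZ SVI; the host addresses and the extra /24 are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One access-control entry: sequence, action, src, src-wildcard, dst, dst-wildcard.
Ace = Tuple[int, str, str, str, str, str]
ANY = ("0.0.0.0", "255.255.255.255")  # how "any" is expressed as a wildcard pair

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; an IOS ACL ends with an implicit deny ip any any."""
    for seq, action, s, sw, d, dw in sorted(acl, key=lambda e: e[0]):
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action, seq
    return "deny", None

# The three ACL variants discussed in the thread.
ACL_ORIGINAL: List[Ace] = [
    (10, "permit", "192.168.3.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    (999, "deny", *ANY, *ANY),
]
ACL_WITH_RETURN: List[Ace] = ACL_ORIGINAL[:1] + [
    (20, "permit", "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ACL_ORIGINAL[1],
]
ACL_CLASS_B: List[Ace] = [
    (10, "permit", "192.168.3.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    (999, "deny", *ANY, *ANY),
]

# Constructed sample flows as they arrive inbound on the XYZ SVI
# ("ip access-group XYZ in"): packets entering there are sourced by hosts on
# VLAN XYZ, so the ABC->XYZ direction of line 20 is never consulted here.
INBOUND_ON_XYZ: Dict[str, Tuple[str, str]] = {
    "echo-reply to ABC host": ("192.168.3.10", "192.168.1.20"),
    "echo-reply to host in another /24": ("192.168.3.10", "192.168.5.20"),
}

def report(acl: List[Ace]) -> Dict[str, str]:
    """Map each sample flow to the action the ACL applies to it."""
    return {name: evaluate(acl, s, d)[0] for name, (s, d) in INBOUND_ON_XYZ.items()}

if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("with line 20", ACL_WITH_RETURN), ("class B", ACL_CLASS_B)):
        print(label, report(acl))
```

The evaluator only models the ACE match itself; it says nothing about which hosts actually source traffic, so a flow that is denied here still has to be confirmed with the ACL log counters on the switch.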

 

As per your description in the original post, you have mentioned a number of VLANs in the network.

 

ESXi, or the applications hosted under its VMs, may require communication with other IP addresses?

 

Can you post the complete configuration and tell us which port ESXi is connected to, and also what the IP range inside ESXi is, if not .3.X?

 

BB
