11-27-2018 06:11 AM - edited 03-08-2019 04:41 PM
I've got a question regarding HSRP in combination with VACLs on two Cisco Catalyst 3650 switches with IP Base.
I've configured HSRP on a few VLANs and configured a VACL. I did the same on the secondary (standby) switch, but for some reason the primary IP address of the secondary switch, which is in standby mode, is reachable using ICMP from devices connected through the Cisco Catalyst 3650. The VACLs are working fine for the other IP addresses.
CSWT001

vlan access-map production 10
 match ip address acl_production
 action drop
vlan access-map production 20
 match ip address acl_match_all
 action forward
!
vlan filter production vlan-list 19

ip access-list extended acl_match_all
 permit ip any any
ip access-list extended acl_production
 permit ip 10.0.19.0 0.0.0.255 10.0.12.0 0.0.0.255
 permit ip 10.0.12.0 0.0.0.255 10.0.19.0 0.0.0.255

interface Vlan17
 description Production
 ip address 10.0.17.253 255.255.255.0
 standby version 2
 standby 1 ip 10.0.17.254
 standby 1 priority 1
 standby 1 preempt
 standby 1 authentication md5 key-string 7 XXX
!
interface Vlan19
 description Production
 ip address 10.0.19.253 255.255.255.0
 standby version 2
 standby 19 ip 10.0.19.254
 standby 19 priority 1
 standby 19 preempt
 standby 19 authentication md5 key-string 7 XXX
CSWT002

vlan access-map production 10
 match ip address acl_production
 action drop
vlan access-map production 20
 match ip address acl_match_all
 action forward
!
vlan filter production vlan-list 19

ip access-list extended acl_match_all
 permit ip any any
ip access-list extended acl_production
 permit ip 10.0.19.0 0.0.0.255 10.0.12.0 0.0.0.255
 permit ip 10.0.12.0 0.0.0.255 10.0.19.0 0.0.0.255

interface Vlan17
 description Production
 ip address 10.0.17.252 255.255.255.0
 standby version 2
 standby 1 ip 10.0.17.254
 standby 1 priority 2
 standby 1 authentication md5 key-string 7 XXX
!
interface Vlan19
 description Production
 ip address 10.0.19.252 255.255.255.0
 standby version 2
 standby 19 ip 10.0.19.254
 standby 19 priority 2
 standby 19 preempt
 standby 19 authentication md5 key-string 7 XXX
11-27-2018 06:48 AM
P.S.: For some reason traceroute is skipping a hop when going to the .252 address, and the reason is unknown to me.

Traceroute to 10.0.19.252 (which is supposed to be blocked):

Tracing route to 10.0.19.252 over a maximum of 30 hops
  1     2 ms     2 ms     2 ms  10.0.19.252
Trace complete.

Traceroute to 10.0.19.253, which actually does go through 10.0.12.x first (which is the active IP address of the virtual default gateway; the gateway is 10.0.12.254):

Tracing route to 10.0.19.253 over a maximum of 30 hops
  1     2 ms     3 ms     2 ms  10.0.12.252
  2     *

This even though there is nothing regarding 10.0.19.* directly in my routing table:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.12.254      10.0.12.40      25
        10.0.11.1  255.255.255.255      10.0.12.254      10.0.12.40      26
        10.0.11.2  255.255.255.255      10.0.12.254      10.0.12.40      26
        10.0.12.0    255.255.255.0         On-link       10.0.12.40     281
       10.0.12.40  255.255.255.255         On-link       10.0.12.40     281
      10.0.12.255  255.255.255.255         On-link       10.0.12.40     281
       10.0.99.17  255.255.255.255         On-link       10.0.99.17     257
     10.0.100.252  255.255.255.252         On-link       10.0.99.17       2
     10.0.100.255  255.255.255.255         On-link       10.0.99.17     257
       10.0.101.0    255.255.255.0         On-link       10.0.99.17       2
11-28-2018 09:23 AM
Hi.
Did you try to apply the VACL to VLAN 12 also, so it matches both VLANs 19 and 12?
BR
Gaston
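To make the match/action logic of the posted vlan access-map concrete, here is an added Python model (written for this thread; it is not Cisco code and not either poster's) of how the map is evaluated: Cisco wildcard-mask matching, first-match order over the sequence numbers, and the VLAN list the filter is attached to. It only models which VLANs the filter covers, as in the suggestion above, not the switch's forwarding path.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

# Transcribed from the thread's config: (src_base, src_wildcard, dst_base, dst_wildcard).
# "permit ip any any" is 0.0.0.0 with an all-ones wildcard.
ACLS = {
    "acl_match_all": [("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
    "acl_production": [
        ("10.0.19.0", "0.0.0.255", "10.0.12.0", "0.0.0.255"),
        ("10.0.12.0", "0.0.0.255", "10.0.19.0", "0.0.0.255"),
    ],
}

# vlan access-map production: (sequence, acl name, action), in sequence order.
ACCESS_MAP = [(10, "acl_production", "drop"), (20, "acl_match_all", "forward")]

def acl_permits(acl_name, src, dst):
    """True if any entry of the named extended ACL matches the src/dst pair."""
    return any(wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
               for sb, sw, db, dw in ACLS[acl_name])

def vacl_action(src, dst, vlan, filtered_vlans):
    """Action the access-map takes for a packet seen on `vlan`.

    A VLAN not in the 'vlan filter ... vlan-list' has no VACL attached, so its
    traffic is forwarded untouched. Within the map, the first sequence whose ACL
    matches decides; a packet matching no sequence at all is dropped.
    """
    if vlan not in filtered_vlans:
        return "forward"
    for _seq, acl, action in ACCESS_MAP:
        if acl_permits(acl, src, dst):
            return action
    return "drop"

if __name__ == "__main__":
    # Constructed sample flows; {19} is the posted filter, {12, 19} the suggested one.
    print(vacl_action("10.0.19.10", "10.0.12.40", 19, {19}))     # drop
    print(vacl_action("10.0.12.40", "10.0.19.252", 12, {19}))    # forward
    print(vacl_action("10.0.12.40", "10.0.19.252", 12, {12, 19}))  # drop
```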