The IP address on the secondary (stand-by) switch is reachable with HSRP and VACLs configured

nvaert1986
Level 1

I've got a question regarding HSRP in combination with VACLs on 2 Cisco Catalyst 3650 switches with IP Base.

I've configured HSRP on a few VLANs and configured a VACL. I did the same on the secondary (stand-by) switch, but for some reason the primary IP address of the secondary switch, which is in stand-by mode, is reachable using ICMP from devices connected through the Cisco Catalyst 3650. The VACLs are working fine for the other IP addresses.


CSWT001

vlan access-map production 10
 match ip address acl_production
 action drop
vlan access-map production 20
 match ip address acl_match_all
 action forward
!
vlan filter production vlan-list 19
ip access-list extended acl_match_all
 permit ip any any
ip access-list extended acl_production
 permit ip 10.0.19.0 0.0.0.255 10.0.12.0 0.0.0.255
 permit ip 10.0.12.0 0.0.0.255 10.0.19.0 0.0.0.255
interface Vlan17
 description Production
 ip address 10.0.17.253 255.255.255.0
 standby version 2
 standby 1 ip 10.0.17.254
 standby 1 priority 1
 standby 1 preempt
 standby 1 authentication md5 key-string 7 XXX
!
interface Vlan19
 description Production
 ip address 10.0.19.253 255.255.255.0
 standby version 2
 standby 19 ip 10.0.19.254
 standby 19 priority 1
 standby 19 preempt
 standby 19 authentication md5 key-string 7 XXX

CSWT002

vlan access-map production 10
 match ip address acl_production
 action drop
vlan access-map production 20
 match ip address acl_match_all
 action forward
!
vlan filter production vlan-list 19
ip access-list extended acl_match_all
 permit ip any any
ip access-list extended acl_production
 permit ip 10.0.19.0 0.0.0.255 10.0.12.0 0.0.0.255
 permit ip 10.0.12.0 0.0.0.255 10.0.19.0 0.0.0.255
interface Vlan17
 description Production
 ip address 10.0.17.252 255.255.255.0
 standby version 2
 standby 1 ip 10.0.17.254
 standby 1 priority 2
 standby 1 authentication md5 key-string 7 XXX
!
interface Vlan19
 description Production
 ip address 10.0.19.252 255.255.255.0
 standby version 2
 standby 19 ip 10.0.19.254
 standby 19 priority 2
 standby 19 preempt
 standby 19 authentication md5 key-string 7 XXX

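To make the posted policy concrete, here is an added model (not the author's configuration nor any Cisco code) of how the vlan access-map above is evaluated: first matching sequence wins, the access-map ends in an implicit deny, and nothing is checked on a VLAN that is not in the vlan-list. It uses the exact ACL entries and the vlan-list from the CSWT001/CSWT002 configs, and shows the verdict the configuration intends for 10.0.19.252 (the address the thread says is still reachable) as well as what changes if the filter is also applied to VLAN 12.

```python
import ipaddress

# Model of the posted "vlan access-map production": (sequence, acl_name, action)
VLAN_ACCESS_MAP = [(10, "acl_production", "drop"), (20, "acl_match_all", "forward")]

# ACL entries as (source, source_wildcard, destination, destination_wildcard),
# copied from the posted "ip access-list extended" blocks
ACLS = {
    "acl_match_all": [("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")],
    "acl_production": [
        ("10.0.19.0", "0.0.0.255", "10.0.12.0", "0.0.0.255"),
        ("10.0.12.0", "0.0.0.255", "10.0.19.0", "0.0.0.255"),
    ],
}

# "vlan filter production vlan-list 19" as posted
FILTERED_VLANS = {19}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask test: bits that are set in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & keep) == (b & keep)


def acl_permits(acl_name, src, dst):
    """True when any entry of the named ACL permits the src/dst pair."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in ACLS[acl_name])


def vacl_verdict(src, dst, vlan, filtered_vlans=FILTERED_VLANS):
    """Return 'drop' or 'forward' for a packet seen on the given VLAN."""
    if vlan not in filtered_vlans:
        return "forward"  # no VACL applied to this VLAN: nothing is inspected
    for _seq, acl, action in VLAN_ACCESS_MAP:
        if acl_permits(acl, src, dst):
            return action  # first matching sequence wins
    return "drop"  # implicit deny when no sequence matches


if __name__ == "__main__":
    # Constructed sample flows; 10.0.12.40 is the host from the posted route table
    for src, dst, vlan, vlans in [
        ("10.0.12.40", "10.0.19.252", 19, {19}),       # intended: drop
        ("10.0.12.40", "10.0.19.252", 12, {19}),       # VLAN 12 unfiltered: forward
        ("10.0.12.40", "10.0.19.252", 12, {12, 19}),   # filter on 12 too: drop
        ("10.0.19.10", "10.0.19.20", 19, {19}),        # intra-VLAN 19: forward
    ]:
        print(f"{src} -> {dst} on vlan {vlan} (filtered {sorted(vlans)}): "
              f"{vacl_verdict(src, dst, vlan, vlans)}")
```

The model states only what the access-map and ACLs are written to do; it does not reproduce how the platform treats traffic addressed to the switch's own SVI, which is the discrepancy the question is about.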

nvaert1986
Level 1

P.S.: For some reason traceroute is skipping a hop when going to the .252 address, and the reason is unknown to me.

Traceroute to 10.0.19.252 (which is supposed to be blocked)

Tracing route to 10.0.19.252 over a maximum of 30 hops

  1     2 ms     2 ms     2 ms  10.0.19.252

Trace complete.

Traceroute to 10.0.19.253, which actually does go through 10.0.12.x first (which is the active IP address of the virtual default gateway; the gateway is 10.0.12.254):

Tracing route to 10.0.19.253 over a maximum of 30 hops

  1     2 ms     3 ms     2 ms  10.0.12.252
  2 *

That is while there is nothing regarding 10.0.19.* directly in my routing table:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.0.12.254       10.0.12.40     25
        10.0.11.1  255.255.255.255      10.0.12.254       10.0.12.40     26
        10.0.11.2  255.255.255.255      10.0.12.254       10.0.12.40     26
        10.0.12.0    255.255.255.0         On-link        10.0.12.40    281
       10.0.12.40  255.255.255.255         On-link        10.0.12.40    281
      10.0.12.255  255.255.255.255         On-link        10.0.12.40    281
       10.0.99.17  255.255.255.255         On-link        10.0.99.17    257
     10.0.100.252  255.255.255.252         On-link        10.0.99.17      2
     10.0.100.255  255.255.255.255         On-link        10.0.99.17    257
       10.0.101.0    255.255.255.0         On-link        10.0.99.17      2

gaston.benitez
Level 1

Hi.


Did you try to apply the VACL to VLAN 12 also, so it matches both VLANs 19 and 12?

BR

Gaston
