Having a sort of weird issue with ACLs that seem not to apply to devices evenly.

Setup:
R1 - VLAN 2 - 10.2.0.2, VLAN 10 - 10.0.0.2, VLAN 11 - 10.0.1.2, VLAN 99 - 10.99.0.2
R2 - VLAN 2 - 10.2.0.3, VLAN 10 - 10.0.0.3, VLAN 11 - 10.0.1.3, VLAN 99 - 10.99.0.3
HSRP is configured for these two routers, with 10.X.X.1 being the virtual IP address; R1 will preempt.
S1 - VLAN 2 - 10.2.0.4

ACLs on routers:

Extended IP access list EXTERNAL_DATA (VLAN99)
    10 permit udp any any eq bootpc (6 matches)
    20 permit udp any any eq bootps (363 matches)
    30 deny ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255 (288569 matches)
    40 deny ip 10.99.0.0 0.0.0.255 192.168.0.0 0.0.255.255 (238 matches)
    50 deny ip 10.99.0.0 0.0.0.255 22.214.171.124 0.31.255.255 (3 matches)
    60 permit ip 10.99.0.0 0.0.0.255 any (8827545 matches)

Extended IP access list INTERNAL_DATA (VLAN10)
    10 permit udp any any eq bootpc (2482 matches)
    20 permit udp any any eq bootps (3199 matches)
    30 deny ip 10.99.0.0 0.0.0.255 any
    40 deny ip 10.255.1.0 0.0.0.255 any
    50 deny ip 10.255.2.0 0.0.0.255 any
    60 deny ip 10.0.1.0 0.0.0.255 any
    70 deny ip 10.2.0.0 0.0.0.255 any (12 matches)
    80 permit ip 10.0.0.0 0.0.0.255 any (18578356 matches)

Extended IP access list INTERNAL_WIFI (VLAN11)
    10 permit udp any any eq bootpc
    20 permit udp any any eq bootps (874 matches)
    30 deny ip 10.99.0.0 0.0.0.255 any
    40 deny ip 10.255.1.0 0.0.0.255 any
    50 deny ip 10.255.2.0 0.0.0.255 any
    60 deny ip 10.0.0.0 0.0.0.255 any
    70 deny ip 10.2.0.0 0.0.0.255 any
    80 permit ip 10.0.1.0 0.0.0.255 any (4353123 matches)

Extended IP access list MANAGEMENT_TRAFFIC (VLAN2)
    10 permit udp any any eq bootpc (19 matches)
    20 permit udp any any eq bootps (2102 matches)
    30 deny ip 10.99.0.0 0.0.0.255 any (27 matches)
    40 deny ip 10.255.1.0 0.0.0.255 any
    50 deny ip 10.255.2.0 0.0.0.255 any
    60 deny ip 10.0.0.0 0.0.0.255 any (52 matches)
    70 deny ip 10.0.1.0 0.0.0.255 any (4 matches)
    80 permit ip 10.2.0.0 0.0.0.255 any (1385946 matches)

So the issue I have noticed is that R2 is not accessible from VLAN 10 when trying to ping its management VLAN IP address. E.g. a ping from 10.0.0.52 to 10.2.0.3 fails. However, the same source can ping 10.2.0.2, 10.2.0.4 and 10.2.0.10. To further test this, I've run a ping from the sub-IF on both R1 and R2, from their 10.0.0.x interfaces to 10.2.0.3/2 (VLAN 2); both are unable to ping. So I'm curious what I am missing in the ACL that allows most pings to work inter-VLAN, yet some do not. I did note that line 60 in the Management ACL counts up when running continuous pings that fail (i.e. host PC to R2), but these ACLs are applied on inbound traffic on the subinterfaces. I think I have the flow correct for the ACLs and don't see how R2 is inaccessible but other devices are not.
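As an added example that is not part of the original post: a small Python model of IOS first-match ACL evaluation, with the posted MANAGEMENT_TRAFFIC entries transcribed as constructed input (Cisco wildcard masks are read as ipaddress hostmasks), so you can see which entry a given packet arriving inbound on the VLAN 2 subinterface hits, for instance an echo request sourced from 10.0.0.52 versus an echo reply sourced from 10.2.0.4.

```python
import ipaddress

# Constructed transcription of the MANAGEMENT_TRAFFIC ACL posted above (applied
# inbound on the VLAN 2 subinterface); the match counters are dropped.
MANAGEMENT_TRAFFIC = """
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
30 deny ip 10.99.0.0 0.0.0.255 any
40 deny ip 10.255.1.0 0.0.0.255 any
50 deny ip 10.255.2.0 0.0.0.255 any
60 deny ip 10.0.0.0 0.0.0.255 any
70 deny ip 10.0.1.0 0.0.0.255 any
80 permit ip 10.2.0.0 0.0.0.255 any
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}  # the only named ports this ACL uses

def parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # A Cisco wildcard is a hostmask, which ipaddress accepts directly (0.0.0.255 -> /24).
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'seq action proto src [eq p] dst [eq p]' lines into an ordered list of ACEs."""
    acl = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = parse_addr(rest)
        sport, rest = parse_port(rest)
        dst, rest = parse_addr(rest)
        dport, rest = parse_port(rest)
        acl.append(dict(seq=int(seq), action=action, proto=proto,
                        src=src, sport=sport, dst=dst, dport=dport))
    return acl

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Top-down, first match wins, as IOS does; returns (action, seq), implicit deny as seq None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return ace["action"], ace["seq"]
    return "deny", None
```

Call `evaluate(parse_acl(MANAGEMENT_TRAFFIC), "icmp", "10.0.0.52", "10.2.0.3")` to see the entry an echo request from the VLAN 10 host hits when it enters a VLAN 2 subinterface; an inbound interface ACL is checked against packets addressed to the router itself as well as transit packets.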
Having an issue with clients connecting to various WLANs getting DHCP leases from a scope configured for another VLAN. It was previously working for a couple of days, but seemed to all of a sudden change to incorrect DHCP leases. E.g. a client connecting to WLAN99, configured for interface vlan99 on the vWLC, will get a DHCP lease of 10.2.0.X. The same event occurs when connecting to WLAN11, configured for interface vlan11 on the vWLC, getting 10.2.0.X. Intermittently, the WLAN99 WLAN will get assigned 10.99.0.X. This setup was previously working correctly, but seemingly started occurring randomly yesterday afternoon. I have tried removing the IP helper config off the routers' sub-IF for each VLAN; doing so prevents any DHCP leases.

Objective: Segregate traffic based on VLAN. Router has ACLs to filter traffic based on VLAN (VLANs 2, 10 and 11 have access to other VLANs; 99 is traffic leaving the network).

Setup:
VLANs -
    10 - 10.0.0.X - internal wired
    11 - 10.0.1.X - internal wireless
    2 - 10.2.0.x - management
    99 - 10.99.0.x - guest internet
vWLC - Port 1 - VLAN 2; Port 2 - Trunk
Switch (2960X) - All VLANs configured on switch. vWLC connected to vSwitch with Trunk and VLAN 2, two vNICs. Port channel to vSwitch configured as trunk, all VLANs permitted.
AP x3 (2702i) - connected to switch on gig2/0/1-3, switchport trunk, native VLAN 2.
Router x2 - gig0/0/2.2, 0/0/2.10, 0/0/2.11 and 0/0/2.99 - all have "ip helper address (dhcpserver1 on vlan10), ip helper address (dhcpserver2 on vlan10)". Router is configured for HSRP (if that matters).
DHCP server (10.0.0.50, 10.0.0.51) - Scopes configured for 10.0.0.X, 10.0.1.X, 10.2.0.X and 10.99.0.X.

Not sure where the issue in the config is; hopefully it's a simple oversight in the config. I'm new to the WLC setup.
Built a new config for a new 4331 ISR but cannot seem to get internet access or ping devices on the network.
Gig0/0/0 - connected to an unconfigured switch, with cable modem connected
Gig0/0/2 - Connected to a 2960X switch on 1/0/49.
Cannot ping the switch @ 10.0.0.2. DHCP lease obtained from ISP on Gig0/0/0, but cannot ping 126.96.36.199.
Adjacent to this router, on the same switch, I have a 3825 running an almost identical config which has no issue with network access or internet access (on a separate switch stack).
What am I missing here?
Attached is the config from the router as well as output of "sh ip route".