Catalyst 4503 strange behaviour

Unanswered Question
Jan 28th, 2009

I have this problem:

3 switches: one 4503 and two 3750s

They run in a cluster.

There is one 802.1Q trunk from each 3750 to the 4503.

On the 4503 I create 2 VLANs with SVIs.

VLAN 2 - 20.0.0.1/24

VLAN 3 - 30.0.0.1/24

and the default one

VLAN 1 - 192.168.1.x

All interfaces are up/up

Management IP addresses of switches are as follows:

4503 - 192.168.1.2

1st 3750 - 192.168.1.3

2nd 3750 - 192.168.1.4

And here is the problem:

I disable all routing, as you may see in the configuration below, and all VLANs still have connectivity to each other through the SVIs.

Generally I want VLAN 2 to have access to VLAN 1 and VLAN 3 to have access to VLAN 1, but restrict access from VLAN 2 to VLAN 3.

Oops, wrong topic maybe...

Any help will be appreciated, thanks!

Current configuration : 2533 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service compress-config
service sequence-numbers
!
hostname Catalyst4503
!
boot-start-marker
boot system flash bootflash:cat4000-i5s-mz.122-25.EWA12.bin
boot-end-marker
!
no logging console
enable password **********
!
no aaa new-model
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct
qos dbl
qos map dscp 24 25 26 27 28 29 30 31 to tx-queue 4
qos map dscp 32 33 34 35 36 37 38 39 to tx-queue 4
qos map cos 3 to dscp 26
qos map cos 5 to dscp 46
qos
ip subnet-zero
no ip routing
no ip domain-lookup
!
cluster run
cluster enable NRS 0
cluster member 1 mac-address 001e.bee6.3e80
cluster member 2 mac-address 001e.f756.6780
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy descending
!
policy-map autoqos-voip-policy
 class class-default
  dbl
!
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
!
interface GigabitEthernet2/2
!
interface GigabitEthernet2/3
 switchport mode trunk
 switchport nonegotiate
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
   priority high
   shape percent 33
 macro description cisco-switch
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/4
 switchport mode trunk
 switchport nonegotiate
 service-policy output autoqos-voip-policy
 qos trust cos
 auto qos voip trust
 tx-queue 3
   priority high
   shape percent 33
 macro description cisco-switch
 spanning-tree link-type point-to-point
!
interface GigabitEthernet2/5
!
interface GigabitEthernet2/6
!
interface GigabitEthernet2/7
!
interface GigabitEthernet2/8
!
interface GigabitEthernet2/9
!
interface GigabitEthernet2/10
!
interface GigabitEthernet2/11
!
interface GigabitEthernet2/12
!
interface GigabitEthernet2/13
!
interface GigabitEthernet2/14
!
interface GigabitEthernet2/15
!
interface GigabitEthernet2/16
!
interface GigabitEthernet2/17
!
interface GigabitEthernet2/18
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
interface Vlan2
 ip address 20.0.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan3
 ip address 30.0.0.1 255.255.255.0
 no ip route-cache
!
interface Vlan6
 ip address 60.0.0.1 255.0.0.0
 no ip route-cache
 shutdown
!
ip http server
!
!
!
!
!
!
line con 0
 stopbits 1
line vty 0 4
 password test
 login
 length 0
!
!
end

Catalyst4503#
Catalyst4503#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Catalyst4503(config)#no ip routing
Catalyst4503(config)#end
Catalyst4503#write
Building configuration...

smothuku Wed, 01/28/2009 - 23:02

Hi

Create an extended access list and apply it to the respective VLAN interfaces.

access-list 101 permit tcp 20.0.0.1 0.0.0.255 10.0.0.1 0.0.0.255
access-list 101 deny tcp any any
access-list 102 deny tcp 20.0.0.1 0.0.0.255 30.0.0.1 0.0.0.255

int vlan 1
 ip access-group 101 in
int vlan 3
 ip access-group 102 in

Thanks,

Satish
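As an added check (editor's example, not part of the thread), the helper below evaluates sample flows against numbered IOS ACL entries written in the form used in the reply above, applying wildcard-mask matching, top-down first-match order and the implicit deny that ends every IOS ACL, so an ACL can be tested against the intended policy before it is applied to an SVI. The ACL lines are the three posted above; the flows, their expected outcomes and the function names (`policy_mismatches` and the rest) are this example's own constructions taken from the policy stated in the question.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_ace(line):
    """access-list N {permit|deny} PROTO SRC WILDCARD DST WILDCARD; SRC/DST may be 'any'."""
    tok = line.split()
    assert tok[0] == "access-list", "not a numbered ACL entry: " + line
    acl_id, action, proto, pos = tok[1], tok[2], tok[3], 4
    def address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        pos += 2
        return tok[pos - 2], tok[pos - 1]
    return acl_id, (action, proto, address(), address())

def load_acls(lines):
    acls = {}  # ACL number -> entries in order: IOS evaluates top-down, first match wins
    for line in lines:
        acl_id, ace = parse_ace(line)
        acls.setdefault(acl_id, []).append(ace)
    return acls

def evaluate(aces, proto, src, dst):
    """Verdict for one flow; anything unmatched hits IOS's implicit 'deny ip any any'."""
    for action, p, (sb, sw), (db, dw) in aces:
        if p in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Constructed input: the three entries from the reply above, as posted.
ACL_LINES = [
    "access-list 101 permit tcp 20.0.0.1 0.0.0.255 10.0.0.1 0.0.0.255",
    "access-list 101 deny tcp any any",
    "access-list 102 deny tcp 20.0.0.1 0.0.0.255 30.0.0.1 0.0.0.255",
]
# Constructed flows with the outcome the question asks for: VLAN 2 and VLAN 3
# may reach VLAN 1 (192.168.1.0/24), VLAN 2 may not reach VLAN 3.
WANTED = [
    ("101", "tcp", "20.0.0.10", "192.168.1.3", "permit"),
    ("101", "tcp", "30.0.0.10", "192.168.1.3", "permit"),
    ("102", "tcp", "20.0.0.10", "30.0.0.10", "deny"),
]
def policy_mismatches(acls=None, wanted=WANTED):
    """Flows whose verdict differs from the wanted outcome (empty list means the policy holds)."""
    acls = acls or load_acls(ACL_LINES)
    return [f for f in wanted if evaluate(acls[f[0]], *f[1:4]) != f[4]]
```

Running `policy_mismatches()` lists the flows the posted entries would not handle as the question intends, which is the check to repeat after every ACL edit.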

dimitrov.d Thu, 01/29/2009 - 03:50

Thank you very much Satish,

Your settings didn't work for me, but you pointed me in the right direction.

I used ACL and VACL (especially the second) to set custom rules for accessing the virtual ports of each VLAN.

This is a test sample that restricts traffic to VLAN 3 (30.0.0.0) from VLAN 6 (60.0.0.0).

Catalyst 4503:

ip access-list extended TEST1
 permit ip 30.0.0.0 0.0.0.255 60.0.0.0 0.0.0.255
 exit
vlan access-map TEST1 10
 match ip address TEST1
 action drop
vlan access-map TEST1 20
 ! a second sequence with no match clause forwards everything sequence 10 did not drop
 action forward
vlan filter TEST1 vlan-list 6

Once again, thanks a lot, I'll have a drink for your health tonight :)
