Why is my acl on the vlan blocking intra-vlan traffic?

Jul 29th, 2009

Hi


I'm confused. Can someone please explain why my ACL on my VLAN interface is blocking intra-VLAN traffic?


Config:



3750 config:


interface Vlan20

ip address 10.44.20.252 255.255.255.0

ip access-group Bg-In in

ip access-group Bg-Out out

no ip redirects

no ip unreachables

standby 20 ip 10.44.20.254

standby 20 timers 1 2

standby 20 priority 102

standby 20 preempt

end


ACL:

ip access-list extended Bg-In

permit udp any host 224.0.0.2 eq 1985

permit ip 10.44.20.0 0.0.0.255 10.0.0.0 0.255.255.255

deny ip any any log

exit


Some of the log messages I get are:


Jul 29 03:47:31 CST: %SEC-6-IPACCESSLOGP: list Bg-In denied tcp 205.183.246.44(8292) -> 10.44.20.198(8277), 1 packet

Jul 29 03:47:33 CST: %SEC-6-IPACCESSLOGRP: list Bg-In denied igmp 10.44.20.99 -> 239.255.255.250, 1 packet


The IPs only live within VLAN 20, i.e. they are sourced from equipment in VLAN 20: the multicast address 239.255.255.250 and the address 205.183.246.44.


Thanks

Dan

prakadeesh Wed, 07/29/2009 - 01:45

Hello Dan,


IMHO, the ACL allows only the following traffic:

* from any host to multicast 224.0.0.2 on port 1985

* from 10.44.20.0/24 to 10.0.0.0/8

* deny any other protocol/IP

The logs show that the IP addresses involved are 239.255.255.250 and 205.183.246.44, which are not in the ACL permits, so they would be denied. They are Layer 3 multicast addresses. Please correct me if I misunderstood.


dan_track Wed, 07/29/2009 - 01:50

Hi


Thanks for your reply. My question is more basic: why is the ACL on the VLAN even getting involved? If it is intra-VLAN traffic, surely there is no need for the ACL to be called. Don't PCs talk directly with each other, and won't multicast traffic be sent to all ports?


Thanks

Dan

Jon Marshall Wed, 07/29/2009 - 01:58

Dan


The only PCs that will talk directly with each other will be PCs within the same IP subnet, in this case 10.44.20.0/24.


205.183.246.44 is not in that subnet, so it can't talk directly to any of the 10.44.20.x PCs. Just allocating it into the same VLAN does not mean it will talk directly; it is the IP address that determines this.


As for the multicast, well again the address is not part of the 10.44.20.0/24 subnet range.


I think the confusion is coming from the difference between an L2 VLAN and how IP addressing/subnet masks determine whether a host is on the same subnet or not.


Jon

dan_track Wed, 07/29/2009 - 02:05

Ahhhh, great, thanks for clearing that up. It kind of makes sense now; I was confused between the L2 VLAN and the addressing.


Can I ask: if I plug in a PC with a different address to 10.44.20.x, i.e. 172.16.54.2, and all it talks to is a host with IP 10.44.20.50 on the same VLAN, will it still send packets to the VLAN interface and not directly to the PC (10.44.20.50)?


Is that right?


Thanks

Dan

Jon Marshall Wed, 07/29/2009 - 02:12

Dan


Not necessarily. It depends on what default gateway (if any) you have set on the PC with the address 172.16.54.2.


Jon

dan_track Wed, 07/29/2009 - 06:10

So if it did not have a default gateway, it would communicate directly with the PC on the same VLAN and not be affected by the ACL on the VLAN interface, is that right?


If it did have a default gateway, then it would traverse the VLAN interface and so be subject to the rules in the ACL on the VLAN interface, is that right?


Thanks

Dan



iyde Thu, 07/30/2009 - 12:45

Dan,


A PC with a 10.44.20.x/24 address and no default gateway will *only* be able to talk to other equipment in the 10.44.20.0/24 network.

The combination of IP address and subnet mask tells it what is on its "local" IP net (and to that it talks directly) and what is not on the "local" subnet. All communication off your "local" subnet requires a DG on your PC and a matching Layer 3 interface, interface Vlan20 in your example.


So, again, even if two pieces of equipment are connected to switchports in the same VLAN, that does not make them talk together if the IP parameters are misconfigured.


HTH
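The two points made in this thread (prakadeesh's reading of what Bg-In permits, and Jon's and iyde's explanation that the sender's IP/mask, not the VLAN, decides whether a packet goes straight to the peer at L2 or to the default gateway on the SVI) can be checked mechanically. The following is an added example, not code from the original post or from Cisco: it parses the subset of extended-ACL syntax used in Bg-In, replays the two logged packets through it with first-match semantics, and classifies each flow by whether it would reach the SVI at all. The assumptions are that the default gateway of 205.183.246.44 is the SVI/HSRP address in VLAN 20 (the only explanation consistent with the log), that multicast control traffic such as IGMP reports is delivered to the router interface in the VLAN, and that the log-line regex only needs to cover the `%SEC-6-IPACCESSLOG*` format shown above; the function and constant names are the example's own.

```python
import ipaddress
import re

# Constructed from the thread: the VLAN 20 SVI subnet and the Bg-In ACL as posted.
SVI_SUBNET = ipaddress.ip_network("10.44.20.0/24")
BG_IN = """
permit udp any host 224.0.0.2 eq 1985
permit ip 10.44.20.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip any any log
"""
# The two %SEC-6-IPACCESSLOG lines from the original post (constructed copies).
LOG_LINES = [
    "Jul 29 03:47:31 CST: %SEC-6-IPACCESSLOGP: list Bg-In denied tcp "
    "205.183.246.44(8292) -> 10.44.20.198(8277), 1 packet",
    "Jul 29 03:47:33 CST: %SEC-6-IPACCESSLOGRP: list Bg-In denied igmp "
    "10.44.20.99 -> 239.255.255.250, 1 packet",
]
ANY = ipaddress.ip_network("0.0.0.0/0")
LOG_RE = re.compile(
    r"list (\S+) (permitted|denied) (\w+) "
    r"(\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))? -> (\d+\.\d+\.\d+\.\d+)(?:\((\d+)\))?"
)


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq N' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse the ACE syntax used in Bg-In into (action, proto, src, sport, dst, dport)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, t = _parse_addr(t[2:])
        sport, t = _parse_port(t)
        dst, t = _parse_addr(t)
        dport, t = _parse_port(t)      # a trailing 'log' keyword is ignored
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, sp, dnet, dp in acl:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if sp is not None and sp != sport:
            continue
        if dp is not None and dp != dport:
            continue
        return action
    return "deny"


def path_inside_vlan(src, dst, subnet=SVI_SUBNET):
    """Why a frame that stays inside the VLAN does or does not reach the SVI ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d.is_multicast:
        # Assumption: multicast control traffic (e.g. IGMP reports) is delivered to
        # the router interface in the VLAN, so the SVI input ACL sees it.
        return "multicast-to-svi"
    if s in subnet and d in subnet:
        # Same IP subnet: the sender ARPs for the peer and talks at L2; the SVI
        # and its ACL are never involved.
        return "direct-l2"
    # Different IP subnets: the sender hands the packet to its default gateway.
    # Assumption: that gateway is the SVI/HSRP address 10.44.20.254 in this VLAN.
    return "via-gateway"


def parse_log(line):
    """Pull ACL name, verdict and 5-tuple out of a %SEC-6-IPACCESSLOG* line."""
    name, verdict, proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return {"acl": name, "logged": verdict, "proto": proto, "src": src, "dst": dst,
            "sport": int(sport) if sport else None, "dport": int(dport) if dport else None}


def explain(line, acl=None):
    """Return (why the packet reached the SVI, what the ACL did with it)."""
    acl = acl if acl is not None else parse_acl(BG_IN)
    p = parse_log(line)
    return path_inside_vlan(p["src"], p["dst"]), evaluate(
        acl, p["proto"], p["src"], p["dst"], p["sport"], p["dport"])


if __name__ == "__main__":
    for line in LOG_LINES:
        print(line.split("list ")[1], "=>", explain(line))
    print("10.44.20.50 -> 10.44.20.51:", path_inside_vlan("10.44.20.50", "10.44.20.51"))
```

Both logged packets come back as `deny`, matching the log, and for different reasons: the TCP flow is `via-gateway` because 205.183.246.44 is outside 10.44.20.0/24 and so must route, and the IGMP report is `multicast-to-svi`. A 10.44.20.50 to 10.44.20.51 flow is `direct-l2` and never reaches the ACL, which is the case the original question assumed applied to everything in the VLAN. Note that adding a `permit` for 205.183.246.44 would be the wrong fix; the real issue is a host with an off-subnet address sitting in VLAN 20.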
