07-29-2009 12:52 AM - edited 03-06-2019 06:59 AM
Hi
I'm confused; can someone please explain why my ACL on my VLAN interface is blocking intra-VLAN traffic?
Config:
3750 config:
interface Vlan20
ip address 10.44.20.252 255.255.255.0
ip access-group Bg-In in
ip access-group Bg-Out out
no ip redirects
no ip unreachables
standby 20 ip 10.44.20.254
standby 20 timers 1 2
standby 20 priority 102
standby 20 preempt
end
ACL:
ip access-list extended Bg-In
permit udp any host 224.0.0.2 eq 1985
permit ip 10.44.20.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip any any log
exit
Some of the log messages I get are:
Jul 29 03:47:31 CST: %SEC-6-IPACCESSLOGP: list Bg-In denied tcp 205.183.246.44(8292) -> 10.44.20.198(8277), 1 packet
Jul 29 03:47:33 CST: %SEC-6-IPACCESSLOGRP: list Bg-In denied igmp 10.44.20.99 -> 239.255.255.250, 1 packet
The IPs only live within VLAN 20, i.e. sourced from equipment in VLAN 20, i.e. the multicast address 239.255.255.250 and the address 205.183.246.44.
Thanks
Dan
07-29-2009 01:45 AM
Hello Dan,
IMHO, the ACL allows only traffic:
* from any host to multicast 224.0.0.2 using port 1985
* from IP 10.44.20.0/24 to 10.0.0.0/8
* deny any other protocol/IP
Logs show that the IP addresses involved are 239.255.255.250 and the address 205.183.246.44, which are not in the ACL permits, so they would be denied. They are Layer 3 multicast addresses. Please correct me if I misunderstood.
07-29-2009 01:50 AM
Hi
Thanks for your reply. My question is more basic: why is the ACL on the VLAN even getting involved? If it is intra-VLAN traffic, surely there is no need for the ACL to be called; don't PCs talk directly with each other, and won't multicast traffic be sent to all ports?
Thanks
Dan
07-29-2009 01:58 AM
Dan
The only PC's that will talk directly with each other will be PC's within the same IP subnet - in this case 10.44.20.0/24.
205.183.246.44 is not in that subnet so it can't talk directly to any of the 10.44.20.x pc's. Just allocating it into the same vlan does not mean it will talk directly - it is the IP address that determines this.
As for the multicast, well again the address is not part of the 10.44.20.0/24 subnet range.
I think the confusion is coming because of the difference between a L2 vlan and how IP addressing/subnet masks determine whether a host is on the same subnet or not.
Jon
07-29-2009 02:05 AM
Ahhhh, great, thanks for clearing that up. It kind of makes sense now; I was confused with the L2 VLAN and addressing.
Can I ask: if I plug in a PC with a different address to 10.44.20.x, i.e. 172.16.54.2, and all it talks to is a host with IP 10.44.20.50 on the same VLAN, it will still send packets to the VLAN interface and not directly to the PC (10.44.20.50)?
Is that right?
Thanks
Dan
07-29-2009 02:12 AM
Dan
Not necessarily. It depends on what default-gateway (if any) you have set on the pc with the address of 172.16.54.2.
Jon
07-29-2009 06:10 AM
So if it did not have a default gateway, it would communicate directly with a PC on the same VLAN and not be affected by the ACL on the VLAN interface, is that right?
If it did have a default gateway, then it would traverse the VLAN interface and so be subject to the rules in the ACL on the VLAN interface, is that right?
Thanks
Dan
07-30-2009 12:45 PM
Dan,
A PC with a 10.44.20.x/24 address and no default gateway will *only* be able to talk to other equipment in the 10.44.20.0/24 network.
The combination of IP address and subnet mask tells it what's on its "local" IP net (and to that you talk directly) or what is not on the "local" subnet. All communication off your "local" subnet requires a DG on your PC and a matching Layer 3 interface - interface Vlan20 in your example.
So, again, even if two pieces of equipment are connected to switchports in the same VLAN, that does not make them talk together if the IP parameters are misconfigured.
HTH
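The two points the replies make (first-match evaluation of the Bg-In list against the logged packets, and the host-side decision of whether a packet goes to the peer directly or to the default gateway through interface Vlan20) can be checked with a small model. This is an added example written for this thread, not code from the original posts or from Cisco; the ACL entries are transcribed from Dan's config, the log lines are the two he quoted, and the `next_hop` function is a simplified model of a host's forwarding decision (it also flags multicast destinations, which are flooded on the VLAN and so reach the SVI regardless of subnet).

```python
"""Model the two questions in this thread: (1) which Bg-In entry a packet matches,
and (2) whether a host would even send a packet towards interface Vlan20 or talk
to its peer directly at layer 2.  Constructed example, not Cisco code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise exact name
    src: str                    # "network wildcard" in IOS wildcard-mask notation
    dst: str
    dport: Optional[int] = None  # "eq <port>" on the destination, if present


# Transcribed from the poster's "ip access-list extended Bg-In".
BG_IN: List[AclEntry] = [
    AclEntry("permit", "udp", "0.0.0.0 255.255.255.255", "224.0.0.2 0.0.0.0", 1985),
    AclEntry("permit", "ip",  "10.44.20.0 0.0.0.255",    "10.0.0.0 0.255.255.255"),
    AclEntry("deny",   "ip",  "0.0.0.0 255.255.255.255", "0.0.0.0 255.255.255.255"),
]

# The two %SEC-6-IPACCESSLOG* lines quoted in the first post.
LOG_LINES = [
    "Jul 29 03:47:31 CST: %SEC-6-IPACCESSLOGP: list Bg-In denied tcp "
    "205.183.246.44(8292) -> 10.44.20.198(8277), 1 packet",
    "Jul 29 03:47:33 CST: %SEC-6-IPACCESSLOGRP: list Bg-In denied igmp "
    "10.44.20.99 -> 239.255.255.250, 1 packet",
]


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    net, wc = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wc))
    return (a | w) == (n | w)


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, int]:
    """First-match evaluation. Returns (action, index of the matching entry);
    index -1 is the implicit 'deny ip any any' at the end of every IOS ACL."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (wildcard_match(src, e.src) and wildcard_match(dst, e.dst)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, i
    return "deny", -1


LOG_RE = re.compile(
    r"list (\S+) (permitted|denied) (\w+) (\S+?)(?:\((\d+)\))? -> (\S+?)(?:\((\d+)\))?,")


def parse_log(line: str) -> Optional[Tuple[str, str, str, Optional[int]]]:
    """Pull (proto, src, dst, dport) out of a %SEC-6-IPACCESSLOG* message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    _list, _verdict, proto, src, _sport, dst, dport = m.groups()
    return proto, src, dst, (int(dport) if dport else None)


def next_hop(host: str, mask: str, peer: str, gateway: Optional[str]) -> str:
    """Simplified model of a host's forwarding decision for a packet to `peer`:
    'direct'      - same subnet: ARP for the peer on the VLAN, the SVI's ACL never sees it
    'gateway'     - off subnet with a default gateway: sent to the SVI, ACL applies
    'unreachable' - off subnet and no default gateway configured
    'multicast'   - flooded on the VLAN, which includes the SVI, so the ACL still sees it"""
    if ipaddress.ip_address(peer).is_multicast:
        return "multicast"
    local = ipaddress.ip_interface(f"{host}/{mask}").network
    if ipaddress.ip_address(peer) in local:
        return "direct"
    return "gateway" if gateway else "unreachable"


if __name__ == "__main__":
    for line in LOG_LINES:
        proto, src, dst, dport = parse_log(line)
        action, idx = evaluate(BG_IN, proto, src, dst, dport)
        print(f"{proto} {src} -> {dst}: {action} by entry {idx}")
    # Dan's follow-up question: a 172.16.54.2 host talking to 10.44.20.50
    print(next_hop("172.16.54.2", "255.255.255.0", "10.44.20.50", None))
    print(next_hop("172.16.54.2", "255.255.255.0", "10.44.20.50", "172.16.54.1"))
```

Running it shows both logged packets falling through to the explicit `deny ip any any log` entry (index 2), the HSRP hello to 224.0.0.2/1985 matching entry 0, and the 172.16.54.2 host either having nowhere to send the packet or handing it to its gateway, exactly as Jon described.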