ACL problem - Please help.

Dipesh Patel
Level 2

Dear Experts,

I have seen one problem.

Config:

int vlan 4
 ip address 10.10.10.1 255.255.255.0
 ip access-group LEVEL2 in

ip access-list extended LEVEL2
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.18
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.31
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.49
 permit ip 10.10.10.0 0.0.0.255 host 172.20.0.84
 permit udp any any

I have configured ACL as shown above.

Everything is working fine, but two of the servers, with IP addresses 10.10.10.240 and 10.10.10.189, were not communicating with each other.

When I removed the ACL, they communicated with each other properly. At the same time I also checked two other PCs, with IP addresses 10.10.10.125 and 10.10.10.130, and they are working properly with the ACL.

Can you help me why this happens?

The problem is resolved by adding

permit ip host 10.10.10.240 host 10.10.10.189

But actually, when we apply an ACL on a VLAN interface, that VLAN's members are still communicating with each other. And they are, but only these two servers are not.

What could be the reason ?

Please help.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Dipesh,

How are the two servers connected?

Are they connected to two different access layer switches?

Being on the same IP subnet, if they were connected to two ports of the same access layer switch they should be able to talk directly without hitting the ACL.

Check if the two servers are configured correctly with the correct subnet mask and default gateway.

With sh ip interface vlan4, check if proxy ARP is enabled.

The only way to reach OSI layer 3 of the switch is if one server sends the frames to the MAC address of the SVI; otherwise they would be able to talk directly, bypassing the ACL.

Check the ARP table of the two servers: look for the MAC address associated with the other server and compare it with the Vlan4 MAC address as reported in sh int vlan4 and with the other server's MAC address.

Hope to help

Giuseppe

0rseaman
Level 1

I agree with Giuseppe - the 2 servers in question do not appear to be on the same subnet and are most likely sending traffic to the default gateway instead of connecting directly to the server on the same subnet via its MAC address.

To verify this you can add a line to the bottom of your ACL, deny ip any any log, to log the packets and see that the servers are hitting the ACL. If they were on the same subnet they would not hit the ACL.

Rod
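Both replies come down to one question: does each server treat the other as on-link and ARP for it directly, or does it send the traffic to the SVI's MAC address, where the inbound ACL is evaluated? The script below is an added example, not code from either poster or from Cisco; it models the LEVEL2 ACL from the thread and assumes, purely for illustration, that 10.10.10.240 was configured with a wrong 255.255.255.192 mask.

```python
import ipaddress

# The LEVEL2 ACL from the thread as (protocol, source, destination); IOS
# wildcard masks and "host" keywords are written here as CIDR prefixes.
ACL_LEVEL2 = [
    ("ip",  "10.10.10.0/24", "172.20.0.18/32"),
    ("ip",  "10.10.10.0/24", "172.20.0.31/32"),
    ("ip",  "10.10.10.0/24", "172.20.0.49/32"),
    ("ip",  "10.10.10.0/24", "172.20.0.84/32"),
    ("udp", "0.0.0.0/0",     "0.0.0.0/0"),
]
# The workaround line the original poster added.
ACL_LEVEL2_FIXED = ACL_LEVEL2 + [("ip", "10.10.10.240/32", "10.10.10.189/32")]


def acl_permits(acl, proto, src, dst):
    """Evaluate an extended ACL top-down; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry_proto, src_net, dst_net in acl:
        if entry_proto not in ("ip", proto):
            continue
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return True
    return False


def goes_via_gateway(host_ip, host_mask, peer_ip):
    """A host ARPs directly for peers inside its own configured subnet; anything
    else is sent to the default gateway (the SVI), where the inbound ACL applies."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(peer_ip) not in iface.network


def diagnose(acl, src_ip, src_mask, dst_ip, proto="tcp"):
    """Return (hits_acl, permitted) for one flow from src to dst."""
    hits = goes_via_gateway(src_ip, src_mask, dst_ip)
    return hits, (acl_permits(acl, proto, src_ip, dst_ip) if hits else True)


if __name__ == "__main__":
    # Constructed scenario: 10.10.10.240 with the correct /24 mask, then with
    # an assumed wrong /26 mask, talking to 10.10.10.189.
    for mask in ("255.255.255.0", "255.255.255.192"):
        for proto in ("tcp", "udp"):
            print(mask, proto, diagnose(ACL_LEVEL2, "10.10.10.240", mask, "10.10.10.189", proto))
    print("with workaround:", diagnose(ACL_LEVEL2_FIXED, "10.10.10.240", "255.255.255.192", "10.10.10.189"))
```

With the wrong mask, TCP and ICMP between the two servers reach the SVI and fall through to the implicit deny while UDP still passes via permit udp any any, which matches the symptom in the thread; correcting the mask keeps the traffic off the SVI entirely, so the extra permit line is not needed.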
