ACL problem - Please help.

Unanswered Question
Feb 24th, 2010

Dear Experts,

I have seen one problem.


int vlan 4
 ip address
 ip access-group LEVEL2 in

ip access-list extended LEVEL2
 permit ip host
 permit ip host
 permit ip host
 permit ip host
 permit udp any any

I have configured ACL as shown above.

Everything is working fine but two of the servers with ip address and were not communicating with each other.

When I removed the ACL, they are communicating with each other properly. At the same time I have also checked two other PCs with IP addresses and they are working properly with the ACL.

Can you help me why this happens?

The problem is resolved by adding

permit ip host host

But actually, when we apply the ACL on the VLAN interface, then that VLAN's members are communicating with each other. And are happening, but only the two servers are not.

What could be the reason ?

Please help.

Giuseppe Larosa Wed, 02/24/2010 - 10:02

Hello Dipesh,

How are the two servers connected?

Are they connected to two different access layer switches?

Being on the same IP subnet, if they were connected to two ports of the same access layer switch they should be able to talk directly without hitting the ACL.

Check if the two servers are configured correctly with the correct subnet mask and default gateway.

With sh ip interface vlan4, check if proxy ARP is enabled.

The only way to go to the OSI layer 3 of the switch is if one server sends the frames to the MAC address of the SVI; otherwise they would be able to talk directly, bypassing the ACL.

Check the ARP table of the two servers, look for the MAC address associated with the other server, and compare it with the Vlan4 MAC address as reported in sh int vlan4 and with the other server's MAC address.

Hope to help
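The check described in this reply (does the peer look on-link given the host's mask, and does the ARP entry for the peer hold the peer's own MAC or the SVI's MAC), written up as an added example that is not part of the original thread; the SVI MAC, server addresses and ARP tables are constructed sample data, and the hypothetical "server-b" is given a wrong /30 mask to reproduce the one-sided symptom:

```python
import ipaddress

# Constructed sample data (not from the thread): the Vlan4 SVI MAC as shown
# by "sh int vlan4", and each server's configured address plus its ARP table.
SVI_VLAN4_MAC = "0011.2233.4455"
SERVERS = {
    # name: (configured IP/prefix, ARP table of that host as {ip: mac})
    "server-a": ("192.0.2.10/24", {"192.0.2.20": "aabb.ccdd.0020",
                                   "192.0.2.1": SVI_VLAN4_MAC}),
    # hypothetical misconfiguration: /30 mask, so server-a looks off-link
    "server-b": ("192.0.2.20/30", {"192.0.2.1": SVI_VLAN4_MAC}),
}

def normalize(mac):
    """Reduce any of the common MAC notations to 12 lowercase hex digits."""
    return mac.lower().replace(".", "").replace(":", "").replace("-", "")

def path_to_peer(local_cidr, arp_table, peer_ip, svi_mac):
    """Classify how a host reaches a peer that is nominally on the same VLAN.

    Returns 'direct' when the peer is on-link for this host's mask and any
    ARP entry for it is not the SVI's MAC, i.e. frames go switch-port to
    switch-port and never touch the SVI ACL. Returns 'via-svi' when the host
    will send the frames to the SVI instead (peer off-link by mask, or the
    ARP entry for the peer resolves to the SVI MAC, as proxy ARP produces);
    only that traffic is evaluated by "ip access-group ... in" on the SVI.
    """
    iface = ipaddress.ip_interface(local_cidr)
    if ipaddress.ip_address(peer_ip) not in iface.network:
        return "via-svi"            # off-link: sent to the default gateway
    mac = arp_table.get(peer_ip)
    if mac is not None and normalize(mac) == normalize(svi_mac):
        return "via-svi"            # ARP answered with the SVI's own MAC
    return "direct"

def diagnose(servers, svi_mac):
    """Check every ordered pair of servers and report each direction."""
    report = {}
    for src, (src_cidr, src_arp) in servers.items():
        for dst, (dst_cidr, _) in servers.items():
            if src != dst:
                dst_ip = str(ipaddress.ip_interface(dst_cidr).ip)
                report[(src, dst)] = path_to_peer(src_cidr, src_arp, dst_ip, svi_mac)
    return report

if __name__ == "__main__":
    for (src, dst), path in diagnose(SERVERS, SVI_VLAN4_MAC).items():
        print(f"{src} -> {dst}: {path}")
```

A 'via-svi' result in only one direction is exactly the pattern that a single "permit ip host A host B" line papers over without fixing the mask or proxy-ARP cause.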


0rseaman Wed, 02/24/2010 - 10:10

I agree with Giuseppe - the 2 servers in question do not appear to be on the same subnet and are most likely sending traffic to the default gateway instead of directly connecting to the server on the same subnet via the MAC address.

To verify this you can add a line to the bottom of your ACL to deny IP any any log - to log the packets and see that the servers are hitting the ACL. If they were on the same subnet they would not hit the ACL.
