ACLs on VLAN not isolating traffic

lovembsc89
Level 1

I am trying to isolate network 192.168.100.x 255.255.255.0 from the rest of our network.  I have connected the two switches via a cable between port 24 on each, and placed those ports on VLAN700.  When we connect to the isolated network, we still have access to the other networks.  No matter what I do, VLAN700 still says "shutdown" too.  I have posted the config of both switches.  Any suggestions?  Thanks in advance for the assistance.

Configuration of Catalyst 4507:


vtp domain *****
vtp mode transparent
ip subnet-zero
!

no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!

redundancy
mode sso
!
!
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 100
!
vlan 200
!
vlan 300
!
vlan 400
!
vlan 500
!
vlan 600
!
vlan 700
name wireless
shutdown
!
vlan 800
shutdown
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet2/2
!
interface GigabitEthernet3/1
switchport access vlan 100
!
interface GigabitEthernet3/2
switchport access vlan 100
!
interface GigabitEthernet3/3
switchport access vlan 100
!
interface GigabitEthernet3/4
switchport access vlan 100
!
interface GigabitEthernet3/5
switchport access vlan 100
!
interface GigabitEthernet3/6
switchport access vlan 100
!
interface GigabitEthernet4/1
switchport access vlan 100
!
interface GigabitEthernet4/2
switchport access vlan 100
!
interface GigabitEthernet4/3
switchport access vlan 100
!
interface GigabitEthernet4/4
switchport access vlan 100
!
interface GigabitEthernet4/5
switchport access vlan 100
!
interface GigabitEthernet4/6
switchport access vlan 100
!
interface GigabitEthernet5/1
switchport access vlan 100
!
interface GigabitEthernet5/2
switchport access vlan 100
!
interface GigabitEthernet5/3
switchport access vlan 100
!
interface GigabitEthernet5/4
switchport access vlan 100
!
interface GigabitEthernet5/5
switchport access vlan 100
!
interface GigabitEthernet5/6
switchport access vlan 100
!
interface GigabitEthernet6/1
!
interface GigabitEthernet6/2
!
interface GigabitEthernet6/3
!
interface GigabitEthernet6/4
!
interface GigabitEthernet6/5
!
interface GigabitEthernet6/6
!
interface GigabitEthernet7/1
switchport access vlan 500
switchport mode access
!
interface GigabitEthernet7/2
switchport access vlan 600
switchport mode access
!
interface GigabitEthernet7/3
switchport access vlan 400
switchport mode access
!
interface GigabitEthernet7/4
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet7/5
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet7/6
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/9
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/10
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/11
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/12
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/13
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/14
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/15
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/16
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/17
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/18
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/19
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/20
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/21
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/22
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/23
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet7/25
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/26
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/27
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/28
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/29
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/30
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/31
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/32
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/33
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/34
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/35
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/36
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/37
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/38
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/39
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/40
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/41
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/42
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/43
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/44
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/45
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/46
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/47
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/48
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
  ip address 172.16.0.1 255.255.0.0
ip access-group 101 in
!
interface Vlan200
  ip address 192.168.20.1 255.255.255.0
!
interface Vlan300
  ip address 192.168.30.1 255.255.255.0
!
interface Vlan400
  ip address 192.168.40.1 255.255.255.0
!
interface Vlan500
  ip address 192.168.50.1 255.255.255.0
!
interface Vlan600
  ip address 192.168.60.1 255.255.255.0
!
interface Vlan700
  ip address 192.168.100.24 255.255.255.0
ip access-group 102 in
!
interface Vlan800
ip address 192.168.80.1 255.255.255.0
!
router eigrp 100
redistribute static
network 172.16.0.0
network 192.168.10.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.0.25
ip route 10.8.2.0 255.255.255.0 172.16.0.111
ip route 10.8.151.0 255.255.255.0 172.16.0.111
ip route 10.9.1.0 255.255.255.0 172.16.0.111
ip route 10.9.2.0 255.255.255.0 172.16.0.111
ip route 10.10.9.0 255.255.255.0 172.16.0.111
ip route 10.10.10.0 255.255.255.0 172.16.0.111
ip route 10.10.120.0 255.255.252.0 172.16.0.111
ip route 10.255.200.0 255.255.255.0 172.16.200.30
ip route 100.15.0.0 255.255.0.0 172.16.0.240
ip route 192.168.15.0 255.255.255.0 172.16.0.12
ip route 192.168.66.0 255.255.255.0 172.16.0.12
ip route 192.168.250.0 255.255.255.0 172.16.0.12
no ip http server
!
!
!
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

Configuration of Catalyst 3500XL:

!
ip subnet-zero
no ip domain-lookup
!
!
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
spanning-tree portfast
!
interface FastEthernet0/11
spanning-tree portfast
!
interface FastEthernet0/12
spanning-tree portfast
!
interface FastEthernet0/13
spanning-tree portfast
!
interface FastEthernet0/14
spanning-tree portfast
!
interface FastEthernet0/15
spanning-tree portfast
!
interface FastEthernet0/16
spanning-tree portfast
!
interface FastEthernet0/17
spanning-tree portfast
!
interface FastEthernet0/18
spanning-tree portfast
!
interface FastEthernet0/19
spanning-tree portfast
!
interface FastEthernet0/20
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/1
mtu 1600
duplex full
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface VLAN1
ip address 172.16.0.15 255.255.0.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN700
ip access-group 102 out
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 172.16.0.1
snmp-server engineID local 0000000902000004C12B05C0
snmp-server community private RW
snmp-server community public RO

1 Accepted Solution


Terri

Apparently this wireless router is not capable of routing between subnets. 

Then it's not a wireless router then is it ? 

I think you need to revisit the choice of wireless device because it seems so basic as to be almost unusable for anything other than home use.

Jon


42 Replies

Jon Marshall
Hall of Fame

Terri

3500xl switch is L2 only so you can only have 1 L3 vlan interface up at any time and it looks like you are using vlan 1 on the 3500xl. So remove the vlan 700 L3 interface on the 3500xl.

As for isolating traffic, you have an acl applied to L3 vlan interface for vlan 700 on the 4500 switch. So what is not being isolated ie. is it that you can still connect to 172.16.0.x addresses from the 192.168.100.x vlan ?

Also you should update your trunk configs ie.

interface FastEthernet0/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast

remove "switchport access vlan 700" - because it is a trunk

remove "spanning-tree portfast" -  you should never run portfast on a trunk link between 2 switches.

Jon

As for isolating traffic, you have an acl applied to L3 vlan interface for vlan 700 on the 4500 switch. So what is not being isolated ie. is it that you can still connect to 172.16.0.x addresses from the 192.168.100.x vlan ?

Yes.  That's the issue.  We still need for them to be able to get to the internet though, and the firewall has a 172.16.0.x address. 

Thanks for the assistance with the trunk config.  I will fix that pronto!

So just to clarify, you have this acl applied to vlan 700 L3 SVI on your 4500 switch -

access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

and you can still access any 172.16.0.x address from 192.168.100.x devices ?

What does a "sh access-list 102" look like ?

Jon

Yes, we can still access it.  If we connect to the 192.168.100.x network, and use the Windows Run line to request a server on the 172.16.0.x network, although it prompts for a password, we can see it.

Here's the sh access-list 102 result:

sh access-list 102
Extended IP access list 102
    10 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
    20 permit ip 192.168.100.0 0.0.0.255 any

Can you post a "sh vlan brief" from the 4500 switch ?

Jon

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi2/1, Gi2/2
                                                Gi6/1, Gi6/2, Gi6/3, Gi6/4
                                                Gi6/5, Gi6/6, Gi7/48
10                                     active
100                                    active    Gi3/1, Gi3/2, Gi3/3, Gi3/4
                                                Gi3/5, Gi3/6, Gi4/1, Gi4/2
                                                Gi4/3, Gi4/4, Gi4/5, Gi4/6
                                                Gi5/1, Gi5/2, Gi5/3, Gi5/4
                                                Gi5/5, Gi5/6, Gi7/6, Gi7/7
                                                Gi7/8, Gi7/9, Gi7/10, Gi7/11
                                                Gi7/12, Gi7/13, Gi7/14, Gi7/15
                                                Gi7/16, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23
                                                Gi7/25, Gi7/26, Gi7/27, Gi7/28
                                                Gi7/29, Gi7/30, Gi7/31, Gi7/32
                                                Gi7/33, Gi7/34, Gi7/35, Gi7/36
                                                Gi7/37, Gi7/38, Gi7/39, Gi7/40
                                                Gi7/41, Gi7/42, Gi7/43, Gi7/44
                                                Gi7/45, Gi7/46, Gi7/47
200                                   active    Gi7/4
300                                   active    Gi7/5

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
400                                   active    Gi7/3
500                                   active    Gi7/1
600                                   active    Gi7/2
700                                   act/lshut
800                                   act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Sorry for all the questions, but it looks like vlan 700 isn't even up at L2 on the 4500. Can you post "sh int trunk" from the 4500?

Jon

Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600

Do I need to set up vlan 700 in the sup module?  Could that be the problem?

Terri

vlan 700 is not even active on the trunk link. As Rick says you must have something else going on in your network because if you can connect from a device on the 192.168.100.x network to a device on the 172.16.0.x network it isn't via the 4500 switch.

Jon

Terri

The first issue that I see is that VLAN 700 is shut down.

The second issue that I see is that there are no ports assigned to VLAN 700. With no ports in VLAN 700 there is no traffic for the access list to control.

Perhaps you could help me understand a bit better the topology of your network. Are these two switches the entire network, or are there other switches or routers in the network that we do not see? Also, where is the 192.168.100.0 network (what ports and what VLANs), and where is the 172.16.0.0 network (what ports and what VLANs)?

HTH

Rick

I think it's because the wireless router is jacked into the wall and into another port on the 3500XL.

The other ports on that switch are on the 172.16.0.x network.   The network is available before it even leaves the 3500XL.

Our network is made up of 6 sites connected by 100 MB fiber connections.  The 4507 is the backbone of our network.  All other sites are vlans on the 4507.  We have a star topology.  All networks can see each other.

Does that help at all?

I started this in this thread:

https://supportforums.cisco.com/message/3064233#3064233

Terri

Since all the ports on the 3500 switch are in the default VLAN (VLAN 1) this means that the traffic from the wireless router (which I assume is the 192.168.100.0 network) is intermixed with the 172.16.0.0 traffic. In that case it will be impossible to separate the 192.168.100.0 traffic.

What I would suggest is that you find where the wireless router is connected to the 3500 switch and put that switch port into a separate VLAN (perhaps VLAN 700). If the 192.168.100.0 traffic is in a separate VLAN, then it can be possible to separate it.

HTH

Rick
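The two points made above (the ACL filters by destination address, and an inbound ACL on the Vlan700 SVI is only consulted for packets that actually arrive on VLAN 700) are easy to see with a small model. The following Python is an added example, not code from the thread, from Cisco or from either poster: it parses ACL 102 exactly as it appears in the 4507 config, applies IOS wildcard-mask matching with first-match and the implicit deny, and assumes the simplification that an `ip access-group ... in` on an SVI only sees packets routed out of that VLAN. The hosts in `demo()` and the `INBOUND_ACL`/`routed_decision` names are constructed for illustration.

```python
# Added example, not from the thread: a small Python model of how a numbered
# extended ACL (ACL 102 from the thread, copied verbatim) evaluates packets
# when applied "in" on an SVI. Test addresses are constructed for illustration.
import ipaddress

ACL_102 = """
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
"""

MASK32 = 0xFFFFFFFF


def _ip(dotted):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (address, wildcard, index_of_next_token)."""
    if tokens[i] == "any":
        return 0, MASK32, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N <action> <proto> <src> <dst>' lines in order.
    Only the ip/src/dst form used in the thread is handled (no ports)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        entries.append((action, proto, src, src_wc, dst, dst_wc))
    return entries


def _wildcard_match(addr, entry_addr, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is 'don't care'. Works for non-contiguous wildcards too."""
    return ((addr ^ entry_addr) & ~wildcard & MASK32) == 0


def evaluate(entries, src, dst, proto="ip"):
    """First matching entry wins; an ACL ends with an implicit 'deny'."""
    s, d = _ip(src), _ip(dst)
    for action, e_proto, e_src, e_swc, e_dst, e_dwc in entries:
        if e_proto not in ("ip", proto):
            continue
        if _wildcard_match(s, e_src, e_swc) and _wildcard_match(d, e_dst, e_dwc):
            return action
    return "deny"


# 'ip access-group 102 in' on interface Vlan700 (assumed model): the ACL is
# consulted only for packets the 4500 routes *from* VLAN 700. A packet that
# arrives on VLAN 1 (where the 3500XL port in the thread actually sat) never
# reaches this SVI and is therefore never filtered by it.
INBOUND_ACL = {700: parse_acl(ACL_102)}


def routed_decision(ingress_vlan, src, dst):
    acl = INBOUND_ACL.get(ingress_vlan)
    if acl is None:
        return "permit"  # no inbound ACL on that SVI: nothing filters the packet
    return evaluate(acl, src, dst)


def demo():
    """Constructed scenarios that mirror the thread's symptoms."""
    client = "192.168.100.5"  # constructed host on the isolated VLAN
    return {
        # the user's test: a server on 172.16.0.x, packet really on VLAN 700
        "server_via_vlan700": routed_decision(700, client, "172.16.0.100"),
        # caveat: Vlan100 is 172.16.0.0/16 but the deny only covers 172.16.0.0/24
        "other_172_16_subnet": routed_decision(700, client, "172.16.1.10"),
        # internet traffic still passes: the ACL matches destination, not next hop
        "internet": routed_decision(700, client, "203.0.113.10"),
        # the thread's root cause: the wireless router's port was in VLAN 1
        "server_via_vlan1": routed_decision(1, client, "172.16.0.100"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Two things the model makes visible that are worth checking against the posted configs: the 4507's `interface Vlan100` carries `172.16.0.0 255.255.0.0`, while the deny in ACL 102 covers only `172.16.0.0 0.0.0.255`, so hosts elsewhere in the /16 (the static-route next hop `172.16.200.30`, for instance) are still reachable from VLAN 700; and since the ACL tests the destination address rather than the next hop, traffic to the internet through the `172.16.0.25` default route is permitted while the firewall's own address is denied, which is the behaviour the original poster wanted.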

OK.  I did figure out that I somehow missed adding that port to vlan 700 (big oops!  mea culpa)  Back to my other question then, do I need to add vlan 700 to the sup module of the 4500 in order to make it active there too?

lovembsc89 wrote:

OK.  I did figure out that I somehow missed adding that port to vlan 700 (big oops!  mea culpa)  Back to my other question then, do I need to add vlan 700 to the sup module of the 4500 in order to make it active there too?

No, vlan 700 is already on the 4500, but because there are no ports active in vlan 700 it isn't up. Once you have allocated a port in vlan 700 on the 3500xl, vlan 700 should become active on the trunk link and that will bring up vlan 700 on the 4500.

Jon
