
Inter-VLAN filtering problems

Answered Question
Apr 20th, 2012

Probably an easy fix but something's weird in my config.


I am setting up a new network, so this is not production yet. Here's the general idea.


Routed environment, down to the access layer using 3560-x l3 switches.


vlan 10: data

vlan 20: wifi

vlan 30: wifi guests

vlan 40: voip


My objective is to allow all traffic OUTBOUND to certain subnets (10.10.0.0/24, 10.10.100.0/24, 10.10.110.0/24, 10.10.120.0/24) and block any other 10.0.0.0/8 networks. By doing it this way, after blocking all other internal traffic, I allow everything else to ensure internet traffic can go out.

Extended IP access list VLAN10_TRAFFIC_FLOW
    10 permit ip any 10.10.0.0 0.0.0.255
    20 permit ip any 10.10.100.0 0.0.0.255
    30 permit ip any 10.10.110.0 0.0.0.255
    40 permit ip any 10.10.120.0 0.0.0.255
    50 deny ip any 10.0.0.0 0.255.255.255 (5 matches)
    60 deny ip any 172.16.0.0 0.0.255.255
    70 permit ip any any
!
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW out
end


The problem is, from the above info, when I ping 10.10.0.5 from a workstation in VLAN 10, it should match rule 10, but instead it matches rule 50 (as shown by the 5 matches).


Makes no sense to me as the logic, addressing and wildcard masks seem ok. What am I doing wrong?


Thanks!


Marc

Correct Answer by Edison Ortiz about 5 years 4 months ago

The flow direction on a Vlan is as follows:


If you have an ACL in the 'in' direction it will match 10.104.10.x/24 as the source

If you have an ACL in the 'out' direction it will match 10.104.10.x/24 as the destination


In your case, you are matching on the return traffic 10.0.0.0/8, thus you are seeing the expected result.


Regards,


Edison


Marc Bouchard Fri, 04/20/2012 - 07:43

I am actually working on this right now and while I understand my logic might be reversed, either way it doesn't match the traffic!


I reduced my ACL to 2 lines for testing and applied the ACL inbound and outbound to see if it was matching one way or the other. It matches neither...


If I ping 10.10.0.5, I should match the return traffic from this address and I get no match.


Extended IP access list VLAN10_TRAFFIC_FLOW
    10 permit ip any 10.10.0.0 0.0.0.255
    20 permit ip any any (1809 matches)
!
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW in
ip access-group VLAN10_TRAFFIC_FLOW out
end

Edison Ortiz Fri, 04/20/2012 - 07:51

The matches above are software counters, and traffic leaving the switch is hardware switched.

The matches are on the return traffic. Can you change

permit ip any 10.10.0.0 0.0.0.255

with

deny ip any 10.10.0.0 0.0.0.255


I'm sure the ping will fail.

Marc Bouchard Fri, 04/20/2012 - 07:57

Nope. It still matches the permit any any.


And the traffic is routed out the switch through a routed port uplinked to the core switches.

Edison Ortiz Fri, 04/20/2012 - 08:00

Where are you pinging from?


You must ping from a workstation in Vlan 10

Edison Ortiz Fri, 04/20/2012 - 08:03

Can you post the new ACL?


Can you post the entire config?

Marc Bouchard Fri, 04/20/2012 - 08:44

! Identification
hostname NETMTLALS04
!
! Host Name Resolution (Using Domain Controllers as DNS sources)
ip name-server 10.10.110.50
ip name-server 10.20.110.50
!
! Spanning-tree configuration as a fail-safe
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast default
spanning-tree portfast bpduguard default
udld aggressive
!
! VTP in Transparent Mode (Unused)
vtp mode transparent
!
! Security
no ip http server
no ip http secure-server
no service config
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
crypto key generate rsa general-keys modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
! Prevent SSH connections to point to point addresses
ip access-list extended SSH_Restrictions
deny tcp any 172.16.0.0 0.0.255.255 eq 22
permit ip any any
!
! DHCP security
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping vlan 20
ip dhcp snooping vlan 30
ip dhcp snooping vlan 40
!
! Local console configuration
line con 0
logging synchronous
exec-timeout 30 0
login authentication default
!
! Serial lines configuration
line vty 0 15
transport input ssh
transport output ssh
logging synchronous
exec-timeout 10 0
login authentication default
!
!========================================================================
!
! Resource management
memory reserve critical 4096
memory free low-watermark processor 20000
exception memory ignore overflow io
exception memory ignore overflow processor
!
!========================================================================
!
! Enable routing features
ip routing
!
! EIGRP Routing Protocol Configuration
router eigrp 751
eigrp log-neighbor-changes
eigrp stub
eigrp router-id 10.104.0.1
network 10.0.0.0
network 172.16.0.0
no auto-summary
passive-interface default
no passive-interface TenGigabitEthernet1/1
no passive-interface TenGigabitEthernet1/2
!
!========================================================================
!
interface range gigabitethernet 0/1 - 48
switchport
switchport access vlan 10
switchport voice vlan 40
switchport mode access
power inline never
switchport port-security maximum 2
switchport port-security mac-address sticky
switchport port-security violation shutdown
switchport port-security
ip access-group SSH_Restrictions in
!
interface tengigabitethernet 1/1
no switchport
ip authentication mode eigrp 751 md5
ip authentication key-chain eigrp 751 EIGRPKEYS
ip hello-interval eigrp 751 3
ip hold-time eigrp 751 10
load-interval 30
carrier-delay msec 0
ip summary-address eigrp 751 10.104.0.0 255.255.0.0
ip address 172.16.10.113 255.255.255.254
ip access-group SSH_Restrictions in
!
interface tengigabitethernet 1/2
no switchport
ip authentication mode eigrp 751 md5
ip authentication key-chain eigrp 751 EIGRPKEYS
ip hello-interval eigrp 751 3
ip hold-time eigrp 751 10
load-interval 30
carrier-delay msec 0
ip summary-address eigrp 751 10.104.0.0 255.255.0.0
ip address 172.16.10.213 255.255.255.254
ip access-group SSH_Restrictions in
!
interface loopback0
ip address 10.104.0.1 255.255.255.255
!
interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW out
!
interface Vlan20
description WIFI Corp
ip address 10.104.20.1 255.255.255.0
ip access-group VLAN20_TRAFFIC_FLOW out
!
interface Vlan30
description WIFI Guests
ip address 10.104.30.1 255.255.255.0
ip access-group VLAN30_TRAFFIC_FLOW out
!
interface Vlan40
description VOIP
ip address 10.104.40.1 255.255.255.0
ip access-group VLAN40_TRAFFIC_FLOW out
!
!========================================================================
!
vlan 1
shutdown
vlan 10
name DATA
vlan 20
name WIFI
vlan 30
name WIFI_Guests
vlan 40
name VOIP
vlan 1000
name BLACKHOLE
!
!========================================================================
!
ip access-list extended VLAN10_TRAFFIC_FLOW
permit ip any 10.0.100.0 0.255.0.255
permit ip any 10.0.110.0 0.255.0.255
permit ip any 10.0.120.0 0.255.0.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN20_TRAFFIC_FLOW
permit ip any 10.0.100.0 0.255.0.255
permit ip any 10.0.110.0 0.255.0.255
permit ip any 10.0.120.0 0.255.0.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN30_TRAFFIC_FLOW
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.0.255.255
permit ip any any
ip access-list extended VLAN40_TRAFFIC_FLOW
permit ip any 10.0.40.0 0.255.0.255
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 172.16.0.0 0.0.255.255
permit ip any any

Edison Ortiz Fri, 04/20/2012 - 09:32

Let's start with Vlan 10,


Can you apply this configuration?


interface Vlan10
description DATA
ip address 10.104.10.1 255.255.255.0
ip access-group VLAN10_TRAFFIC_FLOW in
!
ip access-list extended VLAN10_TRAFFIC_FLOW
permit ip any 10.10.0.0 0.0.0.255
permit ip any 10.10.100.0 0.0.0.255
permit ip any 10.10.110.0 0.0.0.255
permit ip any 10.10.120.0 0.0.0.255
deny   ip any 10.0.0.0 0.255.255.255
permit ip any any

Marc Bouchard Fri, 04/20/2012 - 09:47

I tried that already. I actually had both IN and OUT enabled and the show access-list didn't match either way. The only time I got a match was doing a traceroute, but pings don't match, nor do HTTP requests, etc...


The permits have a strange wildcard mask in the original config, so I changed all the permits to "normal" masks for testing purposes, as you can see in my initial post, to rule that out.


And actually, if I do the ip access-group IN like you suggest, I lose connectivity completely. All traffic coming in from the inside network on 10.104.10.x gets denied by the last line.

Edison Ortiz Fri, 04/20/2012 - 10:46

If you apply the access-list as I suggested, you shouldn't lose all connectivity. Only to 10/8 networks except the ones permitted.

The permit ip any any should cover the rest.


I just tested the concept in the lab and it works. Not sure about your setup.

Marc Bouchard Fri, 04/20/2012 - 11:01

Well, since my workstation is in VLAN10 (10.104.10.x), and to SSH to the switch I need access to the 10.104.0.1 (The loopback 0 is the interface used for management), I lose the connection to the switch.


That's what I meant by lose connectivity.


I added an ACL to allow that address...


If I traceroute to external routes, everything works; I see the counter go up in the access list matches. But pings are a no-show. Probably a bad tool to test against ACLs.


So in the end, it seems as if the issue was mostly with the IN vs OUT on my command. I'll update a few switches and post an update here. Thanks for your help, much appreciated.
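The direction point Edison made (an ACL applied 'out' on an SVI evaluates the return traffic toward the VLAN, so the VLAN subnet is the destination) and the side effect Marc ran into (the same list applied 'in' denies the management loopback 10.104.0.1 until an exception is added) are both easier to see with a small simulator. The following is an added example, not code from the thread or from Cisco: a minimal model of IOS extended-ACL evaluation (first match wins, wildcard masks, implicit deny) run against the VLAN10_TRAFFIC_FLOW list from the first post. The workstation address 10.104.10.50, the outside address 203.0.113.10 and the `permit ip any host 10.104.0.1` exception line are constructed; Marc does not show the exact line he added. It also shows why the `0.255.0.255` masks Marc called "strange" match any 10.x.100.x host, not just 10.10.100.0/24. The model covers the match logic only; as Edison notes, `show access-list` counters on this platform reflect software-switched packets, so a missing counter does not by itself mean the ACL did not apply.

```python
"""Model of IOS extended ACL evaluation on an SVI (added example, not the thread's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: str     # "any", "host a.b.c.d", or "a.b.c.d w.x.y.z" (address + wildcard)
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        base, wildcard = spec.split()[1], "0.0.0.0"
    else:
        base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[Optional[int], str]:
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.seq, ace.action
    return None, "deny"


def svi_packet(direction: str, vlan_host: str, remote: str) -> Tuple[str, str]:
    """(src, dst) an SVI ACL sees for a flow between a host on the VLAN and a remote address.
    'in'  : packets routed away from the VLAN hosts   -> host is the source
    'out' : packets routed toward the VLAN hosts      -> host is the destination (return traffic)"""
    if direction == "in":
        return vlan_host, remote
    if direction == "out":
        return remote, vlan_host
    raise ValueError(f"unknown direction {direction!r}")


# ACL exactly as shown in the first post
VLAN10_TRAFFIC_FLOW = [
    Ace(10, "permit", "any", "10.10.0.0 0.0.0.255"),
    Ace(20, "permit", "any", "10.10.100.0 0.0.0.255"),
    Ace(30, "permit", "any", "10.10.110.0 0.0.0.255"),
    Ace(40, "permit", "any", "10.10.120.0 0.0.0.255"),
    Ace(50, "deny",   "any", "10.0.0.0 0.255.255.255"),
    Ace(60, "deny",   "any", "172.16.0.0 0.0.255.255"),
    Ace(70, "permit", "any", "any"),
]

WORKSTATION = "10.104.10.50"   # constructed host in VLAN 10 (10.104.10.0/24 per the config)
MGMT_LOOPBACK = "10.104.0.1"   # loopback0 from the posted config


def ping_verdict(acl: List[Ace], direction: str, remote: str,
                 vlan_host: str = WORKSTATION) -> Tuple[Optional[int], str]:
    """Verdict the SVI ACL gives for the packet it actually inspects in that direction."""
    return evaluate(acl, *svi_packet(direction, vlan_host, remote))


def with_management_exception(acl: List[Ace], mgmt_addr: str) -> List[Ace]:
    """Copy of acl with a constructed 'permit ip any host <mgmt>' line ahead of the deny 10/8."""
    return [Ace(5, "permit", "any", f"host {mgmt_addr}")] + list(acl)


if __name__ == "__main__":
    # 'out' on Vlan10: the echo reply from 10.10.0.5 has the VLAN host as destination,
    # so line 10 (dst 10.10.0.0/24) cannot match and line 50 (dst 10/8) counts the hit.
    print("out, ping 10.10.0.5 ->", ping_verdict(VLAN10_TRAFFIC_FLOW, "out", "10.10.0.5"))
    # 'in' on Vlan10: the echo request has 10.10.0.5 as destination and hits line 10.
    print("in,  ping 10.10.0.5 ->", ping_verdict(VLAN10_TRAFFIC_FLOW, "in", "10.10.0.5"))
    # 'in' also inspects SSH to the loopback: 10.104.0.1 is inside 10/8 and gets denied.
    print("in,  ssh  loopback0 ->", ping_verdict(VLAN10_TRAFFIC_FLOW, "in", MGMT_LOOPBACK))
    fixed = with_management_exception(VLAN10_TRAFFIC_FLOW, MGMT_LOOPBACK)
    print("in,  ssh  loopback0 (with exception) ->", ping_verdict(fixed, "in", MGMT_LOOPBACK))
    # The 0.255.0.255 mask from the full config matches every 10.x.100.x host.
    print("10.200.100.7 vs 10.0.100.0 0.255.0.255 ->",
          wildcard_match("10.200.100.7", "10.0.100.0 0.255.0.255"))
```

Running the script prints `(50, 'deny')` for the 'out' case and `(10, 'permit')` for the 'in' case, which is the counter behaviour Marc reported and the explanation Edison gave; the loopback check shows why the 'in' list needs an explicit permit for the management address placed before the `deny ip any 10.0.0.0 0.255.255.255` line.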
