Cisco Support Community
Access-lists on VLAN Interfaces!

Hello,

I have 2 core switches interconnected with two trunks. On both switches, there are 5 virtual interfaces for 5 VLANs. HSRP runs on the switches and an ACL is activated on the SVIs in the inbound direction. When I plug a laptop into a VLAN 200 port on SW1, I can get to the Internet although the ACL should be dropping the packets. Could you please help me figure out what is going on? Below are relevant excerpts of both switches' configurations.

Thanks,

Franc

SW1

interface Vlan100
 ip address 10.48.20.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 1 ip 10.48.20.1
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt
!
interface Vlan300
 ip address 192.168.5.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 3 ip 192.168.5.1
 standby 3 priority 200
 standby 3 preempt
!
interface Vlan400
 ip address 192.168.4.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 ip helper-address 10.48.20.36
 ip helper-address 10.48.20.37
 standby 4 ip 192.168.4.1
 standby 4 priority 200
 standby 4 preempt
!
interface Vlan500
 ip address 192.168.3.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 5 ip 192.168.3.1
 standby 5 priority 200
 standby 5 preempt
!

SW2

interface Vlan100
 ip address 10.48.20.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 1 ip 10.48.20.1
!
interface Vlan200
 ip address 192.168.2.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 2 ip 192.168.2.1
!
interface Vlan300
 ip address 192.168.5.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 3 ip 192.168.5.1
!
interface Vlan400
 ip address 192.168.4.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 ip helper-address 10.48.20.36
 ip helper-address 10.48.20.37
 standby 4 ip 192.168.4.1
!
interface Vlan500
 ip address 192.168.3.3 255.255.255.0
 ip access-group acl_Vlan_Filter in
 standby 5 ip 192.168.3.1
!

THE ACL IS THE SAME ON BOTH SWITCHES

!
!
ip access-list extended acl_Vlan_Filter
 permit udp host 10.48.20.36 any
 permit udp host 10.48.20.37 any
 permit udp host 10.48.20.40 any
 permit udp any any eq 1985
 permit udp any any eq domain
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any any established
 permit tcp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq www
 permit tcp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 389
 permit udp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 389
 permit tcp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 390
 permit udp 192.168.5.0 0.0.0.255 host 10.48.20.40 eq 390
 permit tcp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq www
 permit tcp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 389
 permit udp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 389
 permit tcp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 390
 permit udp 192.168.3.0 0.0.0.255 host 10.48.20.40 eq 390
 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 10.48.20.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 10.48.20.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 10.48.20.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 10.48.20.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 10.48.20.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any          !!! Should block all outbound packets not explicitly permitted above
 permit ip any any

4 REPLIES

Access-lists on VLAN Interfaces!

Along with "ip access-group acl_Vlan_Filter in",

you can try "ip access-group acl_Vlan_Filter out".

From the user, the ACL is for out traffic.

While going out, it checks the Src IP and denies;

while coming in, it checks the Src IP, and it is not 192.168.2.0 0.0.0.255 any, so it is allowed and you are able to access the Internet.

Regards,

ThiyaguVG.

Access-lists on VLAN Interfaces!

Your ACL looks fine to me. This should be applied "inbound". The in direction is for traffic coming from clients on that specific VLAN.

Now, one thing I would like to know: what is 10.48.20.40? Is it a proxy server?

Vivek


Access-lists on VLAN Interfaces!

Hi all,

Thanks for your feedback!

I agree with Vivek that the direction is correct. Anyway, I had a troubleshooting session with Cisco this morning. Unfortunately, we still couldn't figure out why the ACL was not matching the traffic. We edited the ACL and created additional ones to no avail... So, the Cisco engineer asked for the tech reports to investigate the issue in their lab.

Btw, 10.48.20.40 is a mail server...

Thanks,

Francois


The direction "In/Out" is in

The direction "In/Out" is in respect to the router and not the interface, i.e. traffic coming IN or leaving the router. In the case of a virtual interface, try the ACL in the OUT direction and it should work.
