ACL "bypassed"

oguarisco
Level 3

I'm experiencing the following really strange problem: it seems that IP packets are not dropped by the ACL but are forwarded.

On a 3750 I have an interface VLAN with three IP subnets configured (one primary and two secondary); ip proxy-arp and route-cache same-interface are enabled since they are needed.

On the same interface I also have an ACL configured inbound, but after doing some tests the IP packets are forwarded regardless of whether they are destined to the same interface (to the other subnets) or to the rest of the network...

IP primary net 1.1.1.0/24

IP Secondary net 10.1.40.0/22

IP Secondary net 10.2.40.0/22

The ACL is the following:

...
20 deny ip 1.1.1.0 0.0.0.255 10.2.40.0 0.0.3.255
30 deny ip 10.1.40.0 0.0.3.255 10.2.40.0 0.0.3.255
40 deny ip 1.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
50 deny ip 1.1.1.0 0.0.0.255 10.20.0.0 0.0.255.255
60 deny ip 10.1.40.0 0.0.3.255 10.2.0.0 0.0.255.255
70 deny ip 10.1.40.0 0.0.3.255 10.20.0.0 0.0.255.255
80 permit ip 10.2.40.0 0.0.3.255 10.2.0.0 0.0.255.255
90 permit ip 10.2.40.0 0.0.3.255 10.20.0.0 0.0.255.255
100 permit ip 10.2.40.0 0.0.3.255 172.16.0.0 0.0.0.255
110 permit ip 10.2.40.0 0.0.3.255 172.31.255.0 0.0.0.255
120 deny ip 10.2.40.0 0.0.3.255 any
130 permit ip 1.1.1.0 0.0.0.255 any
140 permit ip 10.1.40.0 0.0.3.255 any
150 deny ip any any

IP packets sent from 1.1.1.11 to the local host 10.2.40.10 (secondary subnet on the interface) are not blocked by the ACL, since the host is responding to me... the same behaviour happens with packets sent from 1.1.1.11 to the remote host 10.2.60.10.

BTW the tests done were not simple pings, since those are permitted in the ACL (no deny icmp entries are configured).

Has anyone experienced a problem similar to this?

Any suggestions are appreciated

5 Replies

Edison Ortiz
Hall of Fame

You have the wrong direction on the ACL. It should be 'out' instead of 'in'.

In the egress direction, the source is your subnets listed below and the destination is the remote networks.

In the ingress direction, the source is the remote networks and the destination is your subnets.

HTH,

__

Edison.

Hi Edison,

Thanks for your answer, but I need the ACL in ingress, since the primary and all the secondary IP subnets are checked on ingress on the VLAN to be sure that only the IP subnets defined in the ACL are permitted through the switch (anti-spoofing check).

If the traffic is from the primary IP subnet destined to a secondary IP subnet on a remote switch connected via an IP backbone to this switch, the ACL should be placed as ingress on the VLAN so that this traffic is dropped near the source IPs... isn't it?

If I understand right, to block IP traffic originating from the primary IP subnet and destined to a secondary IP subnet on the same VLAN I should apply an ACL in egress???

But the traffic between two hosts on different IP subnets on the same VLAN passes to the switch and is process/fast switched, so the switch should not be able to block this request, since proxy-arp is enabled and the traffic between different IP subnets on the same VLAN passes via the SVI interface of the switch... isn't it?

If you need it on ingress, then

deny ip 1.1.1.0 0.0.0.255 10.2.40.0 0.0.3.255

would be

deny ip 10.2.40.0 0.0.3.255 1.1.1.0 0.0.0.255

1.1.1.0/24 is already on that Vlan, so your option is to either block outbound - your first ACL will work -or- block inbound as you want but you need to flip the src|dst pair.

__

Edison.
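To see which entry each direction of a flow actually hits, here is an added example (not code from the thread or from Cisco): a small first-match evaluator for the numbered ACL quoted in the question, using Cisco wildcard-mask semantics. It assumes only `ip` entries with `any` or network/wildcard pairs, which is all the ACL above contains.

```python
# Added example, not from the thread; the ACL text is copied from the question above.
import ipaddress
ACL = """
20 deny ip 1.1.1.0 0.0.0.255 10.2.40.0 0.0.3.255
30 deny ip 10.1.40.0 0.0.3.255 10.2.40.0 0.0.3.255
40 deny ip 1.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
50 deny ip 1.1.1.0 0.0.0.255 10.20.0.0 0.0.255.255
60 deny ip 10.1.40.0 0.0.3.255 10.2.0.0 0.0.255.255
70 deny ip 10.1.40.0 0.0.3.255 10.20.0.0 0.0.255.255
80 permit ip 10.2.40.0 0.0.3.255 10.2.0.0 0.0.255.255
90 permit ip 10.2.40.0 0.0.3.255 10.20.0.0 0.0.255.255
100 permit ip 10.2.40.0 0.0.3.255 172.16.0.0 0.0.0.255
110 permit ip 10.2.40.0 0.0.3.255 172.31.255.0 0.0.0.255
120 deny ip 10.2.40.0 0.0.3.255 any
130 permit ip 1.1.1.0 0.0.0.255 any
140 permit ip 10.1.40.0 0.0.3.255 any
150 deny ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    # 'any' is shorthand for 0.0.0.0 255.255.255.255; returns (net, wildcard, rest)
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _match(addr, net, wildcard):
    # Cisco wildcard: 1 bits are "don't care", so only the 0 bits are compared
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        sn, sw, rest = _addr(rest)
        dn, dw, _ = _addr(rest)
        aces.append((int(seq), action, sn, sw, dn, dw))
    return aces

def lookup(aces, src, dst):
    """First matching entry wins; returns (seq, action), implicit deny if none."""
    s, d = _ip(src), _ip(dst)
    for seq, action, sn, sw, dn, dw in aces:
        if _match(s, sn, sw) and _match(d, dn, dw):
            return seq, action
    return None, "deny"
```

Running the thread's flows through `lookup` shows that 1.1.1.11 to 10.2.60.10 hits entry 40 while the return packet 10.2.60.10 to 1.1.1.11 falls through to entry 150, so the src/dst pair decides which direction an entry can ever match.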

Hi Edison,

Now I've got it about the problem regarding the traffic originating from the VLAN's primary IP subnet destined to the secondary IP subnet on the same VLAN... that's fine, thanks!!!!

What I don't understand is why the traffic from the VLAN's primary IP subnet destined to a remote VLAN's secondary IP subnet (range 10.2.0.0 and range 10.20.0.0) is also passing through instead of being blocked by ACL entries 40 and 50, seeing that the ACL is in ingress on the VLAN.

Regards

Omar

What I don't understand is why the traffic from the VLAN's primary IP subnet destined to a remote VLAN's secondary IP subnet (range 10.2.0.0 and range 10.20.0.0) is also passing through instead of being blocked by ACL entries 40 and 50, seeing that the ACL is in ingress on the VLAN.

The egress traffic won't be blocked, you will be blocking the ingress traffic (the return traffic from remote Vlans to your local Vlan).

Keep in mind, most traffic is bidirectional so if you ping from your local Vlan to the remote Vlan, the remote Vlan will receive the ICMP packet but the ICMP reply will be blocked by the ingress ACL.

___

Edison.
