09-09-2009 12:35 AM - edited 03-06-2019 07:38 AM
I'm experiencing the following really strange problem: it seems that IP packets are not dropped by the ACL but are forwarded.
On a 3750 I've an interface VLAN where there are 3x IP subnets configured (one primary and two secondary); ip proxy-arp and route-cache same-interface are enabled since they are needed.
On the same interface I've also an ACL configured in input....but after doing some tests the IP packets are forwarded independently of whether they are destined to the same interface (to other subnets) or to the rest of the network...
IP primary net 1.1.1.0/24
IP Secondary net 10.1.40.0/22
IP Secondary net 10.2.40.0/22
the ACL is the following
...
20 deny ip 1.1.1.0 0.0.0.255 10.2.40.0 0.0.3.255
30 deny ip 10.1.40.0 0.0.3.255 10.2.40.0 0.0.3.255
40 deny ip 1.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
50 deny ip 1.1.1.0 0.0.0.255 10.20.0.0 0.0.255.255
60 deny ip 10.1.40.0 0.0.3.255 10.2.0.0 0.0.255.255
70 deny ip 10.1.40.0 0.0.3.255 10.20.0.0 0.0.255.255
80 permit ip 10.2.40.0 0.0.3.255 10.2.0.0 0.0.255.255
90 permit ip 10.2.40.0 0.0.3.255 10.20.0.0 0.0.255.255
100 permit ip 10.2.40.0 0.0.3.255 172.16.0.0 0.0.0.255
110 permit ip 10.2.40.0 0.0.3.255 172.31.255.0 0.0.0.255
120 deny ip 10.2.40.0 0.0.3.255 any
130 permit ip 1.1.1.0 0.0.0.255 any
140 permit ip 10.1.40.0 0.0.3.255 any
150 deny ip any any
IP packets sent from 1.1.1.11 to a local host 10.2.40.10 (secondary subnet on the interface) are not blocked by the ACL since the host is responding to me...the same behaviour is happening with packets sent from 1.1.1.11 to remote host 10.2.60.10
BTW the tests done were not simple pings since these are permitted in the ACL (no deny icmp entries are configured)
Has anyone experienced a problem similar to this?
Any suggestions are appreciated
09-09-2009 05:56 AM
You have the wrong direction on the ACL. It should be 'out' instead of 'in'.
In the egress direction, the source is your subnets listed below and the destination is the remote networks.
In the ingress direction, the source is the remote networks and the destination is your subnets.
HTH,
__
Edison.
09-09-2009 12:35 PM
Hi Edison,
thanks for your answer but I need the ACL in ingress since the primary and all the secondary IP subnets are checked on ingress on the VLAN to be sure that only the IP subnets defined in the ACL are permitted through the switch (antispoofing check)
If the traffic is from the primary IP subnet destined to a secondary IP subnet on a remote switch connected via an IP backbone to this switch, the ACL should be placed as ingress on the VLAN so that this traffic is dropped near the source IPs...isn't it?
If I understand right, to block IP traffic originating from the primary IP subnet and destined to a secondary IP subnet on the same VLAN I should apply an ACL in egress???
But the traffic between two hosts on different IP subnets on the same VLAN is passing through the switch and is process/fast switched, so the switch should be able to block this request since proxy-arp is enabled and the traffic between different IP subnets on the same VLAN passes via the SVI interface of the switch....isn't it?
09-09-2009 12:52 PM
If you need it on ingress, then
deny ip 1.1.1.0 0.0.0.255 10.2.40.0 0.0.3.255
would be
deny ip 10.2.40.0 0.0.3.255 1.1.1.0 0.0.0.255
1.1.1.0/24 is already on that Vlan, so your option is to either block outbound - your first ACL will work -or- block inbound as you want but you need to flip the src|dst pair.
__
Edison.
09-09-2009 11:33 PM
Hi Edison,
Now I've got it about the problem regarding the traffic originating from the VLAN's primary IP subnet destined to the secondary IP subnet on the same VLAN...that's fine. Thanks!!!!
What I don't understand is why the traffic from the VLAN's primary IP subnet destined to a remote VLAN's secondary IP subnet (range 10.2.0.0 and range 10.20.0.0) is also passing through instead of being blocked by ACL entries 40 and 50, seeing that the ACL is in ingress on the VLAN
Saluti
Omar
09-10-2009 05:53 AM
What I don't understand is why the traffic from the VLAN's primary IP subnet destined to a remote VLAN's secondary IP subnet (range 10.2.0.0 and range 10.20.0.0) is also passing through instead of being blocked by ACL entries 40 and 50, seeing that the ACL is in ingress on the VLAN
The egress traffic won't be blocked, you will be blocking the ingress traffic (the return traffic from remote Vlans to your local Vlan).
Keep in mind, most traffic is bidirectional so if you ping from your local Vlan to the remote Vlan, the remote Vlan will receive the ICMP packet but the ICMP reply will be blocked by the ingress ACL.
___
Edison.
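The disagreement in this thread is about which ACE a given packet hits once the ACL is applied in a given direction. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the numbered ACL posted above (the unknown entries before sequence 20 are omitted), with Edison's proposed src/dst flip implemented as a transform. It models only Cisco wildcard-mask matching and first-match semantics; it does not model the 3750's forwarding path, so it tells you which entry a packet would match in each direction, not whether the platform applies the router ACL to that particular path (same-SVI routed traffic between secondary subnets is exactly the case worth confirming on the box with `show ip access-lists` hit counts).

```python
"""Toy first-match evaluator for Cisco-style numbered IP ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The ACL from the thread; the "..." entries before sequence 20 are unknown and omitted.
ACL_TEXT = """\
20 deny ip 1.1.1.0 0.0.0.255 10.2.40.0 0.0.3.255
30 deny ip 10.1.40.0 0.0.3.255 10.2.40.0 0.0.3.255
40 deny ip 1.1.1.0 0.0.0.255 10.2.0.0 0.0.255.255
50 deny ip 1.1.1.0 0.0.0.255 10.20.0.0 0.0.255.255
60 deny ip 10.1.40.0 0.0.3.255 10.2.0.0 0.0.255.255
70 deny ip 10.1.40.0 0.0.3.255 10.20.0.0 0.0.255.255
80 permit ip 10.2.40.0 0.0.3.255 10.2.0.0 0.0.255.255
90 permit ip 10.2.40.0 0.0.3.255 10.20.0.0 0.0.255.255
100 permit ip 10.2.40.0 0.0.3.255 172.16.0.0 0.0.0.255
110 permit ip 10.2.40.0 0.0.3.255 172.31.255.0 0.0.0.255
120 deny ip 10.2.40.0 0.0.3.255 any
130 permit ip 1.1.1.0 0.0.0.255 any
140 permit ip 10.1.40.0 0.0.3.255 any
150 deny ip any any
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    src: int      # base address as a 32-bit int
    src_wc: int   # wildcard mask as int: 1 bits are "don't care"
    dst: int
    dst_wc: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'SEQ ACTION ip SRC DST' lines; only the 'ip' protocol is modelled."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        seq, action, proto = int(t[0]), t[1], t[2]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled: {line}")
        src, src_wc, i = _parse_addr(t, 3)
        dst, dst_wc, _ = _parse_addr(t, i)
        aces.append(Ace(seq, action, src, src_wc, dst, dst_wc))
    return aces


def _wc_match(addr: int, base: int, wildcard: int) -> bool:
    # Bits set in the wildcard are ignored; all other bits must be equal.
    return (addr | wildcard) == (base | wildcard)


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """Return the first ACE matching the packet, or None for the implicit deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in acl:
        if _wc_match(s, ace.src, ace.src_wc) and _wc_match(d, ace.dst, ace.dst_wc):
            return ace
    return None


def flip(acl: List[Ace]) -> List[Ace]:
    """Swap src and dst of every ACE: the rewrite Edison proposes for ingress use."""
    return [Ace(a.seq, a.action, a.dst, a.dst_wc, a.src, a.src_wc) for a in acl]


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed test flows: the two from the thread plus the return direction.
    flows = [("1.1.1.11", "10.2.40.10"), ("1.1.1.11", "10.2.60.10"),
             ("10.2.60.10", "1.1.1.11"), ("10.2.40.10", "1.1.1.11")]
    for src, dst in flows:
        orig = first_match(ACL, src, dst)
        flipped = first_match(flip(ACL), src, dst)
        print(f"{src:>11} -> {dst:<11} original: seq {orig.seq} {orig.action:<6} "
              f"flipped: seq {flipped.seq} {flipped.action}")
```

Read the output per direction: with the ACL as posted, the forward packets from 1.1.1.11 hit deny entries 20 and 40, while the reply from 10.2.60.10 only falls through to entry 150; with the flipped ACL it is the reply that hits entry 40. Comparing the entry you expect a flow to hit against the hit counts the switch actually increments is the quickest way to tell a wrong ACE from a platform caveat.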