HSRP and Input Access list

awagih (Level 1)

Dear all,

I have two Cat4006 with Sup III in my network; the two switches are connected together, and interface VLANs are configured on both switches with HSRP. Below is a sample of the configuration for the two switches:

C4K_Pri#
!
interface vlan 2
 ip address 172.25.5.2 255.255.255.0
 ip address 172.25.4.2 255.255.255.0 sec
 standby 2 ip 172.25.5.1
 standby 2 pri 150 preempt
 standby 3 ip 172.25.4.1
 standby 3 pri 150 preempt
!
interface vlan 3
 ip address 172.20.5.2 255.255.255.0
 standby 3 ip 172.20.5.1
 standby 3 pri 150 preempt
!

*********************************************************************************

C4k_Sec#
!
interface vlan 2
 ip address 172.25.5.3 255.255.255.0
 ip address 172.25.4.3 255.255.255.0 sec
 standby 2 ip 172.25.5.1
 standby 2 pri 50 preempt
 standby 3 ip 172.25.4.1
 standby 3 pri 50 preempt
!
interface vlan 3
 ip address 172.20.5.3 255.255.255.0
 standby 3 ip 172.20.5.1
 standby 3 pri 50 preempt
!

Everything is working fine, but when I apply the following access list:

access-list 101 premit ip 172.25.5.0 0.0.0.255 any
access-list 101 premit ip 172.25.4.0 0.0.0.255 any
access-list 101 permit udp an an
access-list 101 permit ip 224.0.0.0 0.255.255.255 any
access-list 101 deny ip any any

in the inbound direction on interface vlan 2 on the C4K_Pri switch, I lose communication with this interface, i.e. I cannot ping the main IP address or even the HSRP address.

So, does anyone have an explanation, and is there any workaround for this?

Thanks and best Regards

Ashraf


u346874_2 (Level 1)

From where do you try to ping? What does a trace say from the device you ping from?

Can you ping from the router itself?

The following results show which pings fail and which do not, using extended ping from the C4K_Sec:

1) Src=172.20.5.3 ==> Des= 172.25.5.2 (Fail)

2) Src=172.20.5.3 ==> Des= 172.25.5.1 (HSRP add.) (Fail)

3) Src=172.20.5.3 ==> Des= 172.25.4.2 (Fail)

4) Src=172.20.5.3 ==> Des= 172.25.4.1 (HSRP add) (Fail)

(i.e. from interface vlan 3 as source to any address of interface vlan 2 on the C4K_Pri as destination, it fails)

5) Src=172.25.5.3 ==> Des= 172.25.5.2 (OK)

6) Src=172.25.5.3 ==> Des= 172.25.5.1 (OK)

7) Src=172.25.4.3 ==> Des= 172.25.4.2 (OK)

8) Src=172.25.4.3 ==> Des= 172.25.4.1 (OK)

Also, when I issue extended ping from the C4K_Pri, I get the following results:

1) Src=172.20.5.2 ==> Des= 172.25.5.2 (Fail)

2) Src=172.20.5.2 ==> Des= 172.25.5.1 (Fail)

3) Src=172.20.5.2 ==> Des= 172.25.4.2 (Fail)

4) Src=172.20.5.2 ==> Des= 172.25.4.1 (Fail)

5) Src=172.25.4.2 ==> Des= 172.25.5.2 (Fail)

6) Src=172.25.4.2 ==> Des= 172.25.5.1 (Fail)

Also, I tried a workstation with IP 172.20.5.10; it failed to ping any IP on interface vlan 2 on the C4K_Pri (where the ACL is applied).

I appreciate your help, thanks.

Does anyone have an explanation to the above behavior?

Regards

you need to permit 172.20.5.0 0.0.0.255 in the access-list 101..

I'd suggest putting the 'log-input' keyword in the last line of the access list so that you can see, from the interface's perspective, what's getting dropped. This could shed some light on the situation.

I have put the "log-input" keyword on the "deny any any" at the end of the access list, and it shows that the access list drops any packet coming from 172.20.5.0.

omohamed is correct, you need to allow the 172.20.5 network in your access list. It is an inbound access-list that you placed on the primary switch, only allowing the 172.25.5.X and 172.25.4.X networks into the VLAN 2 switch. You need to add an additional line to allow the 172.20.5 network, as such...

access-list 101 permit ip 172.20.5.0 0.0.0.255 any

Hope this helps...

I don't know if you are pasting the list in as you showed us, but the first two permit statements are spelled wrong. Those are also the statements needed to make vlan 2 work.

Thanks for the reply I applied what you said and it worked fine.

But I wonder why it works, since the access list is in the inbound direction and it permits a subnet that is not sourced from the attached interface (i.e. it permits 172.20.5.0/24 as the source address although this subnet is not sourced from interface Vlan 2 where the access list is applied!!!)

can anyone explain it to me?

Thanks and best Regards

Ashraf
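A small evaluator for the ACL in this thread, added here as an illustration and not code posted by anyone in the discussion: it rejects the two misspelled lines as invalid actions (the point raised about "premit"), and it answers the follow-up question by showing that the inbound ACL is matched on the packet's own source address, not on the subnet of the interface it arrives through, so a ping sourced from 172.20.5.x that enters vlan 2 of C4K_Pri hits the final deny until the suggested line is added. The names ACL_AS_POSTED, ACL_CORRECTED, ACL_FIXED, parse_ace and evaluate are mine, and only address and protocol matching is modelled (no port operators).

```python
import ipaddress
# Constructed copy of the ACL as posted; lines 1 and 2 carry the "premit" typo
# that a later reply points out, so parse_ace() rejects them.
ACL_AS_POSTED = [
    "access-list 101 premit ip 172.25.5.0 0.0.0.255 any",
    "access-list 101 premit ip 172.25.4.0 0.0.0.255 any",
    "access-list 101 permit udp an an",
    "access-list 101 permit ip 224.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip any any",
]
# Typo corrected, and then with the line suggested in the thread added.
ACL_CORRECTED = [l.replace("premit", "permit") for l in ACL_AS_POSTED]
ACL_FIXED = ACL_CORRECTED[:-1] + [
    "access-list 101 permit ip 172.20.5.0 0.0.0.255 any"] + ACL_CORRECTED[-1:]

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    """Consume one address spec at tok[i] -> ((network, mask), next index).
    IOS accepts unambiguous abbreviations, so 'an' counts as 'any'."""
    if "any".startswith(tok[i]):
        return (0, 0), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0xFFFFFFFF), i + 2
    mask = ~_ip(tok[i + 1]) & 0xFFFFFFFF   # wildcard 0 bits must match
    return (_ip(tok[i]) & mask, mask), i + 2

def parse_ace(line):
    """Split 'access-list N <action> <proto> <src> <dst>' into its parts."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"invalid action {action!r} in: {line}")
    src, i = _addr(tok, 4)
    dst, _ = _addr(tok, i)
    return action, proto, src, dst

def evaluate(acl, proto, src_ip, dst_ip):
    """First match wins, as in IOS; returns (action, line number), or the
    implicit deny. Only the packet's own addresses are tested, never the
    subnet of the interface the packet arrived on."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for n, line in enumerate(acl, 1):
        action, p, (snet, smask), (dnet, dmask) = parse_ace(line)
        if p in ("ip", proto) and s & smask == snet and d & dmask == dnet:
            return action, n
    return "deny", None

# evaluate(ACL_CORRECTED, "icmp", "172.20.5.3", "172.25.5.2") -> ("deny", 5)
```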

Question about your HSRP setup. I see you're using standby group 3 for two different VLANs/interfaces. Am I wrong in saying you can only use one standby group (standby group 3, for example) on only ONE interface (only once)? Lemme know..

- Matt

Hi Matthew,

You can only use one standby group on one interface..

You can use only one standby group per VLAN, i.e. you can span the same standby group across the whole switch if it has multiple VLANs configured, provided that the standby group is used once per VLAN.
