HSRP and Input Access list

Dear all,

I have two cat4006 with sup III in my network; the two switches are connected together, and interface VLANs are configured on both switches with HSRP configurations. Below is a sample of the configurations for the two switches:

C4K_Pri#
!
interface vlan 2
 ip address 172.25.5.2 255.255.255.0
 ip address 172.25.4.2 255.255.255.0 sec
 standby 2 ip 172.25.5.1
 standby 2 pri 150 preempt
 standby 3 ip 172.25.4.1
 standby 3 pri 150 preempt
!
interface vlan 3
 ip address 172.20.5.2 255.255.255.0
 standby 3 ip 172.20.5.1
 standby 3 pri 150 preempt
!

*********************************************************************************

C4k_Sec#
!
interface vlan 2
 ip address 172.25.5.3 255.255.255.0
 ip address 172.25.4.3 255.255.255.0 sec
 standby 2 ip 172.25.5.1
 standby 2 pri 50 preempt
 standby 3 ip 172.25.4.1
 standby 3 pri 50 preempt
!
interface vlan 3
 ip address 172.20.5.3 255.255.255.0
 standby 3 ip 172.20.5.1
 standby 3 pri 50 preempt
!

Everything is working fine, but when I apply the following access list:

"
access-list 101 premit ip 172.25.5.0 0.0.0.255 any
access-list 101 premit ip 172.25.4.0 0.0.0.255 any
access-list 101 permit udp an an
access-list 101 permit ip 224.0.0.0 0.255.255.255 any
access-list 101 deny ip any any
"

in the inbound direction on interface vlan 2 on the C4K_Pri switch, I lose communication with this interface, i.e. I cannot ping the main IP address or even the HSRP address.

So, could anyone give an explanation, and is there any workaround for this?

Thanks and best regards,

Ashraf


Re: HSRP and Input Access list

From where do you try to ping? What does a trace from the device you ping from say?

Can you ping from the router itself?


Re: HSRP and Input Access list

The following results state which pings fail and which do not, using extended ping from the C4K_Sec:

1) Src=172.20.5.3 ==> Des= 172.25.5.2 (Fail)

2) Src=172.20.5.3 ==> Des= 172.25.5.1 (HSRP add.) (Fail)

3) Src=172.20.5.3 ==> Des= 172.25.4.2 (Fail)

4) Src=172.20.5.3 ==> Des= 172.25.4.1 (HSRP add) (Fail)

(i.e. from interface vlan 3 as source, with any address of interface vlan 2 on the C4K_Pri as the destination, it fails)

5) Src=172.25.5.3 ==> Des= 172.25.5.2 (OK)

6) Src=172.25.5.3 ==> Des= 172.25.5.1 (OK)

7) Src=172.25.4.3 ==> Des= 172.25.4.2 (OK)

8) Src=172.25.4.3 ==> Des= 172.25.4.1 (OK)

Also, when I issue extended ping from the C4K_Pri, I get the following results:

1) Src=172.20.5.2 ==> Des= 172.25.5.2 (Fail)

2) Src=172.20.5.2 ==> Des= 172.25.5.1 (Fail)

3) Src=172.20.5.2 ==> Des= 172.25.4.2 (Fail)

4) Src=172.20.5.2 ==> Des= 172.25.4.1 (Fail)

5) Src=172.25.4.2 ==> Des= 172.25.5.2 (Fail)

6) Src=172.25.4.2 ==> Des= 172.25.5.1 (Fail)

Also, I tried a workstation with IP 172.20.5.10; it failed to ping any IP on interface vlan 2 on the C4K_Pri (where the ACL is applied).

I appreciate your help, thanks.


Re: HSRP and Input Access list

Does anyone have an explanation to the above behavior?

Regards


Re: HSRP and Input Access list

You need to permit 172.20.5.0 0.0.0.255 in access-list 101.


Re: HSRP and Input Access list

I'd suggest putting the 'log-input' keyword in the last line of the access list so that you can see, from the interface's perspective, what's getting dropped. This could shed some light on the situation.


Re: HSRP and Input Access list

I have put the "log-input" command on the "deny any any" at the end of the access list, and it shows that the access list drops any packet coming from 172.20.5.0.

Re: HSRP and Input Access list

omohamed is correct; you need to allow the 172.20.5 network in your access list. It is an inbound access-list that you placed on the primary switch, only allowing the 172.25.5.X and 172.25.4.X networks into the VLAN 2 switch. You need to add an additional line to allow the 172.20.5 network, as such...

access-list 101 permit ip 172.20.5.0 0.0.0.255 any

Hope this helps...


Re: HSRP and Input Access list

I don't know if you are pasting the list in as you showed us, but the first two permit statements are spelled wrong. Those are also the statements needed to make vlan 2 work.


Re: HSRP and Input Access list

Thanks for the reply. I applied what you said and it worked fine.

But I wonder why it works, since the access list is in the inbound direction and it permits a subnet that is not sourced from the attached interface (i.e. it permits 172.20.5.0/24 as the source address although this subnet is not sourced from interface vlan 2, where the access list is applied!!!)

Can anyone explain it to me?

Thanks and best regards,

Ashraf
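An added example, not code from the thread or from Cisco: a small simulator of IOS extended-ACL matching (wildcard masks, first match wins, implicit deny) run over the ping tests posted above. It shows that an inbound ACL on vlan 2 is evaluated against the source address of whatever arrives on that VLAN, whichever subnet it belongs to, which is why a permit for 172.20.5.0/24 is needed and why the final deny with log-input is what reveals the drops. The HSRP hello packet, the helper names and the placement of the fix before the final deny are assumptions of the example.

```python
import ipaddress
ANY = (0, 0xFFFFFFFF)  # 'any' = network 0.0.0.0 with wildcard 255.255.255.255

def _addr(tok):
    # 'any' (IOS accepts abbreviations such as 'an') or 'network wildcard'
    if "any".startswith(tok[0]):
        return ANY, tok[1:]
    net, wc = (int(ipaddress.IPv4Address(t)) for t in tok[:2])
    return (net, wc), tok[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src dst [log-input]' entries;
    a misspelled action such as 'premit' is rejected, as IOS would reject it."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"invalid ACL entry: {line}")
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        rules.append((tok[2], tok[3], src, dst, "log-input" in rest))
    return rules

def _match(rule_addr, ip):  # a set wildcard bit means 'don't care'
    net, wc = rule_addr
    return (int(ipaddress.IPv4Address(ip)) ^ net) & ~wc & 0xFFFFFFFF == 0
def evaluate(rules, proto, src, dst):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for action, rproto, rsrc, rdst, log in rules:
        if rproto in ("ip", proto) and _match(rsrc, src) and _match(rdst, dst):
            return action, log
    return "deny", False

# ACL 101 as posted (spelling corrected), with log-input on the final deny
ACL_101 = parse_acl([
    "access-list 101 permit ip 172.25.5.0 0.0.0.255 any",
    "access-list 101 permit ip 172.25.4.0 0.0.0.255 any",
    "access-list 101 permit udp an an",
    "access-list 101 permit ip 224.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip any any log-input",
])
# The suggested fix; it has to sit before the final deny to take effect
FIX = parse_acl(["access-list 101 permit ip 172.20.5.0 0.0.0.255 any"])
# Packets arriving on C4K_Pri vlan 2, constructed from the ping tests above
TESTS = [("icmp", "172.20.5.3", "172.25.5.2"),  # C4K_Sec test 1: Fail
         ("icmp", "172.20.5.3", "172.25.5.1"),  # test 2, HSRP address: Fail
         ("icmp", "172.25.5.3", "172.25.5.2"),  # test 5: OK
         ("udp", "172.25.5.3", "224.0.0.2")]    # HSRP hello from C4K_Sec: OK
def run(acl):
    return [evaluate(acl, *pkt)[0] for pkt in TESTS]
```

`run(ACL_101)` denies the two packets sourced from 172.20.5.3 and permits the rest; `run(FIX + ACL_101)` permits all four.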


Re: HSRP and Input Access list

Question about your HSRP setup. I see you're using standby group 3 for two different VLANs/interfaces. Am I wrong in saying you can only use one standby group (standby group 3, for example) on only ONE interface (only once)? Let me know.

- Matt


Re: HSRP and Input Access list

Hi Matthew,

You can only use one standby group on one interface.


Re: HSRP and Input Access list

You can use only one standby group per VLAN, i.e. you can span the same standby group across the whole switch if it has multiple VLANs configured, provided that the standby group is used once per VLAN.
