Cisco Support Community
Interface vlan - ACL - pinging issues.

I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.

Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.

So, what we have is:

    UD-1     UD-1B
        \   /
         UA

Int vlans are configured on both UDs and the vlan is allowed on the trunk that connects the UD to the UA.

There's an ACL blocking traffic to the int vlan 225 ip that is configured in the UA, but there's no ACL on the vlan 185 (the same IP that I'm trying to ping).

So, why is this happening?

configs:

UD-1A:

interface Vlan185
 ip address 10.8.185.3 255.255.255.0
interface Vlan225
 ip address 10.18.225.3 255.255.255.0
 ip access-group ud1 in
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk

---------------------------

UD-1B:

interface Vlan185
 ip address 10.8.185.4 255.255.255.0
interface Vlan225
 ip address 10.18.225.4 255.255.255.0
 ip access-group al_rpf_sre_ud1_pro in
interface GigabitEthernet4/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk

-----------------------------

interface Vlan185
 ip address 10.8.185.7 255.255.255.0
 ip access-group ro in
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk
interface GigabitEthernet1/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 225
 switchport trunk allowed vlan 185,225
 switchport mode trunk

------------------

So, when I ping 10.8.185.7 I get:

GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4

%SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets

-------------------

Anybody?

2 REPLIES

Re: Interface vlan - ACL - pinging issues.

Hi,

I believe that this is what is happening... You are pinging from the 10.18.232.58 address. This packet has to be inter-vlan routed from vlan 225 to 185. Since the packet enters interface vlan225 in an inbound direction, the inbound ACL applied to vlan225 is applied to the packet. The packet is denied by this ACL and that's why you see the error.

In such cases you have to consider ACLs applied to both the VLAN you are coming from as well as the VLAN you are going to.

Hope that helps - pls rate the post if it does.

Paresh
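
As an added illustration of the rule in this reply (it is not IOS code and not the poster's own), the Python model below works out which inbound SVI ACL a packet coming off a trunk is checked against: the frame lands in the VLAN of its 802.1Q tag, or in the trunk's native VLAN when untagged, and the inbound ACL of that ingress SVI applies before routing. It uses the UD-1A config from the question (Gi1/1 with native VLAN 225, Vlan225 with ud1 inbound); the body of the ud1 ACL is constructed, since it is not posted.

```python
# Added illustration (not IOS code) of which inbound SVI ACL a routed packet
# hits. Model: a frame arriving on a trunk lands in the VLAN of its 802.1Q tag,
# or in the trunk's native VLAN if untagged; a packet routed between SVIs is
# checked against the inbound ACL of the SVI it entered on, not the one it
# is routed towards.
import ipaddress

net = ipaddress.ip_network
ANY = net("0.0.0.0/0")

def acl_verdict(acl, proto, src, dst):
    """ACL entries are (action, protocol, src net, dst net); first match wins,
    then the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in acl:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return "deny"

def ingress_vlan(native_vlan, allowed, tag):
    """VLAN an incoming trunk frame is placed in, or None if not carried."""
    vlan = native_vlan if tag is None else tag
    return vlan if vlan in allowed else None

def route_check(svi_acl_in, acls, native_vlan, allowed, tag, proto, src, dst):
    """Return (ingress vlan, ACL consulted, verdict) for a packet off the trunk.
    svi_acl_in maps VLAN id -> name of the inbound ACL on that SVI, or None."""
    vlan = ingress_vlan(native_vlan, allowed, tag)
    if vlan is None:
        return (None, None, "drop")      # VLAN not allowed on the trunk
    acl_name = svi_acl_in[vlan]
    if acl_name is None:
        return (vlan, None, "permit")    # no inbound ACL on this SVI
    return (vlan, acl_name, acl_verdict(acls[acl_name], proto, src, dst))

# UD-1A as posted: Vlan185 has no ACL, Vlan225 has "ud1" inbound, and the
# Gi1/1 trunk carries 185 and 225 with 225 as native VLAN. The body of "ud1"
# is not on the page; this constructed one only permits ICMP sourced from
# 10.18.225.0/24.
UD1A_SVI_ACL_IN = {185: None, 225: "ud1"}
UD1A_ACLS = {"ud1": [("permit", "icmp", net("10.18.225.0/24"), ANY)]}
GI1_1_NATIVE, GI1_1_ALLOWED = 225, {185, 225}

def echo_reply_verdict(tag):
    """The reply from the posted log line, 10.8.185.7 -> 10.18.232.58, arriving
    on Gi1/1 with the given 802.1Q tag (None = untagged)."""
    return route_check(UD1A_SVI_ACL_IN, UD1A_ACLS, GI1_1_NATIVE, GI1_1_ALLOWED,
                       tag, "icmp", "10.8.185.7", "10.18.232.58")
```

The same packet is permitted when it arrives tagged for VLAN 185 (no ACL on that SVI) and denied when it arrives untagged, because it then enters via the native VLAN 225 SVI and its inbound ACL.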

Re: Interface vlan - ACL - pinging issues.

Hello Paresh,

thanks for replying.

But actually I don't think this is what's happening.

Because 10.18.232.58 comes from an uplink (core router), which enters on a different interface.

Let me give you the configs:

Uplinks:

interface GigabitEthernet3/1
 no switchport
 ip address 10.18.192.26 255.255.255.252

And the core is doing load-balancing to reach the UA.

So, ICMP packets are arriving from these 2 interfaces: the uplink gi3/1 (router port) and the link that connects the UA switch.

So, pinging from the BC you have 2 ways to get to the UA, via UD1 and UD1-B; when it reaches UD1-B it goes to the vlan (i.e. goes down to the UA and up to UD1A).

Not sure if this is helping.

If you need any other info let me know.

This is killing me.