ACLs on VLAN not isolating traffic

lovembsc89
Level 1

I am trying to isolate network 192.168.100.x 255.255.255.0 from the rest of our network.  I have connected the two switches via a cable between port 24 on each, and placed those ports on VLAN700.  When we connect to the isolated network, we still have access to the other networks.  No matter what I do, VLAN700 still says "shutdown" too.  I have posted the config of both switches.  Any suggestions?  Thanks in advance for the assistance.

Configuration of Catalyst 4507:

vtp domain *****
vtp mode transparent
ip subnet-zero
!

no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!

redundancy
mode sso
!
!
!
vlan internal allocation policy asce
!
vlan 10
!
vlan 100
!
vlan 200
!
vlan 300
!
vlan 400
!
vlan 500
!
vlan 600
!
vlan 700
name wireless
shutdown
!
vlan 800
shutdown
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet2/2
!
interface GigabitEthernet3/1
switchport access vlan 100
!
interface GigabitEthernet3/2
switchport access vlan 100
!
interface GigabitEthernet3/3
switchport access vlan 100
!
interface GigabitEthernet3/4
switchport access vlan 100
!
interface GigabitEthernet3/5
switchport access vlan 100
!
interface GigabitEthernet3/6
switchport access vlan 100
!
interface GigabitEthernet4/1
switchport access vlan 100
!
interface GigabitEthernet4/2
switchport access vlan 100
!
interface GigabitEthernet4/3
switchport access vlan 100
!
interface GigabitEthernet4/4
switchport access vlan 100
!
interface GigabitEthernet4/5
switchport access vlan 100
!
interface GigabitEthernet4/6
switchport access vlan 100
!
interface GigabitEthernet5/1
switchport access vlan 100
!
interface GigabitEthernet5/2
switchport access vlan 100
!
interface GigabitEthernet5/3
switchport access vlan 100
!
interface GigabitEthernet5/4
switchport access vlan 100
!
interface GigabitEthernet5/5
switchport access vlan 100
!
interface GigabitEthernet5/6
switchport access vlan 100
!
interface GigabitEthernet6/1
!
interface GigabitEthernet6/2
!
interface GigabitEthernet6/3
!
interface GigabitEthernet6/4
!
interface GigabitEthernet6/5
!
interface GigabitEthernet6/6
!
interface GigabitEthernet7/1
switchport access vlan 500
switchport mode access
!
interface GigabitEthernet7/2
switchport access vlan 600
switchport mode access
!
interface GigabitEthernet7/3
switchport access vlan 400
switchport mode access
!
interface GigabitEthernet7/4
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet7/5
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet7/6
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/9
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/10
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/11
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/12
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/13
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/14
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/15
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/16
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/17
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/18
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/19
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/20
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/21
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/22
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/23
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet7/25
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/26
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/27
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/28
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/29
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/30
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/31
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/32
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/33
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/34
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/35
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/36
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/37
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/38
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/39
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/40
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/41
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/42
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/43
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/44
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/45
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/46
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/47
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/48
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
ip address 172.16.0.1 255.255.0.0
ip access-group 101 in
!
interface Vlan200
ip address 192.168.20.1 255.255.255.0
!
interface Vlan300
ip address 192.168.30.1 255.255.255.0
!
interface Vlan400
ip address 192.168.40.1 255.255.255.0
!
interface Vlan500
ip address 192.168.50.1 255.255.255.0
!
interface Vlan600
ip address 192.168.60.1 255.255.255.0
!
interface Vlan700
ip address 192.168.100.24 255.255.255.0
ip access-group 102 in
!
interface Vlan800
ip address 192.168.80.1 255.255.255.0
!
router eigrp 100
redistribute static
network 172.16.0.0
network 192.168.10.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.0.25
ip route 10.8.2.0 255.255.255.0 172.16.0.111
ip route 10.8.151.0 255.255.255.0 172.16.0.111
ip route 10.9.1.0 255.255.255.0 172.16.0.111
ip route 10.9.2.0 255.255.255.0 172.16.0.111
ip route 10.10.9.0 255.255.255.0 172.16.0.111
ip route 10.10.10.0 255.255.255.0 172.16.0.111
ip route 10.10.120.0 255.255.252.0 172.16.0.111
ip route 10.255.200.0 255.255.255.0 172.16.200.30
ip route 100.15.0.0 255.255.0.0 172.16.0.240
ip route 192.168.15.0 255.255.255.0 172.16.0.12
ip route 192.168.66.0 255.255.255.0 172.16.0.12
ip route 192.168.250.0 255.255.255.0 172.16.0.12
no ip http server
!
!
!
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

Configuration of Catalyst 3500XL:

!
ip subnet-zero
no ip domain-lookup
!
!
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
spanning-tree portfast
!
interface FastEthernet0/11
spanning-tree portfast
!
interface FastEthernet0/12
spanning-tree portfast
!
interface FastEthernet0/13
spanning-tree portfast
!
interface FastEthernet0/14
spanning-tree portfast
!
interface FastEthernet0/15
spanning-tree portfast
!
interface FastEthernet0/16
spanning-tree portfast
!
interface FastEthernet0/17
spanning-tree portfast
!
interface FastEthernet0/18
spanning-tree portfast
!
interface FastEthernet0/19
spanning-tree portfast
!
interface FastEthernet0/20
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/1
mtu 1600
duplex full
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface VLAN1
ip address 172.16.0.15 255.255.0.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN700
ip access-group 102 out
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 172.16.0.1
snmp-server engineID local 0000000902000004C12B05C0
snmp-server community private RW
snmp-server community public RO

42 Replies

I added port 0/20 on the 3500XL to vlan 700 (???):

interface FastEthernet0/20
switchport access vlan 700
spanning-tree portfast

RC-24-cr1#sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/21,
                                                Fa0/22, Fa0/23, Gi0/2
10   VLAN0010                         active
200  VLAN0200                         active
600  VLAN0600                         active
700  VLAN0700                         active    Fa0/20
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Still showing vlan 700 as act/lshut on 4507:

4507#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi2/1, Gi2/2
                                                Gi6/1, Gi6/2, Gi6/3, Gi6/4
                                                Gi6/5, Gi6/6, Gi7/48
10                                    active
100                                   active    Gi3/1, Gi3/2, Gi3/3, Gi3/4
                                                Gi3/5, Gi3/6, Gi4/1, Gi4/2
                                                Gi4/3, Gi4/4, Gi4/5, Gi4/6
                                                Gi5/1, Gi5/2, Gi5/3, Gi5/4
                                                Gi5/5, Gi5/6, Gi7/6, Gi7/7
                                                Gi7/8, Gi7/9, Gi7/10, Gi7/11
                                                Gi7/12, Gi7/13, Gi7/14, Gi7/15
                                                Gi7/16, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23
                                                Gi7/25, Gi7/26, Gi7/27, Gi7/28
                                                Gi7/29, Gi7/30, Gi7/31, Gi7/32
                                                Gi7/33, Gi7/34, Gi7/35, Gi7/36
                                                Gi7/37, Gi7/38, Gi7/39, Gi7/40
                                                Gi7/41, Gi7/42, Gi7/43, Gi7/44
                                                Gi7/45, Gi7/46, Gi7/47
200                                   active    Gi7/4
300                                   active    Gi7/5

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
400                                   active    Gi7/3
500                                   active    Gi7/1
600                                   active    Gi7/2
700                                   act/lshut
800  VLAN0800                         act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Terri

On the 4500 -

4500(config)# no vlan 700

4500(config)# vlan 700

4500(config-vlan)# name vlan700

then please post

"sh int trunk" and "sh vlan brief" from the 4500 again.

Jon

Looks good.

4507#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600,700

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600
4507#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi2/1, Gi2/2
                                                Gi6/1, Gi6/2, Gi6/3, Gi6/4
                                                Gi6/5, Gi6/6, Gi7/48
10                                    active
100                                   active    Gi3/1, Gi3/2, Gi3/3, Gi3/4
                                                Gi3/5, Gi3/6, Gi4/1, Gi4/2
                                                Gi4/3, Gi4/4, Gi4/5, Gi4/6
                                                Gi5/1, Gi5/2, Gi5/3, Gi5/4
                                                Gi5/5, Gi5/6, Gi7/6, Gi7/7
                                                Gi7/8, Gi7/9, Gi7/10, Gi7/11
                                                Gi7/12, Gi7/13, Gi7/14, Gi7/15
                                                Gi7/16, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23
                                                Gi7/25, Gi7/26, Gi7/27, Gi7/28
                                                Gi7/29, Gi7/30, Gi7/31, Gi7/32
                                                Gi7/33, Gi7/34, Gi7/35, Gi7/36
                                                Gi7/37, Gi7/38, Gi7/39, Gi7/40
                                                Gi7/41, Gi7/42, Gi7/43, Gi7/44
                                                Gi7/45, Gi7/46, Gi7/47
200                                   active    Gi7/4
300                                   active    Gi7/5

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
400                                   active    Gi7/3
500                                   active    Gi7/1
600                                   active    Gi7/2
700  vlan700                          active
800  VLAN0800                         act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Okay, that's better.

Can you try accessing 172.16.0.x from 192.168.0.x now and see.

Edit - just noticed vlan 700 is pruned off the trunk link. On the 3500xl have you allocated a port into vlan 700?

Jon

I can still access the 172.16.0.x network from the 192.168.100.x network.

I have allocated port 20 on the 3500XL to vlan700:

interface FastEthernet0/20
switchport access vlan 700
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk

Thoughts?

Terri

Which port(s) are the 192.168.100.x clients attached to?

Jon

The wireless router is in port 0/24, and the clients are coming through it.

I thought port 24 was a trunk link to the 4500 switch.

Let's step back a bit.

On the 4500 you have vlan 700 at L2 and you have a L3 SVI for vlan 700. You have an acl applied to that L3 SVI in an inbound direction denying ip from 192.168.100.x to 172.16.0.x and then allowing all other traffic from 192.168.100.x.

On the 3500xl you have vlan 700 at L2 and you should have allocated the port the wireless router connects into to be in vlan 700. All other ports on the 3500XL switch do not have devices in vlan 700 - is that correct?

If so can you post output of -

"sh int trunk" from 4500

"sh run" from the 3500XL

Jon

Jon, so sorry, the wireless router is in 0/20 on the 3500XL, not 0/24.  I guess that really was confusing.

Here's what you asked for:

4507#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600,700

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600,700
4507#

sh run from 3500XL


!
ip subnet-zero
no ip domain-lookup
!
!
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
spanning-tree portfast
!
interface FastEthernet0/11
spanning-tree portfast
!
interface FastEthernet0/12
spanning-tree portfast
!
interface FastEthernet0/13
spanning-tree portfast
!
interface FastEthernet0/14
spanning-tree portfast
!
interface FastEthernet0/15
spanning-tree portfast
!
interface FastEthernet0/16
spanning-tree portfast
!
interface FastEthernet0/17
spanning-tree portfast
!
interface FastEthernet0/18
spanning-tree portfast
!
interface FastEthernet0/19
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 700
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
mtu 1600
duplex full
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface VLAN1
ip address 172.16.0.15 255.255.0.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 172.16.0.1
snmp-server engineID local 0000000902000004C12B05C0
snmp-server community private RW
snmp-server community public RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password 7 120B061611595C
login
line vty 5 15
login
!
end

RC-24-cr1#

Access List info from 4507:

!
interface Vlan700
ip address 192.168.100.24 255.255.255.0
ip access-group 102 in

!
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
!

Terri

From a device on vlan 700 can you do a traceroute to a 172.16.0.x address. If the device is windows the command will be tracert.

After you have done this can you also post the output of "sh access-list 102" from the 4500 switch.

Jon

This tracert is from client 192.168.100.2 using the wireless router, which is 192.168.100.1

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>tracert 172.16.0.43
Tracing route to 172.16.0.43 over a maximum of 30 hops
  1    23 ms     2 ms     2 ms  192.168.100.1
  2    15 ms     2 ms     2 ms  172.16.0.43
Trace complete.

4507#sh access-list 102
Extended IP access list 102
    10 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
    20 permit ip 192.168.100.0 0.0.0.255 any
4507#

We had a jack mislabeled, so now that the correct cable is in the correct switch port, we are not seeing any other networks besides 192.168.100.x.  That means, of course, that there is no internet connectivity, because, as I mentioned before, the firewall interface is 172.16.0.25.

Thoughts?

Terri

The fact that the firewall has a 172.16.0.x address should not stop your clients accessing the internet because they will never use the firewall address as the destination address, i.e. when they connect to the internet they are using destination addresses on the internet. Your acl will allow this traffic because the destination address is not the firewall.

Have you set up NAT correctly for the 192.168.100.x network on the firewall?

Does the firewall know how to route back to the 192.168.100.x network, i.e. does your firewall have a route along the lines of -

route  192.168.100.0 255.255.255.0  <172.16.0.x address on 4500 switch>

Note the syntax might be different depending on your firewall.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Wireless router can now only see clients and itself.  I cannot ping the ip address of the vlan on the 4507 (192.168.100.24).   There is no way to set a gateway on the 3COM OfficeConnect 109Mbps Cable/DSL router, as it uses itself as the gateway for the clients.  When I tracert to the vlan address from the client, I get no reply.  If I need to set a route on the 4507, I would have no idea what it would be, since the vlan is on the same network as the 3Com.

Ideas?

Terri

I think that the suggestion from Jon in a previous post that we step back and try to understand the network is a very good idea. In previous posts you have talked about a wireless router and in this post you talk about a 3COM OfficeConnect 109Mbps Cable/DSL router. Is this the wireless router or is it different?

If I am understanding correctly you have client workstations connected to some wireless router and the clients have addresses in the network 192.168.100.0, and they probably are assigned those addresses by the wireless router which acts as a DHCP server for its LAN subnet. If that is the case then I am guessing that where the wireless router is connected to the switch is not using an address in 192.168.100.0. And most wireless routers are set to perform address translation when traffic from their "LAN" stations is forwarded out their "WAN" interface. So I suggest that you investigate your wireless router and determine what address it is using on its "WAN" interface and whether it is performing address translation for the client workstations. When we know that we will be in much better position to know what you must do on your switch.

HTH

Rick
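Both Jon's "step back" post above and Rick's question about NAT on the wireless router come down to one thing: which source and destination addresses the ACL on the Vlan700 SVI actually sees. The Python below is an added example (mine, not code from the thread or from Cisco) that models access-list 102 from the posted 4507 config with IOS-style wildcard matching and the implicit deny, then runs it over a few constructed flows: the client/target pair from the tracert in the thread, a host that sits in the 172.16.0.0/16 Vlan100 subnet but outside 172.16.0.0/24, an outside address from the documentation range, and the same client after a hypothetical source NAT to 172.16.0.77 (a made-up WAN address). The NAT step and that WAN address are assumptions for illustration; the ACL lines and subnet values are the ones posted.

```python
"""Added example: evaluate the thread's access-list 102 against sample flows.

Models IOS behaviour: entries are checked in order, the first match wins,
and an ACL that matches nothing ends in an implicit deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any" or "<address> <wildcard>", exactly as typed in IOS
    dst: str


def matches(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[AclEntry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number); (deny, None) is the implicit deny."""
    for entry in acl:
        if matches(src, entry.src) and matches(dst, entry.dst):
            return entry.action, entry.seq
    return "deny", None


def wildcard_to_network(spec: str) -> ipaddress.IPv4Network:
    """Convert '<address> <wildcard>' to a prefix (contiguous wildcards only)."""
    base, wildcard = spec.split()
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):   # bits not contiguous from the low end, e.g. 0.0.255.0
        raise ValueError(f"wildcard {wildcard} is not a prefix-style mask")
    netmask = ipaddress.IPv4Address(~w & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{base}/{netmask}", strict=False)


def not_covered_by(deny_dst: str, protected: str) -> List[ipaddress.IPv4Network]:
    """Parts of `protected` that a deny written with `deny_dst` never reaches."""
    denied = wildcard_to_network(deny_dst)
    net = ipaddress.IPv4Network(protected)
    if net.subnet_of(denied):
        return []
    if denied.subnet_of(net):
        return list(net.address_exclude(denied))
    return [net]


def source_nat(src: str, inside: str, wan_addr: str) -> str:
    """What a NATing router does to the source before the switch sees the packet."""
    if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(inside):
        return wan_addr
    return src


# access-list 102 as posted for the 4507 (applied "in" on interface Vlan700).
ACL_102 = [
    AclEntry(10, "deny",   "192.168.100.0 0.0.0.255", "172.16.0.0 0.0.0.255"),
    AclEntry(20, "permit", "192.168.100.0 0.0.0.255", "any"),
]

# Constructed sample flows (see lead-in); 172.16.0.77 is a made-up WAN address.
SAMPLE_FLOWS = [
    ("192.168.100.2", "172.16.0.43"),      # the tracert from the thread
    ("192.168.100.2", "172.16.200.30"),    # in Vlan100's /16, outside the denied /24
    ("192.168.100.2", "203.0.113.10"),     # an outside destination
    (source_nat("192.168.100.2", "192.168.100.0/24", "172.16.0.77"), "172.16.0.43"),
]


def report() -> dict:
    """Evaluate every sample flow and list the /16 space the deny does not cover."""
    results = {flow: evaluate(ACL_102, *flow) for flow in SAMPLE_FLOWS}
    gaps = not_covered_by("172.16.0.0 0.0.0.255", "172.16.0.0/16")
    return {"results": results, "gaps": gaps}


if __name__ == "__main__":
    out = report()
    for (src, dst), (action, seq) in out["results"].items():
        print(f"{src:>15} -> {dst:<15} {action} (seq {seq})")
    print("172.16.0.0/16 space the deny never touches:", [str(g) for g in out["gaps"]])
```

Two things this makes visible. The deny at seq 10 is written with wildcard 0.0.0.255, so it only covers 172.16.0.0/24, while the Vlan100 SVI is 172.16.0.0/16; a host such as 172.16.200.30 falls through to the permit at seq 20. And once a router translates the clients to a WAN address outside 192.168.100.0/24, neither line matches and the traffic lands on the implicit deny, if it reaches Vlan700 at all, which is why Rick asks for the router's WAN address before changing anything on the switch.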
