Cisco Support Community
New Member

ACL's on VLAN not isolating traffic

I am trying to isolate network 192.168.100.x 255.255.255.0 from the rest of our network.  I have connected the two switches via a cable between port 24 on each, and placed those ports on VLAN700.  When we connect to the isolated network, we still have access to the other networks.  No matter what I do, VLAN700 still says "shutdown" too.  I have posted the config of both switches.  Any suggestions?  Thanks in advance for the assistance.

Configuration of Catalyst 4507:


vtp domain *****
vtp mode transparent
ip subnet-zero
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
redundancy
mode sso
!
!
!
vlan internal allocation policy ascending
!
vlan 10
!
vlan 100
!
vlan 200
!
vlan 300
!
vlan 400
!
vlan 500
!
vlan 600
!
vlan 700
name wireless
shutdown
!
vlan 800
shutdown
!
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
switchport trunk encapsulation dot1q
!
interface GigabitEthernet2/2
!
interface GigabitEthernet3/1
switchport access vlan 100
!
interface GigabitEthernet3/2
switchport access vlan 100
!
interface GigabitEthernet3/3
switchport access vlan 100
!
interface GigabitEthernet3/4
switchport access vlan 100
!
interface GigabitEthernet3/5
switchport access vlan 100
!
interface GigabitEthernet3/6
switchport access vlan 100
!
interface GigabitEthernet4/1
switchport access vlan 100
!
interface GigabitEthernet4/2
switchport access vlan 100
!
interface GigabitEthernet4/3
switchport access vlan 100
!
interface GigabitEthernet4/4
switchport access vlan 100
!
interface GigabitEthernet4/5
switchport access vlan 100
!
interface GigabitEthernet4/6
switchport access vlan 100
!
interface GigabitEthernet5/1
switchport access vlan 100
!
interface GigabitEthernet5/2
switchport access vlan 100
!
interface GigabitEthernet5/3
switchport access vlan 100
!
interface GigabitEthernet5/4
switchport access vlan 100
!
interface GigabitEthernet5/5
switchport access vlan 100
!
interface GigabitEthernet5/6
switchport access vlan 100
!
interface GigabitEthernet6/1
!
interface GigabitEthernet6/2
!
interface GigabitEthernet6/3
!
interface GigabitEthernet6/4
!
interface GigabitEthernet6/5
!
interface GigabitEthernet6/6
!
interface GigabitEthernet7/1
switchport access vlan 500
switchport mode access
!
interface GigabitEthernet7/2
switchport access vlan 600
switchport mode access
!
interface GigabitEthernet7/3
switchport access vlan 400
switchport mode access
!
interface GigabitEthernet7/4
switchport access vlan 200
switchport mode access
!
interface GigabitEthernet7/5
switchport access vlan 300
switchport mode access
!
interface GigabitEthernet7/6
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/8
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/9
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/10
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/11
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/12
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/13
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/14
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/15
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/16
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/17
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/18
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/19
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/20
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/21
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/22
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/23
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet7/25
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/26
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/27
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/28
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/29
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/30
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/31
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/32
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/33
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/34
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/35
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/36
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/37
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/38
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/39
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/40
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/41
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/42
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/43
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/44
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/45
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/46
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/47
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet7/48
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
interface Vlan100
ip address 172.16.0.1 255.255.0.0
ip access-group 101 in
!
interface Vlan200
ip address 192.168.20.1 255.255.255.0
!
interface Vlan300
ip address 192.168.30.1 255.255.255.0
!
interface Vlan400
ip address 192.168.40.1 255.255.255.0
!
interface Vlan500
ip address 192.168.50.1 255.255.255.0
!
interface Vlan600
ip address 192.168.60.1 255.255.255.0
!
interface Vlan700
ip address 192.168.100.24 255.255.255.0
ip access-group 102 in
!
interface Vlan800
ip address 192.168.80.1 255.255.255.0
!
router eigrp 100
redistribute static
network 172.16.0.0
network 192.168.10.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 172.16.0.25
ip route 10.8.2.0 255.255.255.0 172.16.0.111
ip route 10.8.151.0 255.255.255.0 172.16.0.111
ip route 10.9.1.0 255.255.255.0 172.16.0.111
ip route 10.9.2.0 255.255.255.0 172.16.0.111
ip route 10.10.9.0 255.255.255.0 172.16.0.111
ip route 10.10.10.0 255.255.255.0 172.16.0.111
ip route 10.10.120.0 255.255.252.0 172.16.0.111
ip route 10.255.200.0 255.255.255.0 172.16.200.30
ip route 100.15.0.0 255.255.0.0 172.16.0.240
ip route 192.168.15.0 255.255.255.0 172.16.0.12
ip route 192.168.66.0 255.255.255.0 172.16.0.12
ip route 192.168.250.0 255.255.255.0 172.16.0.12
no ip http server
!
!
!
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

Configuration of Catalyst 3500XL

!
ip subnet-zero
no ip domain-lookup
!
!
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
spanning-tree portfast
!
interface FastEthernet0/11
spanning-tree portfast
!
interface FastEthernet0/12
spanning-tree portfast
!
interface FastEthernet0/13
spanning-tree portfast
!
interface FastEthernet0/14
spanning-tree portfast
!
interface FastEthernet0/15
spanning-tree portfast
!
interface FastEthernet0/16
spanning-tree portfast
!
interface FastEthernet0/17
spanning-tree portfast
!
interface FastEthernet0/18
spanning-tree portfast
!
interface FastEthernet0/19
spanning-tree portfast
!
interface FastEthernet0/20
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
!
interface GigabitEthernet0/1
mtu 1600
duplex full
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface VLAN1
ip address 172.16.0.15 255.255.0.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN700
ip access-group 102 out
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 172.16.0.1
snmp-server engineID local 0000000902000004C12B05C0
snmp-server community private RW
snmp-server community public RO

1 ACCEPTED SOLUTION

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

Apparently this wireless router is not capable of routing between subnets. 

Then it's not a wireless router, is it?

I think you need to revisit the choice of wireless device because it seems so basic as to be almost unusable for anything other than home use.

Jon

42 REPLIES
Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

3500xl switch is L2 only so you can only have 1 L3 vlan interface up at any time and it looks like you are using vlan 1 on the 3500xl. So remove the vlan 700 L3 interface on the 3500xl.

As for isolating traffic, you have an acl applied to L3 vlan interface for vlan 700 on the 4500 switch. So what is not being isolated ie. is it that you can still connect to 172.16.0.x addresses from the 192.168.100.x vlan ?

Also you should update your trunk configs ie.

interface FastEthernet0/24
switchport access vlan 700
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast

remove "switchport access vlan 700" - because it is a trunk

remove "spanning-tree portfast" -  you should never run portfast on a trunk link between 2 switches.

Jon

New Member

Re: ACL's on VLAN not isolating traffic

As for isolating traffic, you have an acl applied to L3 vlan interface for vlan 700 on the 4500 switch. So what is not being isolated ie. is it that you can still connect to 172.16.0.x addresses from the 192.168.100.x vlan ?

Yes.  That's the issue.  We still need for them to be able to get to the internet though, and the firewall has a 172.16.0.x address. 

Thanks for the assistance with the trunk config.  I will fix that pronto!

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

So just to clarify, you have this acl applied to vlan 700 L3 SVI on your 4500 switch -

access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any

and you can still access any 172.16.0.x address from 192.168.100.x devices ?

What does a "sh access-list 102" look like ?

Jon

New Member

Re: ACL's on VLAN not isolating traffic

Yes, we can still access it.  If we connect to the 192.168.100.x network, and use the Windows Run line to request a server on the 172.16.0.x network, although it prompts for a password, we can see it.

Here's the sh access-list 102 result:

sh access-list 102
Extended IP access list 102
    10 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
    20 permit ip 192.168.100.0 0.0.0.255 any

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Can you post a "sh vlan brief" from the 4500 switch ?

Jon

New Member

Re: ACL's on VLAN not isolating traffic

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi2/1, Gi2/2
                                                Gi6/1, Gi6/2, Gi6/3, Gi6/4
                                                Gi6/5, Gi6/6, Gi7/48
10                                    active
100                                   active    Gi3/1, Gi3/2, Gi3/3, Gi3/4
                                                Gi3/5, Gi3/6, Gi4/1, Gi4/2
                                                Gi4/3, Gi4/4, Gi4/5, Gi4/6
                                                Gi5/1, Gi5/2, Gi5/3, Gi5/4
                                                Gi5/5, Gi5/6, Gi7/6, Gi7/7
                                                Gi7/8, Gi7/9, Gi7/10, Gi7/11
                                                Gi7/12, Gi7/13, Gi7/14, Gi7/15
                                                Gi7/16, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23
                                                Gi7/25, Gi7/26, Gi7/27, Gi7/28
                                                Gi7/29, Gi7/30, Gi7/31, Gi7/32
                                                Gi7/33, Gi7/34, Gi7/35, Gi7/36
                                                Gi7/37, Gi7/38, Gi7/39, Gi7/40
                                                Gi7/41, Gi7/42, Gi7/43, Gi7/44
                                                Gi7/45, Gi7/46, Gi7/47
200                                   active    Gi7/4
300                                   active    Gi7/5

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
400                                   active    Gi7/3
500                                   active    Gi7/1
600                                   active    Gi7/2
700                                   act/lshut
800                                   act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Sorry for all the questions, but it looks like vlan 700 isn't even up at L2 on the 4500. Can you post "sh int trunk" from the 4500?

Jon

New Member

Re: ACL's on VLAN not isolating traffic

Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600

Do I need to set up vlan 700 in the sup module?  Could that be the problem?

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

vlan 700 is not even active on the trunk link. As Rick says you must have something else going on in your network because if you can connect from a device on the 192.168.100.x network to a device on the 172.16.0.x network it isn't via the 4500 switch.

Jon

Hall of Fame Super Silver

Re: ACL's on VLAN not isolating traffic

Terri

The first issue that I see is that VLAN 700 is shut down.

The second issue that I see is that there are no ports assigned to VLAN 700. With no ports in VLAN 700 there is no traffic for the access list to control.

Perhaps you could help me understand a bit better the topology of your network. Are these two switches the entire network or are there other switches or routers in the network that we do not see? Also, where is the 192.168.100.0 network (what ports and what VLANs), and where is the 172.16.0.0 network (what ports and what VLANs)?

HTH

Rick

New Member

Re: ACL's on VLAN not isolating traffic

I think it's because the wireless router is jacked into the wall and into another port on the 3500XL.

The other ports on that switch are on the 172.16.0.x network.   The network is available before it even leaves the 3500XL.

Our network is made up of 6 sites connected by 100 MB fiber connections.  The 4507 is the backbone of our network.  All other sites are vlans on the 4507.  We have a star topology.  All networks can see each other.

Does that help at all?

I started this in this thread:

https://supportforums.cisco.com/message/3064233#3064233

Hall of Fame Super Silver

Re: ACL's on VLAN not isolating traffic

Terri

Since all the ports on the 3500 switch are in the default VLAN (VLAN 1) this means that the traffic from the wireless router (which I assume is the 192.168.100.0 network) is intermixed with the 172.16.0.0 traffic. In that case it will be impossible to separate the 192.168.100.0 traffic.

What I would suggest is that you find where the wireless router is connected to the 3500 switch and put that switch port into a separate VLAN (perhaps VLAN 700). If the 192.168.100.0 traffic is in a separate VLAN then it can be possible to separate it.

HTH

Rick

New Member

Re: ACL's on VLAN not isolating traffic

OK.  I did figure out that I somehow missed adding that port to vlan 700 (big oops!  mea culpa)  Back to my other question then, do I need to add vlan 700 to the sup module of the 4500 in order to make it active there too?

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

lovembsc89 wrote:

OK.  I did figure out that I somehow missed adding that port to vlan 700 (big oops!  mea culpa)  Back to my other question then, do I need to add vlan 700 to the sup module of the 4500 in order to make it active there too?

No, vlan 700 is already on the 4500 but because there are no ports active in vlan 700 it isn't up. Once you have allocated a port in vlan 700 on the 3500xl then vlan 700 should become active on the trunk link and that will bring up vlan 700 on the 4500.

Jon

New Member

Re: ACL's on VLAN not isolating traffic

I added port 0/20 on the 3500XL to vlan 700 (???):

interface FastEthernet0/20
switchport access vlan 700
spanning-tree portfast

RC-24-cr1#sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/21,
                                                Fa0/22, Fa0/23, Gi0/2
10   VLAN0010                         active
200  VLAN0200                         active
600  VLAN0600                         active
700  VLAN0700                         active    Fa0/20
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

Still showing vlan 700 as act/lshut on 4507:

4507#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi2/1, Gi2/2
                                                Gi6/1, Gi6/2, Gi6/3, Gi6/4
                                                Gi6/5, Gi6/6, Gi7/48
10                                    active
100                                   active    Gi3/1, Gi3/2, Gi3/3, Gi3/4
                                                Gi3/5, Gi3/6, Gi4/1, Gi4/2
                                                Gi4/3, Gi4/4, Gi4/5, Gi4/6
                                                Gi5/1, Gi5/2, Gi5/3, Gi5/4
                                                Gi5/5, Gi5/6, Gi7/6, Gi7/7
                                                Gi7/8, Gi7/9, Gi7/10, Gi7/11
                                                Gi7/12, Gi7/13, Gi7/14, Gi7/15
                                                Gi7/16, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23
                                                Gi7/25, Gi7/26, Gi7/27, Gi7/28
                                                Gi7/29, Gi7/30, Gi7/31, Gi7/32
                                                Gi7/33, Gi7/34, Gi7/35, Gi7/36
                                                Gi7/37, Gi7/38, Gi7/39, Gi7/40
                                                Gi7/41, Gi7/42, Gi7/43, Gi7/44
                                                Gi7/45, Gi7/46, Gi7/47
200                                   active    Gi7/4
300                                   active    Gi7/5

VLAN Name                             Status    Ports
---- -------------------------------- --------- ------------------------------
400                                   active    Gi7/3
500                                   active    Gi7/1
600                                   active    Gi7/2
700                                   act/lshut
800  VLAN0800                         act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

On the 4500 -

4500(config)# no vlan 700

4500(config)# vlan 700

4500(config-vlan)# name vlan700

then please post

"sh int trunk" and "sh vlan brief" from the 4500 again.

Jon

New Member

Re: ACL's on VLAN not isolating traffic

Looks good.

4507#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600,700

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600
4507#sh vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi2/1, Gi2/2
                                                Gi6/1, Gi6/2, Gi6/3, Gi6/4
                                                Gi6/5, Gi6/6, Gi7/48
10                                    active
100                                   active    Gi3/1, Gi3/2, Gi3/3, Gi3/4
                                                Gi3/5, Gi3/6, Gi4/1, Gi4/2
                                                Gi4/3, Gi4/4, Gi4/5, Gi4/6
                                                Gi5/1, Gi5/2, Gi5/3, Gi5/4
                                                Gi5/5, Gi5/6, Gi7/6, Gi7/7
                                                Gi7/8, Gi7/9, Gi7/10, Gi7/11
                                                Gi7/12, Gi7/13, Gi7/14, Gi7/15
                                                Gi7/16, Gi7/17, Gi7/18, Gi7/19
                                                Gi7/20, Gi7/21, Gi7/22, Gi7/23
                                                Gi7/25, Gi7/26, Gi7/27, Gi7/28
                                                Gi7/29, Gi7/30, Gi7/31, Gi7/32
                                                Gi7/33, Gi7/34, Gi7/35, Gi7/36
                                                Gi7/37, Gi7/38, Gi7/39, Gi7/40
                                                Gi7/41, Gi7/42, Gi7/43, Gi7/44
                                                Gi7/45, Gi7/46, Gi7/47
200                                   active    Gi7/4
300                                   active    Gi7/5

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
400                                   active    Gi7/3
500                                   active    Gi7/1
600                                   active    Gi7/2
700  vlan700                          active
800  VLAN0800                         act/lshut
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Okay, that's better.

Can you try accessing 172.16.0.x from 192.168.0.x now and see.

Edit - just noticed vlan 700 is pruned off the trunk link. On the 3500xl have you allocated a port into vlan 700 ?

Jon
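
Jon's "pruned off the trunk link" remark and the two "sh int trunk" outputs posted above each hinge on a different VLAN list in that command. As an added example that is not from the thread, the Python parser below reads show interfaces trunk output and classifies a VLAN on a trunk port as not allowed, not active, not forwarding, or forwarding; the two samples are the outputs Terri posted from the 4507 before and after vlan 700 was recreated.

```python
import re
from typing import Dict, Optional, Set

# The three VLAN lists of "show interfaces trunk", keyed by the state each
# one proves for a VLAN on that trunk port.
SECTIONS = {
    "allowed": "Vlans allowed on trunk",
    "active": "Vlans allowed and active in management domain",
    "forwarding": "Vlans in spanning tree forwarding state and not pruned",
}

# First "sh int trunk" posted from the 4507: vlan 700 is not in the active list.
TRUNK_BEFORE = """
Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600
"""

# After "no vlan 700 / vlan 700" on the 4507: active on the trunk, still pruned.
TRUNK_AFTER = """
Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600,700

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600
"""

TrunkTable = Dict[str, Dict[str, Set[int]]]


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-4094' or '1,10,100,700'."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_show_int_trunk(text: str) -> TrunkTable:
    """Map each trunk port to its allowed / active / forwarding VLAN sets."""
    ports: TrunkTable = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Port"):
            # A header line selects the list that follows; the first table
            # (Mode/Encapsulation/Status) has no VLAN list, so it maps to None.
            section = next((k for k, t in SECTIONS.items() if t in line), None)
            continue
        m = re.fullmatch(r"(\S+)\s+([\d,-]+)", line)
        if section and m:
            port, spec = m.groups()
            row = ports.setdefault(port, {k: set() for k in SECTIONS})
            row[section] = expand_vlan_list(spec)
    return ports


def vlan_trunk_state(ports: TrunkTable, port: str, vlan: int) -> str:
    """Say why a VLAN may not be carrying traffic across a trunk port."""
    row = ports[port]
    if vlan not in row["allowed"]:
        return "not-allowed"     # removed with 'switchport trunk allowed vlan'
    if vlan not in row["active"]:
        return "not-active"      # VLAN missing or shut down on this switch
    if vlan not in row["forwarding"]:
        return "not-forwarding"  # pruned (no active ports) or STP blocking
    return "forwarding"


if __name__ == "__main__":
    for label, output in (("before", TRUNK_BEFORE), ("after", TRUNK_AFTER)):
        table = parse_show_int_trunk(output)
        print(label, "vlan 700:", vlan_trunk_state(table, "Gi7/24", 700))
```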

New Member

Re: ACL's on VLAN not isolating traffic

I can still access the 172.16.0.x network from the 192.168.100.x network.

I have allocated port 20 on the 3500XL to vlan700:

interface FastEthernet0/20
switchport access vlan 700
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk

Thoughts?

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

Which port(s) are the 192.168.100.x clients attached to ?

Jon

New Member

Re: ACL's on VLAN not isolating traffic

The wireless router is in port 0/24, and the clients are coming through it.

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

I thought port 24 was a trunk link to the 4500 switch.

Let's step back a bit.

On the 4500 you have vlan 700 at L2 and you have a L3 SVI for vlan 700. You have an acl applied to that L3 SVI in an inbound direction denying ip from 192.168.100.x to 172.16.0.x and then allowing all other traffic from 192.168.100.x.

On the 3500xl you have vlan 700 at L2 and you should have allocated the port the wireless router connects into to be in vlan 700. All other ports on the 3500XL switch do not have devices in vlan 700 - is that correct ?

If so can you post output of -

"sh int trunk" from 4500

"sh run" from the 3500XL

Jon

New Member

Re: ACL's on VLAN not isolating traffic

Jon, so sorry, the wireless router is in 0/20 on the 3500XL, not 0/24.  I guess that really was confusing.

Here's what you asked for:

4507#sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi7/24      on           802.1q         trunking      1

Port      Vlans allowed on trunk
Gi7/24      1-4094

Port        Vlans allowed and active in management domain
Gi7/24      1,10,100,200,300,400,500,600,700

Port        Vlans in spanning tree forwarding state and not pruned
Gi7/24      1,10,100,200,300,400,500,600,700
4507#

sh run from 3500XL

!
ip subnet-zero
no ip domain-lookup
!
!
!
interface FastEthernet0/1
spanning-tree portfast
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
spanning-tree portfast
!
interface FastEthernet0/7
spanning-tree portfast
!
interface FastEthernet0/8
spanning-tree portfast
!
interface FastEthernet0/9
spanning-tree portfast
!
interface FastEthernet0/10
spanning-tree portfast
!
interface FastEthernet0/11
spanning-tree portfast
!
interface FastEthernet0/12
spanning-tree portfast
!
interface FastEthernet0/13
spanning-tree portfast
!
interface FastEthernet0/14
spanning-tree portfast
!
interface FastEthernet0/15
spanning-tree portfast
!
interface FastEthernet0/16
spanning-tree portfast
!
interface FastEthernet0/17
spanning-tree portfast
!
interface FastEthernet0/18
spanning-tree portfast
!
interface FastEthernet0/19
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 700
spanning-tree portfast
!
interface FastEthernet0/21
spanning-tree portfast
!
interface FastEthernet0/22
spanning-tree portfast
!
interface FastEthernet0/23
spanning-tree portfast
!
interface FastEthernet0/24
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
mtu 1600
duplex full
switchport trunk encapsulation dot1q
switchport trunk native vlan 10
switchport mode trunk
!
interface GigabitEthernet0/2
!
interface VLAN1
ip address 172.16.0.15 255.255.0.0
no ip directed-broadcast
no ip route-cache
!
interface VLAN200
no ip directed-broadcast
no ip route-cache
shutdown
!
ip default-gateway 172.16.0.1
snmp-server engineID local 0000000902000004C12B05C0
snmp-server community private RW
snmp-server community public RO
!
line con 0
transport input none
stopbits 1
line vty 0 4
password 7 120B061611595C
login
line vty 5 15
login
!
end

RC-24-cr1#

Access List info from 4507:

!
interface Vlan700
ip address 192.168.100.24 255.255.255.0
ip access-group 102 in
!
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
!

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

From a device on vlan 700 can you do a traceroute to a 172.16.0.x address? If the device is Windows the command will be tracert.

After you have done this can you also post the output of "sh access-list 102" from the 4500 switch.

Jon

New Member

Re: ACL's on VLAN not isolating traffic

This tracert is from client 192.168.100.2 using the wireless router, which is 192.168.100.1

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator>tracert 172.16.0.43
Tracing route to 172.16.0.43 over a maximum of 30 hops
  1    23 ms     2 ms     2 ms  192.168.100.1
  2    15 ms     2 ms     2 ms  172.16.0.43
Trace complete.

4507#sh access-list 102
Extended IP access list 102
    10 deny ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
    20 permit ip 192.168.100.0 0.0.0.255 any
4507#
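
Taking the tracert and the ACL together, here is an added Python model (not code from the thread) that applies access-list 102 first-match with IOS's implicit deny and checks whether the Vlan700 SVI (192.168.100.24) appears in the trace at all. It uses the trace above, the destination 172.16.200.30 from the 4507's static routes to show that the 0.0.0.255 wildcard covers only 172.16.0.0/24 while Vlan100 is a /16, and a constructed internet address 203.0.113.10.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# access-list 102 exactly as posted from the 4507; the implicit "deny ip any any"
# that ends every IOS ACL is modelled in evaluate(), not listed here.
ACL_102 = """
access-list 102 deny   ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
"""

# tracert output posted from client 192.168.100.2 (copied from the thread).
TRACERT = """
Tracing route to 172.16.0.43 over a maximum of 30 hops
  1    23 ms     2 ms     2 ms  192.168.100.1
  2    15 ms     2 ms     2 ms  172.16.0.43
Trace complete.
"""

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address/wildcard pair into a network object.

    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) are handled,
    which is all this thread's ACL uses.
    """
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(
        f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False
    )


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL line: {line.strip()}")
        src, rest = _take_address(tok[4:])
        dst, _ = _take_address(rest)
        entries.append((action, src, dst))
    return entries


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation like IOS; returns (action, sequence number).

    Sequence numbers are 10, 20, ... as 'sh access-list' displays them;
    no match returns ('deny', None) for the implicit deny at the end.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, (action, src_net, dst_net) in enumerate(entries, start=1):
        if s in src_net and d in dst_net:
            return action, seq * 10
    return "deny", None


_HOP_RE = re.compile(r"^\s*\d+\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def trace_hops(tracert_text: str) -> List[str]:
    """Return the hop addresses from Windows tracert output, in order."""
    return [m.group(1) for m in map(_HOP_RE.match, tracert_text.splitlines()) if m]


def acl_in_path(tracert_text: str, svi_ip: str) -> bool:
    """True only if the SVI that carries the ACL shows up as a hop."""
    return svi_ip in trace_hops(tracert_text)


if __name__ == "__main__":
    acl = parse_acl(ACL_102)
    for dst in ("172.16.0.43", "172.16.200.30", "203.0.113.10"):
        print(dst, evaluate(acl, "192.168.100.2", dst))
    print("4507 SVI in path:", acl_in_path(TRACERT, "192.168.100.24"))
```

The trace goes from the wireless router straight to 172.16.0.43 without touching 192.168.100.24, so the ACL on the SVI was never consulted; it would have denied that packet, but would still permit 172.16.200.30.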

New Member

Re: ACL's on VLAN not isolating traffic

We had a jack mislabeled, so now that the correct cable is in the correct switch port, we are not seeing any other networks besides 192.168.100.x .  That means, of course, that there is no internet connectivity, because, as I mentioned before, the firewall interface is 172.16.0.25.

Thoughts?

Hall of Fame Super Blue

Re: ACL's on VLAN not isolating traffic

Terri

The fact that the firewall has a 172.16.0.x address should not stop your clients accessing the internet because they will never use the firewall address as the destination address ie. when they connect to the internet they are using destination addresses on the internet. Your acl will allow this traffic because the destination address is not the firewall.

Have you set up NAT correctly for the 192.168.100.x network on the firewall?

Does the firewall know how to route back to the 192.168.100.x network ie. does your firewall have a route along the lines of -

route  192.168.100.0 255.255.255.0  <172.16.0.x address on 4500 switch>

note the syntax might be different depending on your firewall.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

New Member

Re: ACL's on VLAN not isolating traffic

Wireless router can now only see clients and itself.  I cannot ping the ip address of the vlan on the 4507 (192.168.100.24).   There is no way to set a gateway on the 3COM OfficeConnect 109Mbps Cable/DSL router, as it uses itself as the gateway for the clients.  When I tracert to the vlan address from the client, I get no reply.  If I need to set a route on the 4507, I would have no idea what it would be, since the vlan is on the same network as the 3Com.

Ideas?

Hall of Fame Super Silver

Re: ACL's on VLAN not isolating traffic

Terri

I think that the suggestion from Jon in a previous post that we step back and try to understand the network is a very good idea. In previous posts you have talked about a wireless router and in this post you talk about a 3COM OfficeConnect 109Mbps Cable/DSL router. Is this the wireless router or is it different?

If I am understanding correctly you have client workstations connected to some wireless router and the clients have addresses in the network 192.168.100.0, and they probably are assigned those addresses by the wireless router which acts as a DHCP server for its LAN subnet. If that is the case then I am guessing that where the wireless router is connected to the switch is not using an address in 192.168.100.0. And most wireless routers are set to perform address translation when traffic from their "LAN" stations is forwarded out their "WAN" interface. So I suggest that you investigate your wireless router and determine what address it is using on its "WAN" interface and whether it is performing address translation for the client workstations. When we know that we will be in much better position to know what you must do on your switch.

HTH

Rick
