Campus Switching and Routing

New Contributor

2930F Access list issues

Hi guys,

 

I've been tasked to integrate a 2930F switch with a FortiGate firewall and two other 1820-48G switches downstream (VLAN trunked) to it.

I've separated out the 2930F to do a trial / PoC on my own prior to deployment and have encountered some issues with which I need help (or where I went wrong).

Basically there are 7 VLANs:

- VLAN1 (directly routed to the firewall via a static route for all the respective subnets)
- VLAN10 (IP-Phones)
- VLAN20 (CCTV)
- VLAN30 (Corp WLAN)
- VLAN32 (Guest WLAN)
- VLAN40 (Corp LAN)
- VLAN100 (Server LAN)

The goal was simple (or so I thought): to create an access list to not allow VLAN 10, 20, 32 to reach VLAN100.

I proceeded to create the following access list, as most of the documents advise:

ip access-list extended "TEST"
10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 log
20 deny ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 log
30 deny ip 192.168.32.0 255.255.255.0 192.168.2.0 255.255.255.0 log
40 deny ip 192.168.33.0 255.255.255.0 192.168.2.0 255.255.255.0 log
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

I've placed the access list in the following VLAN:

vlan 100
name "SVRS"
untagged 1
ip access-group "TEST" in
ip address 192.168.2.1 255.255.255.0
dhcp-server
exit

The odd issue here is that the "DENY" in the ACL does not seem to be working.

With the above ACL in place, I am still able to reach the machine on the .2 network from a test machine on .10.

What am I missing?

Contributor I

Re: 2930F Access list issues

Configure the ACL on VLAN 10, 20, 32, or add the ACL to VLAN 100 as an outbound ACL instead of an inbound one.
Willem Bargeman
ACCX #822 | ACMP
New Contributor

Re: 2930F Access list issues


@willembargeman wrote:
Configure the ACL on VLAN 10, 20, 32, or add the ACL to VLAN 100 as an outbound ACL instead of an inbound one.

This is the odd result I'm getting.

Just for testing, I changed the access list (to narrow it down to one subnet):

ACL:

ip access-list extended "TEST"
     10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 log
     20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

VLAN10 interface:

vlan 10
   name "VLAN10"
   untagged 2
   ip access-group "TEST" out
   ip address 192.168.10.1 255.255.255.0
   voice
   dhcp-server

Since the ACL direction is outbound from VLAN10, for some odd reason the ACL is not working:

CORE# sh statistics aclv4 TEST vlan 10 out

 Hit Counts for ACL TEST

  Total
(       0 )    10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 log
(     254 )    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

I am still able to ping 192.168.2.51 (a test machine sitting in VLAN100) from a machine in VLAN10 (192.168.10.11).

The above statistics show it is simply "passing through" the deny.

 

Routing table:

CORE#  sh ip route

                                IP Route Entries

  Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
  ------------------ --------------- ---- --------- ---------- ---------- -----
  0.0.0.0/0          172.16.1.1      1    static               1          1
  127.0.0.0/8        reject               static               0          0
  127.0.0.1/32       lo0                  connected            1          0
  172.16.1.0/24      DEFAULT_VLAN    1    connected            1          0
  192.168.2.0/24     SVRS            100  connected            1          0
  192.168.10.0/24    VLAN10          10   connected            1          0
Contributor I

Re: 2930F Access list issues

Hi,

 

The subnet mask is an inverse mask. This is the reason why the ACL is not working. Please try changing the ACL to the following:

 

ip access-list extended "TEST"
10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
20 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255 log
30 deny ip 192.168.32.0 0.0.0.255 192.168.2.0 0.0.0.255 log
40 deny ip 192.168.33.0 0.0.0.255 192.168.2.0 0.0.0.255 log
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

 

I would advise adding this ACL as an inbound ACL to each VLAN from which you want to block traffic.

Willem Bargeman
ACCX #822 | ACMP
New Contributor

Re: 2930F Access list issues


@willembargeman wrote:

Hi,

The subnet mask is an inverse mask. This is the reason why the ACL is not working. Please try changing the ACL to the following:

ip access-list extended "TEST"
10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
20 deny ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255 log
30 deny ip 192.168.32.0 0.0.0.255 192.168.2.0 0.0.0.255 log
40 deny ip 192.168.33.0 0.0.0.255 192.168.2.0 0.0.0.255 log
50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

I would advise adding this ACL as an inbound ACL to each VLAN from which you want to block traffic.


Hi Willem,

 

Thank you for your reply.

 

The oddity is back again, unfortunately. I've readjusted it to use an inverse subnet mask.

 

ip access-list extended "TEST"
     10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
     20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Added TEST as an inbound rule on VLAN100.

 

vlan 100
   name "SVRS"
   untagged 1
   ip access-group "TEST" in
   ip address 192.168.2.1 255.255.255.0
   dhcp-server

But I am still able to ping through without it hitting the DENY rule.

CORE# sh statistics aclv4 TEST vlan 100 in

 Hit Counts for ACL TEST

  Total
(       0 )    10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log
(     262 )    20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

Just for kicks, I did a DENY host from my single host (source) 192.168.10.11 to (destination) 192.168.2.51.

It still passed through the ACL.

Firewall routing and policies as below:

[Screenshots: Capture1.JPG, Capture2.JPG, Capture3.JPG]

Contributor I

Re: 2930F Access list issues

You are adding the ACL in the wrong direction.

 

10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log

 

The above statement means that you block traffic from 192.168.10.x to 192.168.2.x. When you add this ACL to a VLAN with subnet 192.168.2.x as an inbound ACL, this ACL will never match. An inbound ACL is processed when traffic is incoming and an outbound one when traffic leaves the switch / VLAN.

 

Please add this ACL to VLAN10 as an inbound ACL.

Willem Bargeman
ACCX #822 | ACMP
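Willem's two points in this thread (the mask field is a wildcard, i.e. inverse, mask, and a VLAN ACL only ever sees traffic travelling in the direction it is applied) can be checked with a small simulator. The Python below is an added example written for this thread; it is not ArubaOS-Switch code, and the function names and the VLAN-to-subnet table (taken from the routing table posted above) are assumptions for illustration. It reproduces the hit counts seen in the thread: with 255.255.255.0 as the mask only the network address itself can match the deny entry, and with the corrected mask the deny still never fires inbound on VLAN 100, because a packet from VLAN10 enters the switch on VLAN 10 and only the return traffic (sourced from 192.168.2.x) is inbound on VLAN 100, where it falls through to the permit.

```python
"""Simulate an extended IPv4 ACL with wildcard masks and VLAN direction.

Added example for this thread (not ArubaOS-Switch code). Function names and
the VLAN table below are assumptions for illustration.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit where the wildcard bit is 0.

    A wildcard of 0.0.0.255 fixes the first three octets; 255.255.255.0
    fixes only the LAST octet, which is the mistake in the first post."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr(tokens, i):
    """Parse one address field: 'host A', 'any', or 'A WILDCARD'."""
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> dict:
    """Parse '10 deny ip SRC SRC_WC DST DST_WC [log]' into a dict."""
    t = line.split()
    seq, action = int(t[0]), t[1]          # t[2] is the protocol ('ip')
    src, src_wc, i = _addr(t, 3)
    dst, dst_wc, _ = _addr(t, i)
    return {"seq": seq, "action": action, "src": src, "src_wc": src_wc,
            "dst": dst, "dst_wc": dst_wc}


def evaluate_acl(acl_lines, src: str, dst: str):
    """Return (action, seq) of the first matching entry.

    Every ACL ends with an implicit deny, reported as ('deny', 'implicit')."""
    for ace in map(parse_ace, acl_lines):
        if (wildcard_match(src, ace["src"], ace["src_wc"])
                and wildcard_match(dst, ace["dst"], ace["dst_wc"])):
            return ace["action"], ace["seq"]
    return "deny", "implicit"


# Constructed from the routing table posted in the thread.
VLANS = {1: "172.16.1.0/24", 10: "192.168.10.0/24", 100: "192.168.2.0/24"}


def vlan_of(addr: str):
    for vid, net in VLANS.items():
        if ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net):
            return vid
    return None


def acl_sees_packet(vlan: int, direction: str, src: str, dst: str) -> bool:
    """'in' sees packets entering the switch on that VLAN (source lives there);
    'out' sees packets leaving the switch on that VLAN (destination lives there)."""
    if direction == "in":
        return vlan_of(src) == vlan
    if direction == "out":
        return vlan_of(dst) == vlan
    raise ValueError(f"unknown direction {direction!r}")


def forward(acl_lines, vlan: int, direction: str, src: str, dst: str):
    """Verdict for a routed packet with the ACL applied on (vlan, direction).

    ('permit', None) means the packet never reached this ACL at all, which is
    exactly what the zero hit count on the deny entry in the thread shows."""
    if not acl_sees_packet(vlan, direction, src, dst):
        return "permit", None
    return evaluate_acl(acl_lines, src, dst)


# The ACL from the first post (subnet masks used where wildcards belong).
ORIGINAL_ACL = [
    "10 deny ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 log",
    "20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]
# Willem's corrected ACL.
FIXED_ACL = [
    "10 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255 log",
    "20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255",
]

if __name__ == "__main__":
    phone, server = "192.168.10.11", "192.168.2.51"
    print("wrong mask, phone->server :", evaluate_acl(ORIGINAL_ACL, phone, server))
    print("fixed, in on VLAN 100     :", forward(FIXED_ACL, 100, "in", phone, server))
    print("fixed, in on VLAN 100, reply:", forward(FIXED_ACL, 100, "in", server, phone))
    print("fixed, in on VLAN 10      :", forward(FIXED_ACL, 10, "in", phone, server))
    print("fixed, out on VLAN 100    :", forward(FIXED_ACL, 100, "out", phone, server))
```

Running it shows the phone-to-server packet is permitted by entry 20 under the original mask, is never evaluated at all when the fixed ACL sits inbound on VLAN 100 (only the reply from the server is, and it hits the permit), and is denied by entry 10 once the ACL is applied inbound on VLAN 10 or outbound on VLAN 100, which are the two placements Willem suggested.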
New Contributor

Re: 2930F Access list issues

Thank you.

 

Your last solution worked!

I was interpreting the ACLs wrongly.
