Switches, Hubs, and Modems
cancel
Showing results for 
Search instead for 
Did you mean: 

VLAN and ACL connectivity problem

SOLVED
Go to solution
Martink_1
Occasional Visitor

VLAN and ACL connectivity problem

Hi

I have been wrestling for a while with an issue regarding routing, vlans and acls.

Im currently using a 5300-series switch for testing but the real switch is a 5400-series switch (if they behave differently).

My problem:
Im setting up several user-, server- and administration vlann, but I can simplify the question in the following way:
One user vlan and on administration vlan. I would like to setup the traffic so that the user vlan doesnt get any kind of connection to the administration vlan (a ping would resove in "Request timed out") but the administration vlan should get full access to the user vlan (ping, rcp etc).

I have been using the following acl (se below) and im not quite happy with the result I get. My user vlan cant access the administration vlan (as it should be). But the problem is that the administration vlan can reach the user vlan but the response on the ping isnt satisfying, I get a "Destination net unreachable" reply (se below for the exact syntax).

So the question is, am I doing something wrong or is this kind of behavior not possible with the use of acls?

----------------------------------------------
Ping reply - Administration host to User host
----------------------------------------------
C:\>ping 172.18.24.5

Pinging 172.18.24.5 with 32 bytes of data:

Reply from 172.18.32.1: Destination net unreachable.
Reply from 172.18.32.1: Destination net unreachable.
Reply from 172.18.32.1: Destination net unreachable.
Reply from 172.18.32.1: Destination net unreachable.

Ping statistics for 172.18.24.5:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

----------------------------------------------
5300 - Current configuration
----------------------------------------------
; J4850A Configuration Editor; Created on release #E.11.03

hostname "Routing 5300"
max-vlans 64
time timezone 60
time daylight-time-rule Western-Europe
no telnet-server
ip access-list extended "100"
deny udp 172.18.24.0 0.0.0.252 172.18.32.0 0.0.0.254
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 1 type J4907A
module 2 type J4907A
ip default-gateway 172.18.2.1
sntp server 172.18.1.230
ip routing
no ip source-route
ip udp-bcast-forward
timesync sntp
sntp unicast
snmp-server host 172.18.2.24 "public"
vlan 1
name "DEFAULT_VLAN"
untagged A2-A7,A9-A16,B1-B16
ip address 172.18.2.2 255.255.248.0
no untagged A1,A8
exit
vlan 117
name "User_vlan"
untagged A8
ip address 172.18.24.1 255.255.252.0
ip helper-address 172.18.2.55
ip helper-address 172.18.2.56
ip helper-address 172.18.2.73
ip access-group "100" out
exit
vlan 11
name "Administration_vlan"
untagged A1
ip address 172.18.32.1 255.255.254.0
exit
ip route 0.0.0.0 0.0.0.0 172.18.2.1
router rip
exit
vlan 1
ip rip
exit


4 REPLIES
cenk sasmaztin
Honored Contributor

Re: VLAN and ACL connectivity problem

hi Marting

imposible successfully ping because
you can write
(deny udp 172.18.24.0 0.0.0.252 172.18.32.0 0.0.0.254
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255) acl command on switch and assing vlan 117 on rule

ping command send ping packet to destination device and sender wait response ping echo packet from destination device

172.18.24.5*send ping--packet-to*172.18.32.1

ok... but

172.18.32.1*responsepingpacketto 172.18.24.5

imposible because knock acl this response packet





cenk
cenk

Martink_1
Occasional Visitor

Re: VLAN and ACL connectivity problem

Hello and thanks for showing interest in my case.

I was wondering about what you describe since im aware that the packet should be stopped (no traffic allow into the administration vlan). But I thought that perhaps since the connection was initiated from the administrator vlan the switch would let the connection flow between the hosts. I am aware that firewalls have those kinds of connections possible.

Have I come across a dead end or is it possible to configure the acl in some other way?
Matt Hobbs
Honored Contributor
Solution

Re: VLAN and ACL connectivity problem

The 5400 supports the 'established' keyword in ACLs which will allow TCP based traffic to be initiated from one direction but not the other. Although it won't work for ICMP, it should hopefully be sufficient for your needs.
Martink_1
Occasional Visitor

Re: VLAN and ACL connectivity problem

Thanks for the help.

I will continue to test this feature and hopefully established tcp traffic will be enough but to be honest im not quite sure.