Jason Murphy asked:

Inter VLAN routing - Cisco SG300-28

I'm trying to replicate a client's parent/child domain in a test environment. I'm assuming (I don't know their exact setup for sure) that they will have an enterprise-level networking setup, so potentially layer 2 workgroup switches with routers doing layer 3, as well as firewall device(s) doing access control.

In our test environment we have two DCs set up and client PCs: one DC for the parent domain and one for the child domain, with the default two-way transitive trust between the parent and child. I'm using a Cisco SG300-28 port switch to connect the DCs and clients.

I have each DC on a trunk port on the SG300-28, which is running in layer 3 mode, and two VLANs, 10 and 20, with their respective subnets in DHCP scope, one per DC. The DCs both have access to VLAN 10 and 20 via their trunk ports; the clients in each domain are on access ports within their specific VLAN: parent on VLAN 10 (10.10.10.0/24) and child on VLAN 20 (10.10.11.0/24).

I've tried creating an ACL which would permit clients on the child domain to connect to a license server on the parent domain, which I thought was working as the application can connect and obtain a license. However, as a test I removed the ACL from the interface it was applied to and the client was still able to get a license. As a further test we created rules for the specific ports on the Windows firewall on the two DCs as well as the license server, then disabled these; however, the application can still get a license.

Any ideas why this would work regardless of the ACL and firewall rules being applied? I wonder if it is due to the trunking; however, I don't see another way of having the VLANs routing.
Predrag Jovic

Typical problems regarding applying ACLs to an interface (if the ACL is correctly written):
1. more often -> ACL is applied in the wrong direction (IN instead of OUT)
2. less often -> ACL is applied to the wrong interface
3. rarest -> both 1. and 2.

If the above suggestions did not resolve the issue, can you please paste the ACLs and the configuration of the interfaces where the ACLs are applied (and provide the IP addresses of the servers).
If you are trying to filter between the VLANs you will need to create VACLs at the SVI.

Run a traceroute from the PC to the license server and post. If the license server is reachable as the next hop with no intermediary hops, then you aren't going to hit an ACL, as all traffic will remain at layer 2 and transit the local broadcast domain. If there is an intermediary hop, this is where you will want to place the ACL, and the points that Predrag points out above come into full force.
Jason Murphy (ASKER)
Thanks for suggestions

There is no other device between the client PCs, DCs and switch, no routing or external routing, so I don't think SVIs will come into it.

I'll try a tracert to the license server and port though.

Will advise

Thank you
Where are you routing between the two VLANs?  If not on an SVI then is it a router?  Firewall?  Can you share a diagram of the network?
Hi

It's inter-VLAN routing between two VLANs on one SG-300 28 port switch in layer 3 mode.

Essentially, ports 1-12 are VLAN 10 (access ports) ports 13-24 are VLAN 20 (access ports)

I have the Parent domain DC in port 1 and the child domain DC in port 13

The clients are on the remaining ports within their respective domain/VLANs

I'm trying to stop a parent domain user logged onto a parent domain client PC obtaining a license from a dongle in a child domain client PC, which is using port 339. I'm going to remove the other port requirements for the time being and may even create separate ACLs for those.

I've tried applying the ACL to the VLAN and to the range of interfaces, and neither seems to work; the parent domain user on a parent domain PC can still get a license from the child domain license dongle PC.

This is all a non production test environment - no external access or routing

Hope that helps

Thanks

Jason
Okay, if you have two different VLANs, there has to be a router somewhere in the mix. Whether that is an actual router, a firewall or SVIs with local routing on the switch, it still has to exist somewhere. That is where you will need to apply your ACLs.

Let me ask it like this.  On the switch, what is the default-gateway?  On VLAN 10, what is the default gateway for the host IP configuration?  On VLAN 20, what is the default gateway for the host IP configuration?
Hi

interface VLAN 10 is 10.10.10.254
interface VLAN 20 is 10.10.11.254

management VLAN 1 is the switch address 192.168.1.254

clients in each domain have their d/g as the same - vlan 10 clients are 10.10.10.254 vlan 20 clients are 10.10.11.254

no router is in the setup nor any SVIs

Hope that helps

Jason
So just the switch then?  If so, please post the config and output from show cdp ne.
If there is no routing anywhere, hosts from different VLANs can't "talk to each other".
Somewhere traffic must be routed from one VLAN to another VLAN for hosts to be able to talk (typically an L3 switch, router or firewall). Check on which device the default gateway is located; that's the point where packets start to be routed (leave the current VLAN).
Hi

Ignore the Permit_Test_License_Dongle and ICMP ACLs; they are not currently applied.

TEST#sh run

config-file-header
TEST
v1.4.2.4 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 10,20
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
ip access-list extended Permit_Test_License_Dongle
permit tcp 10.10.11.0 0.0.0.255 any 10.10.10.7 0.0.0.0 4720-4721 ace-priority 20
permit udp 10.10.11.0 0.0.0.255 any 10.10.10.7 0.0.0.0 4720-4721 ace-priority 40
permit ip any any ace-priority 60
exit
ip access-list extended ICMP
permit icmp any any any any ace-priority 10
exit
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80
exit
hostname TEST
management access-list admin
permit
exit
username admin password encrypted ************************************************ privilege 15
username cisco password encrypted ************************************************** privilege 15
username administrator password encrypted ******************************************* privilege 15
ip ssh server
ip telnet server
!
interface vlan 1
 ip address 192.168.1.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
interface vlan 20
 name CHILD.PARENT_TEST
 ip address 10.10.11.254 255.255.255.0
!
interface gigabitethernet1
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet2
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet3
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet4
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet5
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet6
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet7
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet8
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet9
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet10
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet11
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet12
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet13
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet14
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet15
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet16
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet17
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet18
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet19
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet20
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet21
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet22
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet23
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet24
 switchport mode access
 switchport access vlan 20
!
interface gigabitethernet28
 description Management
 switchport trunk allowed vlan add 10,20
!
exit
TEST#
Access-list is blocking traffic:
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP

At the end of every access list there is an implicit deny, which means that all traffic directed from VLAN 10 into the routing unit of the switch is blocked.
Hi

All clients on each VLAN can ping each other by IP and hostname

On each DC there is DNS and a DHCP scope for the respective VLAN subnet.

I thought that permit ip any any ace-priority 80 at the end of my ACL overcame implicit deny?

Thanks

Jason
Okay.  This command:

set system mode router


enables routing on the switch.

These commands:

interface vlan 1
 ip address 192.168.1.254 255.255.255.0
 no ip address dhcp
!
interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
interface vlan 20
 name CHILD.PARENT_TEST
 ip address 10.10.11.254 255.255.255.0


build the SVIs associated to the VLANs referenced on each.

These SVIs are where you are going to have to build your VACLs. If I am understanding what you are trying to do and everything above, the following is the ACL you are attempting to apply:

interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP   <---------------

If so, change directionality of the ACL and retest:

from:
service-acl input DENY_FILE_AND_LDAP

to
service-acl output DENY_FILE_AND_LDAP


Sorry, I overlooked permit any any - my bad :)
So traffic only to specific ports is denied:

deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80

Input direction, when the ACL is applied to a VLAN SVI, means traffic from the VLAN goes into the routing unit. So generally that ACL should never deny any traffic, since in your case the input from VLAN 10 into the router will have source IP addresses in 10.10.10.0/24.

So, changing the direction as suggested by atlas_shuddered could work, or you could rewrite the ACL and keep the same direction.
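To make the direction point above concrete, here is an added example (not code from this thread, from Cisco, or from the SG300 firmware): a small first-match evaluator for extended ACEs written in the syntax the thread uses, plus a model of `service-acl input` on an SVI. The model assumes, as the post above describes, that an input ACL on an SVI only sees packets whose source lies on that VLAN (traffic entering the routing unit), that ACEs are evaluated in ascending ace-priority order with first match winning, that wildcard masks follow the usual Cisco convention (0 bits must match), and that an unmatched packet hits the implicit deny. The parser goes a little beyond the thread's ACL in that it also accepts `any` source ports and `low-high` port ranges like the 4720-4721 entries in the Permit_Test_License_Dongle list. The child-domain client 10.10.11.20, the ephemeral port 50123 and the flows are constructed for the demonstration; the ACL text is copied from the thread's DENY_FILE_AND_LDAP as first written.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Copy of the thread's DENY_FILE_AND_LDAP as first written (constructed input).
DENY_FILE_AND_LDAP = """
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 139 ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 389 ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 any 10.10.10.0 0.0.0.255 445 ace-priority 60
permit ip any any ace-priority 80
"""

# (address, wildcard) or (low port, high port); None means "any".
Span = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Span
    sport: Span
    dst: Span
    dport: Span
    priority: int
    text: str


def _take_addr(tokens: List[str]) -> Span:
    """Consume 'any' or '<address> <wildcard-mask>' from the front of tokens."""
    if tokens[0] == "any":
        tokens.pop(0)
        return None
    addr = int(ipaddress.IPv4Address(tokens.pop(0)))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (addr, wildcard)


def _take_port(tokens: List[str]) -> Span:
    """Consume 'any', a single port, or a 'low-high' range."""
    if tokens[0] == "any":
        tokens.pop(0)
        return None
    low, _, high = tokens.pop(0).partition("-")
    return (int(low), int(high or low))


def parse_ace(line: str) -> Ace:
    """Parse one ACE line in the '<action> <proto> <src> [sport] <dst> [dport] ace-priority N' shape."""
    text = line.strip()
    tokens = text.split()
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    priority = 0
    if "ace-priority" in tokens:
        i = tokens.index("ace-priority")
        priority, tokens = int(tokens[i + 1]), tokens[:i]
    has_ports = proto in ("tcp", "udp")
    src = _take_addr(tokens)
    sport = _take_port(tokens) if has_ports else None
    dst = _take_addr(tokens)
    dport = _take_port(tokens) if has_ports else None
    return Ace(action, proto, src, sport, dst, dport, priority, text)


def parse_acl(text: str) -> List[Ace]:
    """ACEs are evaluated in ascending ace-priority order (assumption)."""
    aces = [parse_ace(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(aces, key=lambda a: a.priority)


def _addr_match(span: Span, ip: int) -> bool:
    if span is None:
        return True
    addr, wildcard = span
    care = 0xFFFFFFFF ^ wildcard  # a 0 bit in the wildcard means "must match"
    return (ip & care) == (addr & care)


def _port_match(span: Span, port: int) -> bool:
    return span is None or span[0] <= port <= span[1]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    src = int(ipaddress.IPv4Address(pkt.src))
    dst = int(ipaddress.IPv4Address(pkt.dst))
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)
                and _port_match(ace.sport, pkt.sport) and _port_match(ace.dport, pkt.dport)):
            return ace.action, ace.text
    return "deny", "implicit deny"


def svi_input_verdicts(acl: List[Ace], vlan_subnet: str, packets: List[Packet]) -> Dict[Packet, str]:
    """Model of `service-acl input` on the SVI of vlan_subnet (assumption from the
    thread): only packets sourced inside that VLAN pass the ACL on their way to the router."""
    net = ipaddress.IPv4Network(vlan_subnet)
    return {pkt: (evaluate(acl, pkt)[0] if ipaddress.IPv4Address(pkt.src) in net else "not seen")
            for pkt in packets}


# Constructed flows: a child-domain client on VLAN 20 opening SMB to the
# license server 10.10.10.7 on VLAN 10, the server's reply, and a ping.
SMB_REQUEST = Packet("tcp", "10.10.11.20", 50123, "10.10.10.7", 445)
SMB_REPLY = Packet("tcp", "10.10.10.7", 445, "10.10.11.20", 50123)
PING = Packet("icmp", "10.10.11.20", 0, "10.10.10.7", 0)

if __name__ == "__main__":
    acl = parse_acl(DENY_FILE_AND_LDAP)
    for subnet in ("10.10.10.0/24", "10.10.11.0/24"):
        print(f"ACL applied input on the SVI of {subnet}:")
        for pkt, verdict in svi_input_verdicts(acl, subnet, [SMB_REQUEST, SMB_REPLY, PING]).items():
            print(f"  {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}: {verdict}")
```

Running it shows the mismatch the post describes: applied input on the VLAN 10 SVI, the ACL never sees the client's SYN (its source is 10.10.11.20, on VLAN 20) and only sees the server's reply, which no deny ACE matches; the same ACL applied input on the VLAN 20 SVI drops the SMB request on the port 445 ACE while still permitting the ping through `permit ip any any`.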
Hi

OK guys thanks I'll try output instead of input

I thought though that the SG series switches only did ACL ingress

Thanks

Jason
Jason -

If the directionality change doesn't work, then go with Predrag's suggestion and move the ACL to the other VLAN. You'll need to swap the ACE IP values, but that should be all. Additionally, it will keep the undesirable traffic from ever hitting the routing plane and eating resources just to be dropped on the outbound side.
Hi

Yes, I just tried changing to service-acl output, but input is the only option I get.

So I should try swapping my source vlan and destination vlan around in the acl config and applying on the other vlan?

Jason
Sorry, I am too hasty and too tired.

Try to apply the ACL as it is to the other VLAN; it should work OK.
It may require port modification in the ACL.
ASKER CERTIFIED SOLUTION
Predrag Jovic
This solution is only available to members.
thanks I will try this and test and provide outcome

Jason
unresolved

still not working - ACL applied to VLAN 10 as per last comment :/

interface vlan 10
 name PARENT_TEST
 ip address 10.10.10.254 255.255.255.0
 service-acl input DENY_FILE_AND_LDAP
!
ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.10.0 0.0.0.255 139 10.10.11.0 0.0.0.255 any ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 389 10.10.11.0 0.0.0.255 any ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 445 10.10.11.0 0.0.0.255 any ace-priority 60
permit ip any any ace-priority 80
Not solved. And since Author responses are slow... good luck...
SOLUTION
This solution is only available to members.
Hi

Yes, it's been applied to both VLANs and I believe in both directions.

I take it you mean swap the source and destinations in the ACL over?

Jason
Hi

I will try and add the ACL to the interfaces rather than the SVI and see how that goes

Thanks

Jason
Hi everyone

I've managed to get this working finally - I've been waiting for the engineer assigned to the project to come back so we could test the behavior our client is seeing with the applications getting licences between the parent and child domains

I swapped the source and destination subnets around and applied the ACL to the interface range of VLAN 20, rather than the SVI

ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.11.0 0.0.0.255 139 10.10.10.0 0.0.0.255 any ace-priority 20
deny tcp 10.10.11.0 0.0.0.255 389 10.10.10.0 0.0.0.255 any ace-priority 40
deny tcp 10.10.11.0 0.0.0.255 445 10.10.10.0 0.0.0.255 any ace-priority 60
permit ip any any ace-priority 80

Many thanks for everybody's contributions and apologies this question has been updated so infrequently!

Jason
interface range vlan 20 = interface vlan 20

So, the solution was provided a long time ago, as can be seen from the above posts.
Hi

No, I mean I applied it to the physical interfaces rather than the SVI:

ip interface range gigabitethernet 13-24
service-acl input DENY_FILE_AND_LDAP

Cheers
OK, that is a different approach, which is not recommended.

You are actually wasting system resources. Devices typically do not have big TCAMs. It would be advisable to configure it just on the SVI.
Also, all traffic is inspected (even traffic between hosts in the same VLAN), so CPU utilization could skyrocket.

If the ACL applied to physical ports works correctly, it should work correctly when applied to the SVI for the same VLAN.
Hi

It doesn't work when applied to the SVI - these SG switches don't run the full blown IOS

It's in a test environment - we're just trying to replicate a behaviour a client is seeing between domain/sub-domain trying to get application licences and database copies - not too concerned about CPU

Cheers
In that case, that's it.
:)
Perfect, thanks for your input - every day is a school day :)
As per my comments, this SG switch IOS version doesn't seem to like the ACL applied to the SVI. The solution was to apply the amended ACL (source and destination subnets reversed) to the VLAN 20 interfaces rather than the VLAN 10 interfaces.
Sure...
The CLI manual, page 842, states that it can be applied to a VLAN:
Command Mode

Interface Configuration (Ethernet, Port-Channel, VLAN) mode
...but you tested it and it is not working. It is good to know that detail (not to waste time in vain). Maybe applying to a VLAN does not mean to the SVI, but to the VLAN itself (VLAN access-list), so maybe I misunderstood the sentence (it would not be the first time ;))
No problem, I maybe misunderstood too :)
Thanks for feedback.
;)