ACLs and VLAN interfaces

I am trying to understand the boundaries of a VLAN on a given switch. When a packet is passed from VLAN interface 1 to VLAN interface 2 on the same switch, and VLAN 2 has an inbound ACL denying this packet, would the packet get acted upon in this manner, or does the ACL only get applied when the packet enters a physical interface?

A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
The situation is no different when you are using logical interfaces like SVIs (L3 VLAN interfaces). In your case, if you have an ACL defined inbound on VLAN 1 in the distribution switch, then the packets coming into VLAN 1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2, then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
The concept of inbound and outbound is the same in case of both physical interfaces or logical interfaces.

Similar Messages

  • EIGRP IPv6 and VLAN interfaces

    We've found that we have to set static link local IPs when two routers might peer over multiple VLAN interfaces.
    The issue is that the routers, 6500s with Sup720s, use the same autoconfigured link-local address on each VLAN interface. EIGRP IPv6 refuses to peer with the other router on multiple VLANs when the link-local addresses are the same.
    Anyone else encounter this? Did we miss a config option that would force unique link-local addresses on different VLAN interfaces?
    Because of this issue, we've made it our best practice to configure static link local for all inter-router transits.

    Hi Gary,
    I had a setup with Sup720s on two 7600s and I am able to bring up the neighborship without any issues. I didn't configure a static link-local address, as shown below:
    Ryanair#show ipv6 int vlan 500  | inc FE
      IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
    Ryanair#sho ipv6 int vlan 501 | inc FE
      IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
    Ryanair#show ipv6 eigrp nei
    EIGRP-IPv6 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   Link-local address:     Vl501             11 00:15:51  816  4896  0  13
        FE80::222:55FF:FE17:25C0
    0   Link-local address:     Vl500             11 00:17:14    1   200  0  12
        FE80::222:55FF:FE17:25C0
    Ryanair#
    Can you let us know the version on both the devices?
    Regards,
    Nagendra

  • ACL applied to Vlan interfaces

    I have been working with access lists for a while now and I think I have a good knowledge of them. But the thing I'm still confused about is when you apply an ACL "in" and "out" to an SVI or VLAN virtual interface.
    It seems like on these types of interfaces the directions change completely compared to normal interfaces (Ethernet, serial, etc.). The logic is different and sometimes I find myself in trouble when I have to do some troubleshooting at work.
    I've tried to find some information or manuals on Cisco about this specific issue but unfortunately I couldn't find anything clear.
    Is there some method to quickly know when these ACLs should be applied in one direction or another?
    Thanks for your time.

    It's no different on an SVI: "in" means coming in from the network (user ports), "out" means out towards the clients' network.

  • ACL on Vlan interface

    I am trying to apply an ACL on my VLAN interfaces that would allow the VLAN to initiate TCP traffic. When I apply it, I am unable to surf the web from the VLAN, but I can TFTP from the VLAN.

    This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
    On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
    Hope this helps,
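    As an added example (not code from any of the posts above), this Python simulation shows the two points made in the first thread and in the thread just above: a packet routed from one SVI to another is checked only against the ingress SVI's inbound ACL and the egress SVI's outbound ACL, never the egress SVI's inbound ACL, and an outbound ACL with the `established` keyword lets only return TCP traffic back into a VLAN. The topology, ACL names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"              # "ip", "tcp", "udp" or "icmp"
    tcp_ack_or_rst: bool = False   # ACK or RST bit set: what 'established' tests


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str = "ip"          # "ip" matches every protocol
    src: str = "any"           # "any" or a CIDR prefix
    dst: str = "any"
    established: bool = False  # the 'established' keyword

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        # 'established' matches only TCP segments with ACK or RST set, so the
        # bare SYN that opens a new connection never matches it.
        if self.established and not (pkt.proto == "tcp" and pkt.tcp_ack_or_rst):
            return False
        return True


@dataclass
class Acl:
    name: str
    aces: list

    def permits(self, pkt: Packet) -> bool:
        for ace in self.aces:          # first matching entry decides
            if ace.matches(pkt):
                return ace.action == "permit"
        return False                   # implicit 'deny ip any any' at the end


@dataclass
class Svi:
    vlan: int
    subnet: str                        # prefix this SVI routes for
    acl_in: Optional[Acl] = None       # 'ip access-group <name> in'
    acl_out: Optional[Acl] = None      # 'ip access-group <name> out'


class Switch:
    def __init__(self, svis):
        self.svis = {s.vlan: s for s in svis}

    def _svi_for(self, addr: str) -> Svi:
        for svi in self.svis.values():
            if ip_address(addr) in ip_network(svi.subnet):
                return svi
        raise ValueError(f"no SVI routes {addr}")

    @staticmethod
    def _check(acl: Acl, where: str, pkt: Packet, trace: list) -> bool:
        ok = acl.permits(pkt)
        trace.append(f"{where} {acl.name}: {'permit' if ok else 'deny'}")
        return ok

    def route(self, pkt: Packet):
        """Return (verdict, trace) for a packet routed from one SVI to another.
        Only the ingress SVI's inbound ACL and the egress SVI's outbound ACL are
        consulted; the egress SVI's inbound ACL never sees this packet."""
        ingress, egress = self._svi_for(pkt.src), self._svi_for(pkt.dst)
        trace = []
        if ingress.acl_in and not self._check(ingress.acl_in, f"Vlan{ingress.vlan} in", pkt, trace):
            return "dropped", trace
        if egress.acl_out and not self._check(egress.acl_out, f"Vlan{egress.vlan} out", pkt, trace):
            return "dropped", trace
        trace.append(f"forwarded Vlan{ingress.vlan} -> Vlan{egress.vlan}")
        return "forwarded", trace


# Constructed topology (not from the posts): clients on VLAN 10, servers on VLAN 20.
# VLAN 20 drops ICMP arriving *inbound*; VLAN 10 only lets return TCP traffic *out*.
NO_ICMP_IN = Acl("NO-ICMP-IN", [Ace("deny", "icmp"), Ace("permit")])
RETURN_ONLY_OUT = Acl("RETURN-ONLY", [
    Ace("permit", "tcp", "any", "10.10.10.0/24", established=True),
    Ace("deny"),
])
SWITCH = Switch([Svi(10, "10.10.10.0/24", acl_out=RETURN_ONLY_OUT),
                 Svi(20, "10.10.20.0/24", acl_in=NO_ICMP_IN)])

if __name__ == "__main__":
    for pkt in (Packet("10.10.10.5", "10.10.20.9", "icmp"),                      # ping into VLAN 20
                Packet("10.10.20.9", "10.10.10.5", "tcp", tcp_ack_or_rst=True),  # SYN/ACK back to client
                Packet("10.10.20.9", "10.10.10.5", "tcp")):                      # server-initiated SYN
        verdict, trace = SWITCH.route(pkt)
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}: {verdict}; " + "; ".join(trace))
```

    The ping into VLAN 20 is forwarded even though VLAN 20's inbound ACL denies ICMP, because that ACL is only evaluated for packets arriving from VLAN 20; the same ping sent from VLAN 20 is dropped.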

  • The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

    Hello
    I think the following topologies are supported for Cisco Routers
    And the physical interface can also be used as the native VLAN interface, right?
    Topology 1.
     R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
    R1 - configuration
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    Topology 2.
    R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
    interface GigabitEthernet0
    ip address 10.0.0.1 255.255.255.0
    And is it OK to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF, etc.?
    R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
          Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
    R1 - configuration
    interface GigabitEthernet0
     ip address 10.0.0.1 255.255.255.0
    interface GigabitEthernet8.20
     encapsulation dot1Q 20
     ip address 20.0.0.1 255.255.255.0
    Any information is very much appreciated, but if there is any CCO document, please let me know.
    Thank you very much and regards,
    Masanobu Hiyoshi

    Hello,
    The diagram is helpful.
    If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
    Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
    Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
    Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
    My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
    Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
    I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
    Best regards,
    Peter

  • Any advantages to setting the AP-Manager and Management interface to an untagged vlan?

    Any advantages to setting the AP-Manager and Management interface to an untagged VLAN? Currently, our controllers have their management and ap-manager interfaces on the same untagged VLAN. Would it be wise to change this? Are there any gotchas I should be aware of?

    Not really, there won't be a problem. Management and AP-manager can be on different VLANs.
    The vlan you chose to untag is the vlan you should declare as native on the switch, that's it.
    No advantage in having interfaces configured in a way or another.
    Some people want the management to be in a "management" subnet and the ap-manager will be in the subnet with all the APs. Some others have several AP subnets so the ap-manager is in the same as management ... no importance whatsoever as long as the config is coherent.
    The only thing that is worth considering is the size of the AP subnet, to me. If you give a /16 for APs and have 1000 APs in a single subnet, ARP and broadcast storms will be hitting the fan. But the VLAN tags/untags that you chose are not important.
    Nicolas

  • Cisco SG 300-10 VLAN and IP Interface Question

    Hello,
    Please forgive me if you find my question too basic. But I would really appreciate an answer, as I am having a heck of a time getting the VLANs to work. I have several VLANs configured as follows, but my question is related to only two VLANs: VLAN 104 and VLAN 2000. The following are the screenshots. I have connected a cable from Port 6 of the switch to NIC2 of a Windows 8.1 PC. When I use GE6 as an access port for VLAN 104, I am able to ping NIC2 configured with static IP 10.10.30.30. However, when I use GE6 as a trunk port for VLAN 104 and 2000, I am not able to ping NIC2 configured with static IP 10.10.30.30 or static IP 10.10.110.30. I am using the ping utility from the GUI.
    If there is a better way to test the trunk port, please let me know.
    At this point, I am assuming that something is wrong with my configuration, as NIC2 is unable to receive an IP address.
    The other assumption is that NICs with the Windows 8.1 OS do not accept traffic from tagged VLANs.
    VLAN Table
    VLAN ID | VLAN Name | Originators | VLAN Interface State | Link Status | SNMP Traps
    1 | Default | Enabled | Enabled
    100 | Management A | Static | Disabled | Enabled
    101 | Management B | Static | Disabled | Enabled
    102 | VXLAN A | Static | Disabled | Enabled
    103 | VXLAN B | Static | Disabled | Enabled
    104 | vMotion | Static | Enabled | Enabled
    105 | IP Storage | Static | Disabled | Enabled
    106 | HQ Uplink | Static | Disabled | Enabled
    107 | HQ Access | Static | Disabled | Enabled
    1000 | Test VLAN | Static | Disabled | Enabled
    2000 | Test2 VLAN | Static | Enabled | Enabled
    Port VLAN Membership Table
    Interface | Mode | Administrative VLANs | Operational VLANs | LAG
    GE1 | Trunk | 1UP | 1UP
    GE2 | Trunk | 1UP | 1UP
    GE3 | Trunk | 1UP | 1UP
    GE4 | Trunk | 1UP | 1UP
    GE5 | Trunk | 1UP | 1UP
    GE6 | Trunk | 1UP, 104T, 2000T | 1UP, 104T, 2000T
    GE7 | Trunk | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
    GE8 | Trunk | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
    GE9 | Trunk | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
    GE10 | Trunk | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T | 1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
    IPv4 Interface Table
    Interface | IP Address Type | IP Address | Mask | Status
    VLAN 105 | Static | 10.10.20.1 | 255.255.255.0 | Valid
    VLAN 104 | Static | 10.10.30.1 | 255.255.255.0 | Valid
    VLAN 2000 | Static | 10.10.110.1 | 255.255.255.0 | Valid
    VLAN 1 | Static | 192.168.0.39 | 255.255.255.0 | Valid
    VLAN 1000 | Static | 192.168.1.1 | 255.255.255.0 | Valid
    VLAN 106 | Static | 192.168.100.1 | 255.255.255.0 | Valid
    VLAN 100 | Static | 192.168.110.1 | 255.255.255.0 | Valid
    VLAN 107 | Static | 192.168.130.1 | 255.255.255.0 | Valid
    VLAN 102 | Static | 192.168.150.1 | 255.255.255.0 | Valid
    VLAN 101 | Static | 192.168.210.1 | 255.255.255.0 | Valid
    VLAN 103 | Static | 192.168.250.1 | 255.255.255.0 | Valid

    Tom and Michal, your response is much appreciated. You are 100% right. The issue was with Windows recognizing the VLAN tags. I have tested trunking by using the vmxnet3 driver from VMware and it works.
    I had another question where I can use your help too. I am not sure how to connect two Cisco SG300 switches, one in L3 mode and the second one in L2 mode. I have configured GVRP for Port 5 of both switches and run a cable connecting Port 5 of each switch. I have made Port 5 of both switches trunk mode (1U, 1000T). I have created VLAN 1000 on both switches. On the L3 switch, I have added an IP interface (192.168.100.1) to VLAN 1000. My issue is that I am not able to access the management port (192.168.1.238) of the L2 switch. Note that the L2 switch has only one uplink, which is to the L3 switch. Since Port 5 also receives untagged traffic from VLAN 1 (192.168.1.1), I am assuming that it would receive the management network from VLAN 1.

  • VLAN and physical interface of VLAN showing different utilizations

    Puzzled???
    Anyone know why the physical interface of the VLAN and the VLAN interface show different utilizations? For instance, the physical interface shows 60% utilization and the VLAN interface is double that.
    Thanks in advance
    Mike G.

    As far as I know, subinterfaces are logical interfaces created on a hardware interface. These software-defined interfaces allow for segregation of traffic into separate logical channels on a single hardware interface, as well as allowing for better utilization of the available bandwidth on the physical interface.
    http://www.cisco.com/univercd/cc/td/doc/product/software/iosxr3/int_c3/hc3vlan.htm

  • Doubt with Dynamic Interfaces and VLANs

    Hello.
    I am trying to get wireless clients and APs to be on the same VLAN/subnet; it is now working with the management interface on my WLC 5508. My problem comes up when I change them to a new dynamic interface.
    Before any change:
    VLAN: 8
    Management Interface IP: 192.168.9.2/23
    Gateway: 192.168.8.1
    DHCP Server: 192.168.8.2
    WLAN SSID linked to Management interface: Ray123
    APs on VLAN 8 and subnet static IP range 192.168.9.0/23
    There is no dynamic interface.
    After changes:
    VLAN: 0
    Management Interface: 192.168.6.2/23
    Gateway: 192.168.6.1
    DHCP Server: 192.168.6.2
    Dynamic interface name: Wireless-1
    VLAN: 8
    Management Interface IP: 192.168.9.2/23
    Gateway: 192.168.8.1
    DHCP Server: 192.168.8.2
    WLAN SSID linked to Dynamic interface: Ray123
    APs still on VLAN 8 and subnet static IP range 192.168.9.0/23
    After all this is done I can see all my APs via CDP neighbors, I can ping them and the management interface too, but the APs are not registered, and no clients either.
    According to this guide:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
    Dynamic interfaces and APs should be on the same VLAN.
    But this another guide states the opposite:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
    "Set the APs in a VLAN that is different from the dynamic interface configured on the Controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the Controller and the 'LWAPP discovery rejected' and 'Layer 3 discovery request not received on management VLAN' errors are logged on the Controller"
    I can't understand why the VLANs for APs and dynamic interfaces should be different; it makes no sense to configure a VLAN intended for APs which shouldn't be on the same VLAN.
    Please tell me what is wrong.
    Thanks in advance.

    You have to tell the APs where the WLC lives now: 192.168.6.2.
    You can do this in the following ways:
    Manually prime the APs
    Option 43
    DNS
    ip forward udp 5246
    Move the APs to the same VLAN as the management interface, let them join, and then change the VLAN.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
    I cannot get a PC, in a VLAN that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that VLAN to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the VLANs assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about IP packets having a way around the FWSM. My suspicion is that this command and the fact that I have MLS on is causing some type of problem which results in the packet being "lost" when it needs to go through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" command may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • Cisco 871W - VLAN-Interface = 'Up/Down'

    Hi,
    I have configured our company's Cisco 871W per the suggested configs found on the Cisco web site; however, the VLAN1, VLAN10 and VLAN20 interfaces won't come up (i.e. up/down) and it's preventing communication. I guess I'm expecting this to behave like a multi-layer switch/router (i.e. 3560). Can anyone help me with this?
    Here is the config:
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname xxxxxxxxxxxxx
    boot-start-marker
    boot-end-marker
    enable secret xxx
    enable password xxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    resource policy
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.99
    ip dhcp excluded-address 192.168.2.1 192.168.2.99
    ip dhcp pool VLAN10
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    domain-name xxxxxxxxxxxxxxxx
    lease 4
    ip dhcp pool VLAN20
    import all
    network 192.168.2.0 255.255.255.0
    default-router 192.168.2.1
    domain-name xxxxxxxxxxxx
    lease 4
    no ip domain lookup
    ip domain name xxxxxxxxx
    crypto pki trustpoint TP-self-signed-1485172728
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1485172728
    revocation-check none
    rsakeypair TP-self-signed-1485172728
    crypto pki certificate chain TP-self-signed-1485172728
    certificate self-signed 01
    <--------some output omitted--------->
    interface FastEthernet0
    switchport access vlan 20
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    spanning-tree portfast
    interface FastEthernet4
    ip address 10.2.5.1 255.255.0.0
    ip nat outside
    ip virtual-reassembly
    ip tcp adjust-mss 1460
    duplex auto
    speed auto
    no cdp enable
    interface Dot11Radio0
    no ip address
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    interface Vlan1
    no ip address
    interface Vlan10
    description Internal Network
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Vlan20
    description Guest Network
    ip address 192.168.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    no ip http server
    no ip http secure-server
    ip nat inside source list 1 interface FastEthernet4 overload
    ip access-list extended Guest-ACL
    deny ip any 192.168.1.0 0.0.0.255
    permit ip any any
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 permit 192.168.2.0 0.0.0.255
    <--------------output omitted---------->
    End
    Sample device-specific configs would help.
    We are not concerned with the wireless portion of the config at this point.
    Any insight is appreciated.
    Thanks!
    Chris
    News Corp.

    You may be hitting with a bug : check the details of this bug : CSCsc10989

  • VLAN interface on ME2600X

    I'm trying to configure a VLAN interface on my ME2600X (for inband management), but the switch won't accept the command.
    What am I missing? I need a way to combine layer-2 services and a management vlan on the same dot1q trunk into the ME2600X.
    Geir Jensen

    Hello Geir,
    You can use service instances e.g.:
    interface GigabitEthernet0/3
    switchport trunk allowed vlan none
    switchport mode trunk
    dampening
    mtu 9100
    load-interval 30
    media-type rj45
    service instance 5 ethernet
    description Management VLAN
    encapsulation dot1q 5
    rewrite ingress tag pop 1 symmetric
    bridge-domain 5             – this will pop up message:
    Bridge-domain 5 created
    VLAN 5 does not exist, creating vlan
    interface Vlan5
    description Management VLAN
    ip address 10.0.0.1 255.255.255.0
    ip access-group MNGT-ACL in
    end
    adam

  • 3750X - Dropped multicast traffic flooding on all switchport VLAN interfaces

    Hello forum, 
    I have a problem with source multicast blocking. I have a switch with a VLAN interface (e.g. vlan 20) and on that VLAN interface an extended ACL is present. That ACL blocks specific multicast groups. Furthermore, I have many switchport access interfaces on VLAN 20 with different sources connected.
    If one source starts streaming to a multicast destination IP blocked by the ACL, the dropped traffic is flooded on all switchports in the source's VLAN.
    IGMP snooping on this VLAN is enabled, but it seems that the dropped traffic stays on the L2 VLAN regardless.
    Device used: C3750X
    IOS:  15.0(2)SE5
    Thank you for help

    Hi Michal,
    thanks for your reply!
    Yes, probably I've captured all lines of the access-list... but I have to change my approach because my access-list is an extended "named" access-list and, in another post, I've read that "named" access-lists cannot be debugged...
    Now I've deleted all access-list entries that refer to vlan2 and I've created a new "numerical" one:
    #ip access-list extended 100
    #10 ip permit 172.16.2.0 0.0.0.15 any log
    In this mode the debug shows only access-list 100 traffic + bcast + mcast.
    But the strange thing is another one now...
    I've bought a multifunction printer that sends scanned documents to an email account. The printer doesn't have an internal SMTP server; it makes a connection to HP servers that forward the scans to the real destination address...
    I was curious to find out how this connection works because my private/confidential documents are sent over the internet and I would hope that HP uses a secure connection from my printer to its server...
    Well, if I add the "log" keyword at the end of the access-list, or I enable access-list debugging, the printer stops communicating with the HP services/server... if I turn off debug or rewrite the access-list without the "log" feature, incredibly the printer starts communicating with HP again...
    Have you any idea that explains that? I'm going crazy...

  • ACL's in VLAN Catalyst 3550

    Hello !!
    We have a Switch Catalyst 3550 - 12G
    IOS : Version 12.2(25)SEA
    I need to implement ACL security in VLANs. But it didn't work.
    VLAN 11 Definition :
    interface Vlan11
    description VLAN - RED WAN
    ip address 192.168.21.1 255.255.255.0
    Interface association (g0/7) with VLAN 11 and extended ACL (ip1)
    interface GigabitEthernet0/7
    switchport access vlan 11
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 11
    switchport mode dynamic desirable
    ip access-group ip1 in
    ACL definition :
    ip access-list extended ip1
    permit ip 192.168.70.0 0.0.0.255 any
    deny ip any any
    This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However, it doesn't work.
    Inter-VLAN communication is OK.
    Any suggestions?
    .... Switch config attached.
    Thanks.
    John Nanez E.

    Try putting it on the SVI for VLAN 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also, the way you wrote it, you'll have to put it as "out" on the VLAN, because you are permitting an address from another network to the VLAN 11 address space; thus it would have to block the traffic "out" to the devices on VLAN 11.

  • MSFC - cannot ping vlan interface

    Hi,
    We have several VLANs defined on the MSFC. On the MSFC we could ping all the VLAN interfaces except one VLAN. The interface is up and just recently we weren't able to ping it. Any help is much appreciated.
    TIA.
    PF

    Hi PF,
    AFAIK, when you are pinging a particular interface sitting on the MSFC, the source IP would be that of any other available interface. If you are pinging VLAN 110, it will take the source IP of any other available VLAN interface and the destination is VLAN 110, but the ACL defined on the interface does not have any ACE for that, so the packets will be dropped.
    Removing the ACL worked as explained above.
    regards,
    -amit singh
