Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Router ACL's

Status
Not open for further replies.

pbxnkey

Programmer
Aug 15, 2006
191
US
I have configured some ACL's on a Cisco router. When I send pings between the endpoints I noticed that sometimes it states Destination Net Unreachable and sometimes Request timed Out.
Why is it not consistent?
 
A lil more detail...

1. From where to where w/description so we can have some sort of diagram
2. sh run of the router in which you built the acls
3. sh run of others possibly involved

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
Router Config:
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.0.31.250 255.255.255.0
ip address 192.168.31.1 255.255.255.0 secondary
ip access-group 151 in
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.16.31.1 255.255.255.0
ip access-group 152 in

access-list 151 permit ip 10.0.31.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.205
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.136
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.240
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 192.168.31.1
access-list 151 permit ip 10.0.31.0 0.0.0.255 host 10.0.31.1
access-list 151 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 151 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 151 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 151 permit ip any any

access-list 152 permit ip 172.16.31.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 152 permit ip 172.16.31.0 0.0.0.255 host 172.16.31.1
access-list 152 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 152 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 152 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 152 permit ip any any

When I do my tests I have 2 laptops connected to a layer 2 managed switch. Each laptop is in a separate vlan based on the router config.
So one laptop in the 172.16.31.0 subnet and one in the 10.0.31.0 subnet. When I ping between the 2 subnets the 4 pings packets can be Request timed out or Destination Net Unreachable. It varies with the 4 packets. Sometimes it's 4 packets of Dest Net Unreachable.

Here's a sample:
C:\Windows\system32>ping 10.0.31.50

Pinging 10.0.31.50 with 32 bytes of data:
Request timed out.
Reply from 172.16.31.1: Destination net unreachable.
Request timed out.
Reply from 172.16.31.1: Destination net unreachable.

Ping statistics for 10.0.31.50:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),

Thanks
 
access-list 152 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255

is blocking that particular ping. If you want the subnets to access eachother...

access-list 151 (ACE number to edit a single line) permit ip 10.0.31.0 0.0.0.255 172.16.31.0 0.0.0.255

and a line for acl 152...permit ip 172.16.31.0 0.0.0.255 10.0.31.0 0.0.0.255

post a sh access-l and I will show you exactly how to edit/add/delete single ACEs from a given ACL



ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
I do not want the subnets to access each other that is the purpose of the ACL's.
What I don't understand is why when I send a ping the response is not always Request Timed Out or Destination NET unreachable.
 
Not sure without more info...could be that because of some static or something, it could be trying to go out to your secondary IP on vlan1...why the secondary IP anyway, and not another subint? Just curious...

Is it consistent, like every other message is either dest net unreachable and timed out?



ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
I mean to see if ICMP is behaving correctly and you don't have some weird little routing problem, you could open those up for successful pings all the way through and see if you get 50% or 100% then. That experiment will tell you definitively

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
I've tried that. With no ACL's the pings are 100% successful.
 
If I create a another subint instead of secondary IP then I will have to create the vlan in the switch.
I don't think that is the problem (if any) though.
 
I would!

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
Hi,

Could you post the config on the switch?
Pay attention to the switch trunk interface configuration.

-Viconsul
 

Current configuration : 8590 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5
enable password 7
!
username admin password 7
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name
!
no setup express
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/9
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/10
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/11
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/13
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb03.7eb2 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb00.65c7 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/15
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.4ecf vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/17
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.505d vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.7281 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/19
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb00.c4ea vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5300.b201 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/21
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5320.467f vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/22
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5300.012e vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/23
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5300.012f vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/24
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky d4be.d99f.53a0 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.4fc6 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description ***** Connection to Router *****
switchport trunk allowed vlan 1,2
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan1
ip address 10.0.6.235 255.255.255.0
!
interface Vlan2
no ip address
!
ip default-gateway 10.0.6.1
ip http server
ip http secure-server
access-list 11 permit 10.0.0.0 0.0.0.255
access-list 11 permit 10.0.6.0 0.0.0.255
no cdp run
no cdp tlv location
no cdp tlv app

!
line con 0
logging synchronous
line vty 0 4
session-timeout 30
access-class 11 in
logging synchronous
transport input telnet ssh
line vty 5 15
session-timeout 30
access-class 11 in
logging synchronous
transport input telnet ssh
!
end

 
Hi,

Okay, you have port security enabled on some interfaces, lets eliminate that first.
Could you move the endpoint devices to ports that have no port security on them and see what happens.
Also, could you post a running config of the router, let have look at the routing table.

-Viconsul
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top