ARP and ACLs

Create Date: Aug 7 2013 12:45PM

Hi

I am trying to put an ACL on the core switch for a VLAN. This seems to be blocking traffic between machines on the same VLAN, as they are sending out ARP requests which aren't answered. Do I need an entry to allow ARP? Please help.



entry c_pc_to_rdp {
    if {
        source-address 172.16.100.0/22;
        destination-address 10.10.115.0/24;
        protocol tcp;
        destination-port 3389;
    } then {
        permit;
    }
}

entry default_allow_out {
    if {
        source-address 10.10.115.0/24;
    } then {
        permit;
    }
}

entry default_deny {
    if {
    } then {
        deny;
    }
}

(from Conrad_Jones)
Create Date: Aug 16 2013 12:10PM

Hello conradjones

I am not exactly sure what you want to achieve, but the reason the ARP packets are being dropped is because you have the deny all in the ACL. If you need a packet to get through then you need to put a permit into the file. If a packet hits an entry in the policy file then it will exit the ACL at that entry; otherwise it hits the final deny.

Hope that makes sense.

p

(from Paul_Russo)
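The fix Paul describes, written out as an added example (my own, not a policy from the original thread or from Extreme): ARP is not IP, so neither the source-address/destination-address conditions nor the protocol condition can ever match it, and the catch-all default_deny drops every ARP request and reply entering the VLAN, including frames bridged between two hosts on the same VLAN. An entry matching the ARP EtherType (0x0806) placed anywhere before default_deny lets it through. The entry name allow_arp and the counter name arp_permitted are mine; the ethernet-type match condition and the count action modifier are EXOS policy syntax as I know it, so confirm them against the EXOS release you are running.

```text
# ARP permit placed before the catch-all deny. Entry order matters:
# evaluation stops at the first matching entry, so this must sit
# above default_deny. Names are assumptions, not from the original post.
entry allow_arp {
    if {
        ethernet-type 0x0806;   # ARP request and ARP reply share one EtherType
    } then {
        permit;
        count arp_permitted;    # counter to confirm ARP now hits this entry
    }
}

entry c_pc_to_rdp {
    if {
        source-address 172.16.100.0/22;
        destination-address 10.10.115.0/24;
        protocol tcp;
        destination-port 3389;
    } then {
        permit;
    }
}

entry default_allow_out {
    if {
        source-address 10.10.115.0/24;
    } then {
        permit;
    }
}

entry default_deny {
    if {
    } then {
        deny;
    }
}
```

The ARP entry is deliberately narrow: it permits only EtherType 0x0806, not all non-IP traffic, so the deny-by-default posture for everything else is unchanged. After the policy is refreshed, the arp_permitted counter should start incrementing as hosts on the VLAN resolve each other, which is a quicker check than waiting for a ping to succeed.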
Create Date: Aug 18 2013 10:24AM

Thanks prusso

Previous testing showed ARP worked without needing that in the ACL, but I have a good idea why now. Probably the core switch had the ACL on and ARP was fine between two devices on an edge switch, but the ACL was still blocking inter-VLAN traffic as that was passing through the core to be routed. Or it was inter-VM traffic which wasn't hitting the physical switch as the VMs were on the same host.

conrad

(from Conrad_Jones)
