HSRP and ACL’s
I added a Guest VLAN to a network environment with two multilayer switches running HSRP. To secure the internal network from the Guest VLAN, I added an ACL to the Guest VLAN SVI. The ACL is shown below:
ip access-list extended GUEST-DENY-RFC1918
remark Allow DHCP
permit udp any eq bootpc any
remark Deny RFC 1918
deny ip 10.1.2.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.1.2.0 0.0.1.255 172.16.0.0 0.0.15.255
deny ip 10.1.2.0 0.0.1.255 192.168.0.0 0.0.255.255
remark Allow HTTP / HTTPS
permit tcp 10.1.2.0 0.0.1.255 any eq http
permit tcp 10.1.2.0 0.0.1.255 any eq https
The ACL permits DHCP requests so that guest clients can obtain an IP address. Next, the ACL denies access to all RFC 1918 address space, which is used on the customer's internal LAN segments. The last two statements permit HTTP and HTTPS access to the Internet.
At first, I just applied the ACL to both multilayer switches and thought I was done. After completing some other tasks, I always check the configuration before finishing my work. Looking at the show standby brief output, I noticed that the primary HSRP switch no longer had a standby switch, as shown in the output below:
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 200 P Active local 10.1.0.3 10.1.0.1
Vl2 2 200 P Active local unknown 10.1.2.1
Because the only change was applying the ACL to the SVI, I already knew where to look for the cause. Adding a deny ip any any log statement at the bottom of the ACL gave me the information I needed.
05:48:09.366: %SEC-6-IPACCESSLOGP: list GUEST-DENY-RFC1918 denied udp 10.1.2.2(1985) -> 224.0.0.2(1985), 360 packets
The ACL is blocking the HSRP multicast packets. The log output shows that HSRP uses multicast address 224.0.0.2 and UDP port 1985, and that the multilayer switch uses its SVI IP address as the source of the HSRP packets. None of the permit statements match this traffic, so it falls through to the deny at the end of the ACL.
I changed the ACL on both multilayer switches by adding a statement that permits the HSRP packets (the source address is 10.1.2.2 on one switch and 10.1.2.3 on the other, hence the [2|3] notation). The new ACL is shown below:
ip access-list extended GUEST-DENY-RFC1918
remark Allow DHCP
permit udp any eq bootpc any
remark Allow HSRP PACKETS
permit udp host 10.1.2.[2|3] eq 1985 host 224.0.0.2 eq 1985
remark Deny RFC 1918
deny ip 10.1.2.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.1.2.0 0.0.1.255 172.16.0.0 0.0.15.255
deny ip 10.1.2.0 0.0.1.255 192.168.0.0 0.0.255.255
remark Allow HTTP / HTTPS
permit tcp 10.1.2.0 0.0.1.255 any eq http
permit tcp 10.1.2.0 0.0.1.255 any eq https
After applying the new ACL to the SVIs, the HSRP packets were no longer blocked and the primary multilayer switch had its standby switch back.
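To see exactly why the first ACL dropped the hellos and the second one does not, here is a small first-match ACL evaluator in Python. It is an added example, not code from this post or from Cisco IOS: it parses the two ACLs from the post (the 10.1.2.[2|3] shorthand is expanded to one entry per switch address, which is an assumption about the intended expansion) and evaluates the HSRP hello from the log line plus three constructed packets (a DHCP discover, a guest-to-LAN flow and a guest-to-Internet flow) against each ACL.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "http": 80, "https": 443}  # names used in the ACLs

# Original ACL from the post (entries only; the "ip access-list" header is left out).
ORIGINAL_ACL = """
remark Allow DHCP
permit udp any eq bootpc any
remark Deny RFC 1918
deny ip 10.1.2.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.1.2.0 0.0.1.255 172.16.0.0 0.0.15.255
deny ip 10.1.2.0 0.0.1.255 192.168.0.0 0.0.255.255
remark Allow HTTP / HTTPS
permit tcp 10.1.2.0 0.0.1.255 any eq http
permit tcp 10.1.2.0 0.0.1.255 any eq https
"""

# Corrected ACL: the HSRP permit is inserted in front of the RFC 1918 denies. The post
# writes the source as "host 10.1.2.[2|3]" (one address per switch); listing one entry
# per SVI address is the expansion assumed here.
FIXED_ACL = ORIGINAL_ACL.replace("remark Deny RFC 1918", """remark Allow HSRP PACKETS
permit udp host 10.1.2.2 eq 1985 host 224.0.0.2 eq 1985
permit udp host 10.1.2.3 eq 1985 host 224.0.0.2 eq 1985
remark Deny RFC 1918""")

# One parsed ACL entry; sport/dport of None means "any port". text keeps the source line.
Entry = namedtuple("Entry", "action proto src sport dst dport text")
# A packet header as far as the ACL cares: protocol, source/destination address and port.
Packet = namedtuple("Packet", "proto src sport dst dport")


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume "any", "host A.B.C.D" or "A.B.C.D WILDCARD" at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    # Only a contiguous wildcard mask can be expressed as a prefix length.
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional "eq PORT" qualifier at tokens[i]; PORT may be a name or a number."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str) -> List[Entry]:
    """Parse the permit/deny entries of a Cisco-style extended ACL; remark lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)  # anything after this (e.g. "log") is ignored
        entries.append(Entry(action, proto, src, sport, dst, dport, line.strip()))
    return entries


def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for n, e in enumerate(entries, 1):
        if e.proto not in ("ip", pkt.proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and e.sport != pkt.sport:
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, f"entry {n}: {e.text}"
    return "deny", "implicit deny ip any any"


# Constructed sample packets; the HSRP hello carries the addresses and ports from the post's log line.
HSRP_HELLO = Packet("udp", "10.1.2.2", 1985, "224.0.0.2", 1985)
DHCP_DISCOVER = Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67)
GUEST_TO_LAN = Packet("tcp", "10.1.2.50", 51000, "10.1.0.10", 443)
GUEST_TO_WEB = Packet("tcp", "10.1.2.50", 51001, "198.51.100.10", 443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for label, pkt in (("HSRP hello", HSRP_HELLO), ("DHCP", DHCP_DISCOVER),
                           ("guest->LAN", GUEST_TO_LAN), ("guest->web", GUEST_TO_WEB)):
            print(f"{name:8} {label:10} -> {evaluate(parse_acl(acl), pkt)}")
```

Against the original ACL the hello matches no entry at all (its destination 224.0.0.2 is not RFC 1918 space, and the only UDP permit requires source port bootpc), so it lands on the implicit deny, which is why nothing showed up until the explicit deny ip any any log was added. Against the corrected ACL it matches the HSRP entry before the RFC 1918 denies are reached, while guest-to-LAN traffic is still denied and guest HTTPS to the Internet is still permitted. The evaluator only understands the subset of extended-ACL syntax used on this page (any, host and wildcard addresses, and eq port qualifiers).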
Applying an ACL to an SVI is a common task, so before applying one it is important to check whether a special protocol such as HSRP is running on that SVI or elsewhere in the configuration.
Searching the Internet, I found a nice article on Aaron's Worthless Words blog about multicast addresses, port numbers and their associated protocols.
René Jorissen