Messages - mercy_angel

#1
What do you think about the Cisco side? Everything OK?
BFD on bundle interfaces and BGP? I read that on bundle VLAN interfaces you can only use IS-IS, OSPF and static routes.
#2
Quote from: Otanx on November 18, 2021, 12:28:54 PM
What version are you running on the Mikrotik? A quick google for "mikrotik bfd neighbor not found" shows that they had a bug in version 6. Not sure when it was fixed (or if it was). Is the Cisco IP x.x.x.237? If so then it seems like it is sending the bfd packet, and the MikroTik is discarding it. Looking at results for mikrotik bfd in google, it seems that bfd has been a problem for them. I can't find any current results, but results from 2010 - 2015 seem like everyone was having issues. Do you have other devices you can test with?

-Otanx

Edit: I did see this at the bottom of a page:

For interoperability with Cisco make sure to disable echo mode (it is enabled on Cisco by default), since it's not supported on MT.

To do that, on Cisco in interface configuration mode type:

no bfd echo
Yes, it is Cisco XR.
I cannot add "no bfd echo"; it's not available on bundled interfaces. I can only use "echo disable", like I posted at the beginning.
We are using 6.48.2.
Not sure what's missing.
#3
We have set this on the ASR router (Cisco XR):


bgp:
  bfd fast-detect
  bfd multiplier 5
  bfd minimum-interval 300

bfd:
  interface bundle-eth1.44
    echo disable
    rx-interval 2000000


and on the MikroTik also BFD (you can see the picture),


and of course BFD is checked on the peer.
When I enable BFD on the peer, BGP goes to the OpenSent state and won't come up. In the MikroTik logs I can see an error like "neighbour not found".


Where is the problem?


#4
Routing and Switching / Re: acl wont work
August 11, 2021, 12:13:09 PM
Quote from: deanwebb on March 22, 2021, 09:04:12 AM
That ACL denies all inbound traffic from 192.168.0.0/17 except from 192.168.2.0/24. Your IT VLAN is 192.168.50.0/24, so it is blocked.

If you add a permit ip any 192.168.50.0 0.0.0.255, (above the deny) the IT VLAN traffic should be allowed.


<admin edit>

You are right, but that VLAN will see the IT VLAN if I add permit 192.168.50.
The idea is that only IT has access to all other VLANs, not vice versa.
#5
Yeah, but making those two /25s is the last option; is there no other way?  :'(

#6
Quote from: deanwebb on June 18, 2021, 05:26:00 PM
Put the restrictions on the restricted VLAN, in and out.

If I understand correctly, the VLAN interface must be configured like:
ip access-group FILTER_VLAN_25 in
ip access-group FILTER_VLAN_25 out


Extended IP access list FILTER_VLAN_25
    10 permit ip any 192.168.2.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.128.255 (648975 matches)
    30 permit ip any any (43833968 matches)
    40 permit icmp any any



The idea is that only VLAN 50 (192.168.50.0/24) sees all those other VLANs, but not vice versa.

Update:
When I put this ACL on VLAN 25 in and out, I can't access it from VLAN 50.
#7
Do you mean on VLAN 50? Or do you mean the access-group "out", because I have only inbound?
When I put it on VLAN 50, I can't access them, but the idea is that only VLAN 50 sees all the others.

#8
Just one more question: what about communication between two VLANs?

Extended IP access list FILTER_VLAN_25
    10 permit ip any 192.168.2.0 0.0.0.255
    20 deny ip any 192.168.0.0 0.0.128.255 (648975 matches)
    30 permit ip any any (43833968 matches)
    40 permit icmp any any


This VLAN 25 (192.168.25.0/24) can access VLAN 50. Why?
It's an inbound access-group on the VLAN, but why is access still working? I want to forbid other VLANs from reaching my VLAN 50.
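Posts #6 and #8 both show the same FILTER_VLAN_25 list, so one added example covers both (this is example code written for this page, not anything posted in the thread). It evaluates that ACL against constructed destination addresses using Cisco wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is "don't care"), and also runs a hypothetical variant whose deny line uses 0.0.127.255 instead of 0.0.128.255, since a wildcard of 0.0.128.255 matches only third octets 0 and 128 (512 addresses), whereas 0.0.127.255 spans the whole 192.168.0.0/17 range.

```python
import ipaddress
from typing import Optional

# Added example (not from the thread): a small evaluator for Cisco-style
# extended ACL entries using wildcard-mask semantics. In a wildcard mask
# a 0 bit must match and a 1 bit is "don't care".

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: Optional[str]) -> bool:
    """True if addr matches base under the wildcard mask ('any' matches all)."""
    if base == "any":
        return True
    care = 0xFFFFFFFF ^ _to_int(wildcard or "0.0.0.0")   # bits that must match
    return (_to_int(addr) & care) == (_to_int(base) & care)

def covered_addresses(wildcard: str) -> int:
    """Number of addresses a wildcard mask spans (2 ** number of 1 bits)."""
    return 1 << bin(_to_int(wildcard)).count("1")

# The ACL as posted in the thread: (seq, action, protocol, dst, dst_wildcard).
# Source is 'any' on every line, so only the destination is checked here.
FILTER_VLAN_25 = [
    (10, "permit", "ip",   "192.168.2.0", "0.0.0.255"),
    (20, "deny",   "ip",   "192.168.0.0", "0.0.128.255"),
    (30, "permit", "ip",   "any",         None),
    (40, "permit", "icmp", "any",         None),
]

# Hypothetical variant: deny line rewritten with the wildcard for 192.168.0.0/17.
FILTER_VLAN_25_SLASH17 = [
    (10, "permit", "ip",   "192.168.2.0", "0.0.0.255"),
    (20, "deny",   "ip",   "192.168.0.0", "0.0.127.255"),
    (30, "permit", "ip",   "any",         None),
    (40, "permit", "icmp", "any",         None),
]

def evaluate(acl, protocol: str, dst: str):
    """Return (seq, action) of the first matching entry; implicit deny if none."""
    for seq, action, proto, base, wc in acl:
        # An 'ip' entry matches every IP protocol; others must match exactly.
        if proto in ("ip", protocol) and wildcard_match(dst, base, wc):
            return seq, action
    return None, "deny"

if __name__ == "__main__":
    for dst in ("192.168.2.9", "192.168.0.5", "192.168.128.5", "192.168.50.20"):
        print(dst, evaluate(FILTER_VLAN_25, "tcp", dst),
              evaluate(FILTER_VLAN_25_SLASH17, "tcp", dst))
```

Traffic to 192.168.50.20 falls through to line 30 under the posted mask, while 192.168.128.5 (outside /17) is denied by it; line 40 is never reached because line 30 already permits every IP protocol.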
#9
Quote from: deanwebb on June 15, 2021, 02:40:30 PM
OK, then it's clear. If you want an ACL to work, it needs to be on a VLAN and the endpoint you want to control needs to be in a separate VLAN from the devices you want to control access to. Call it the "control VLAN" or whatever you want, but it needs to be separate from the other endpoints. If that was a Catalyst switch on the access layer, you'd have ACLs on the port. With the SG series, you secure it with a different VLAN.

So if I have the subnet 192.168.50.0/24 for my devices, I must make two VLANs with smaller subnets:

vlan50_Other:192.168.50.0/25
vlan50_ITOnly:192.168.50.128/25

Is that what you meant?
#10
Quote from: deanwebb on June 14, 2021, 01:57:25 PM
That may be so, but we don't generally put ACLs on trunk ports.

What is the L2 switch and what is it licensed for?

It's a Cisco SG220 and it's used for the wall jacks across the offices.
We have several of them throughout the building.

So the firewall provides DHCP, the Cisco 3750 holds the VLANs and their IPs with the helper address pointing to the firewall, and from there it goes to the access switches (SG220).
#11
The device is connected to the L2 switch, where I can't apply an ACL, and this VLAN is trunked through the L3.
#12
I tried to add it for IN:

interface GigabitEthernet1/0/8
description RackIT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,22,40-44,50,90,100
switchport mode trunk
switchport nonegotiate
ip access-group FILTER_VLAN_50 in
end


I can't add it for OUT:
CORE_SW_1(config-if)#ip access-group FILTER_VLAN_50 out
                                                    ^
% Invalid input detected at '^' marker.


But still I can't access all the PCs in my subnet...
#13
So you mean like this?

interface GigabitEthernet1/0/8
description Rack_IT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,22,40-44,50,90,100
switchport mode trunk
switchport nonegotiate
 ip access-group FILTER_VLAN_50 in - PUT HERE
 ip access-group FILTER_VLAN_50 OUT - PUT HERE
end


CORE_SW_1#show run int
CORE_SW_1#show run int vlan 50
Building configuration...

Current configuration : 218 bytes
!
interface Vlan50
description IT
ip address 192.168.50.2 255.255.255.0
 ip access-group FILTER_VLAN_50 in - DELETE FROM HERE
 ip access-group FILTER_VLAN_50 OUT - DELETE FROM HERE
ip helper-address 172.16.251.49
standby 50 ip 192.168.50.1
standby 50 timers 2 6
standby 50 preempt
end


But only for restricting traffic into the subnet, because when I want to block traffic to another subnet, this ACL on the VLAN works.

#14
The whole setup is:

VLANs are created on the FIREWALL, which is connected to the L3 CORE, and that L3 is directly connected to the L2 switches, which just carry the VLANs to that floor. From that L2 one or two cables go to each office, and those offices are on "dumb" switches.


#15
Quote from: deanwebb on June 07, 2021, 09:37:14 AM
Are those hosts in the 192.168.50.0/24 network all on the same switch as the one you're trying to control? If so, then you may need to have it in a separate VLAN.

Yes they are; it's part of the IT department (where a lot of IPsec tunnels are created etc.). It's difficult now to make a new subnet for them, because all the rules are made for that subnet.
Is there no other way to do it?