Cisco 6506, ACLs and ftp

Answered Question
Mar 16th, 2007

Hi! This forum is my last hope to get replies for my questions.

I have a Catalyst 6506-E (show module):

Mod Ports Card Type                               Model
  1    48 48-port 10/100/1000 RJ45 EtherModule    WS-X6148A-GE-TX
  2    48 48-port 10/100/1000 RJ45 EtherModule    WS-X6148A-GE-TX
  3     3 Network Analysis Module                 WS-SVC-NAM-1
  5     9 Supervisor Engine 32 8GE (Active)       WS-SUP32-GE-3B
  6     9 Supervisor Engine 32 8GE (Hot)          WS-SUP32-GE-3B

I have a network 192.168.1.0/24 (VLAN 192) and another network 10.1.1.0/24 (VLAN 10):

192.168.1.20 - ftp-client
10.1.1.100   - ftp-server

Problem:

The Cat 65 has interfaces Vlan192 and Vlan10:

interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 ip access-group 192 in
interface Vlan10
 ip address 10.1.1.0 255.255.255.0

Extended IP access list 192
    10 permit tcp 192.168.1.0 0.0.0.127 host 10.1.1.100 eq ftp
    20 permit tcp 192.168.1.0 0.0.0.127 host 10.1.1.100 eq ftp-data
    30 permit icmp any any echo
    40 permit icmp any any echo-reply
    50 permit icmp any any traceroute
    60 deny ip any any

1st problem:

When the ftp-client connects to the ftp-server, the server asks for a username and password, and when the client chooses a file to download, the server shows an error.

If I enter the following in ACL 192:

5 permit ip 192.168.1.0 0.0.0.127 host 10.1.1.100

the client can download files, but only in passive mode.

If I remove the ACL from interface Vlan192, the client can also download files only in passive mode.

What's wrong?

2nd problem:

The Cat 6506-E ACL counters don't increase correctly. In other words, if I connect to the ftp-server or simply ping, the ACL's counters don't increase, but the ACL is applied, so you can't tell whether the ACL has worked correctly or not. But if the ACL drops something, it increases the counter correctly.

What's up?

hoogen_82 Fri, 03/16/2007 - 02:53

Hmm.. your access-list says 192.168.1.0 0.0.0.127 but your vlan suggests 192.168.1.0/24 could you explain this?

And are your clients able to download once the ACL's are removed?

-Hoogen

kurenyshev Sun, 03/18/2007 - 20:15

Hmm.. your access-list says 192.168.1.0 0.0.0.127 but your vlan suggests 192.168.1.0/24 could you explain this?

It's for example.

And are your clients able to download once the ACL's are removed?

Yeah, they can download when the ACL is removed or when it permits IP instead of the ftp ports.

kurenyshev Sun, 03/18/2007 - 20:17

If the ACL contains:

permit ip 192.168.1.0 0.0.0.127 host 10.1.1.100

or the ACL is removed, then the client can download files only in passive mode. In other cases it doesn't work correctly.

Jon Marshall Wed, 03/21/2007 - 01:30

Hi

1) FTP not working with access-list. With passive ftp the server sends the client a random port number down the control channel. The client then initiates a connection to this port, but your access-list is not allowing this second connection on the random port.

If you were using a Pix it would be able to account for this with its fixup commands, but your access-list is not stateful.

So if you want to use passive then you need to do the following:

i) Deny all traffic to the ftp server from the 192.168.x.x subnet based on tcp and udp ports.

ii) Then allow IP between the 192.168.x.x subnet and your ftp server to account for the ftp traffic, as you don't know what random port will be used.

2) You won't see successful matches increment the acl counters on a 6500 as the 6500 does access-list matches in hardware. Not seeing the hits increase is normal for the 6500.

HTH

Jon
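To make the point about the stateless ACL concrete, here is an added example (not from the thread or from Cisco) that evaluates the poster's ACL 192 against the two client-to-server connections of a passive FTP session, first as posted and then with the "permit ip" entry at sequence 5. The PASV data port 50234 is a constructed value; the addresses are the ones from the thread.

```python
# Added example (not from the thread or from Cisco): evaluate the poster's
# ACL 192 against a passive-mode FTP session the way an IOS extended ACL does
# (first match wins, wildcard masks, implicit deny). ICMP entries 30-50 are
# left out because they can never match TCP.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

# Entries: (seq, action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
ANY = ("0.0.0.0", "255.255.255.255")
ACL_192 = [
    (10, "permit", "tcp", "192.168.1.0", "0.0.0.127", "10.1.1.100", "0.0.0.0", 21),
    (20, "permit", "tcp", "192.168.1.0", "0.0.0.127", "10.1.1.100", "0.0.0.0", 20),
    (60, "deny", "ip", *ANY, *ANY, None),
]
# The workaround the poster tried: 'permit ip' for the client subnet at seq 5.
ACL_192_WITH_PERMIT_IP = [
    (5, "permit", "ip", "192.168.1.0", "0.0.0.127", "10.1.1.100", "0.0.0.0", None)
] + ACL_192

def evaluate(acl, proto, src, dst, dst_port):
    """Return (seq, action) of the first matching entry, or (None, 'deny')."""
    for seq, action, p, sb, sw, db, dw, port in acl:
        if p not in ("ip", proto):
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if port is not None and port != dst_port:
            continue
        return seq, action
    return None, "deny"

# Client-to-server SYNs entering Vlan192 during a passive transfer: the control
# channel, then the data channel to the port the server announced in its PASV
# reply. Port 50234 is a constructed sample value.
PASSIVE_SESSION = [
    ("control", "tcp", "192.168.1.20", "10.1.1.100", 21),
    ("data (PASV)", "tcp", "192.168.1.20", "10.1.1.100", 50234),
]

def session_results(acl):
    """Map each connection of the session to the ACL entry that decides it."""
    return {name: evaluate(acl, proto, s, d, dp) for name, proto, s, d, dp in PASSIVE_SESSION}
```

Running session_results on the posted ACL shows the control channel permitted by entry 10 and the PASV data connection hitting entry 60; with the sequence-5 entry both are permitted, which is exactly the behaviour the poster reports.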

kurenyshev Wed, 03/21/2007 - 20:24

Thanks a lot!

Will I not see hits increase only on the 6506-E with SUP 32, or on all Cisco 6500 series?

My colleague has a 6509 with SUP 720 and its ACLs increase hits correctly.

Correct Answer
Jon Marshall Thu, 03/22/2007 - 00:51

Hi

It's not to do with the supervisor 32 or the supervisor 720. It's about how the 6500 process acl's. You will see counters increase but not for every packet.

Attached is a link to the relevant bit of the 6500 documentation. It explains how the 6500 process acl's and where they get processed ie. hardware or software.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html#wp1033602

Just to highlight the last point in the doc above

"When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware"

HTH

Jon
