03-16-2007 02:10 AM
Hi! This forum is my last hope to get replies for my questions.
I have a Catalyst 6506-E:
Mod  Ports  Card Type                              Model
1    48     48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
2    48     48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX
3    3      Network Analysis Module                WS-SVC-NAM-1
5    9      Supervisor Engine 32 8GE (Active)      WS-SUP32-GE-3B
6    9      Supervisor Engine 32 8GE (Hot)         WS-SUP32-GE-3B
I have a network 192.168.1.0/24 (VLAN 192) and another network 10.1.1.0/24 (VLAN 10):
192.168.1.20 - ftp-client
10.1.1.100 - ftp-server
Problem:
The Cat 65 has interfaces Vlan192 and Vlan10:
interface Vlan192
 ip address 192.168.1.1 255.255.255.0
 ip access-group 192 in
interface Vlan10
 ip address 10.1.1.0 255.255.255.0
Extended IP access list 192
    10 permit tcp 192.168.1.0 0.0.0.127 host 10.1.1.100 eq ftp
    20 permit tcp 192.168.1.0 0.0.0.127 host 10.1.1.100 eq ftp-data
    30 permit icmp any any echo
    40 permit icmp any any echo-reply
    50 permit icmp any any traceroute
    60 deny ip any any
1st problem:
When the ftp-client connects to the ftp-server, the server asks for a username and password, and when the client chooses a file to download, the server shows an error.
If I enter the following in ACL 192:
5 permit ip 192.168.1.0 0.0.0.127 host 10.1.1.100
client can download files only in passive mode.
If I remove ACL from interface VLAN 192 client also can download files only in passive mode.
What's wrong ?
2nd problem:
The Cat 6506-E's ACL counters don't increase correctly. In other words, if I connect to the ftp-server or simply ping, the ACL's counters don't increase, but the ACL is applied. So you can't tell whether the ACL has worked correctly or not. But if the ACL drops something, it increases the counter correctly.
What's up?
03-16-2007 02:53 AM
Hmm.. your access-list says 192.168.1.0 0.0.0.127 but your vlan suggests 192.168.1.0/24 could you explain this?
And are your clients able to download once the ACLs are removed?
-Hoogen
03-18-2007 08:15 PM
Hmm.. your access-list says 192.168.1.0 0.0.0.127 but your vlan suggests 192.168.1.0/24 could you explain this?
It's for example.
And are your clients able to download once the ACLs are removed?
Yeah, they can download when the ACL is removed or when it permits IP instead of the FTP ports.
03-18-2007 08:17 PM
if ACL contains:
permit ip 192.168.1.0 0.0.0.127 host 10.1.1.100
or the ACL is removed, then the client can download files only in passive mode. In other cases it doesn't work correctly.
03-20-2007 09:04 PM
I'm sorry, but really, does nobody know what is wrong?
03-21-2007 01:30 AM
Hi
1) FTP not working with the access-list. With passive FTP the server sends the client a random port number down the control channel. The client then initiates a connection to this port, but your access-list is not allowing this second connection on the random port.
If you were using a PIX it would be able to account for this with its fixup commands, but your access-list is not stateful.
So if you want to use passive then you need to do the following:
i) Deny all traffic to the ftp server from the 192.168.x.x subnet based on tcp and udp ports.
ii) Then allow IP between 192.168.x.x subnet and your ftp server to account for the ftp traffic as you don't know what random port will be used.
2) You won't see successful matches increment the acl counters on a 6500 as the 6500 does access-list matches in hardware. Not seeing the hits increase is normal for the 6500.
HTH
Jon
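To make the point in Jon's answer concrete, here is an added example (not code from the thread or from Cisco) that evaluates the OP's ACL 192 the way a stateless inbound ACL on Vlan192 does: one packet at a time, first match wins, no memory of the control channel. It feeds the evaluator the client-to-server packets of one FTP session in active and passive mode, then the same session against Jon's "deny the ports you care about, then permit ip" workaround. The client ephemeral ports, the PASV port 42000, and the ports denied in the workaround ACL (22, 23, 161) are all my assumptions; the thread names none of them.

```python
"""Stateless ACL evaluation of FTP control and data flows.

Constructed example, not from the original thread. Models the OP's extended
ACL 192 applied inbound on Vlan192, so only client -> server packets are
evaluated, which is exactly what the switch sees on that interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[str, str]      # (address, wildcard mask); ("any", "") matches everything
PortRange = Tuple[int, int]     # inclusive; eq 21 -> (21, 21), gt 1023 -> (1024, 65535)


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ip"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[PortRange] = None
    icmp_type: Optional[str] = None


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    base, wild = spec
    if base == "any":
        return True
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, int]:
    """First matching ACE wins; returns (action, sequence). Sequence 0 = implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and not (ace.dport[0] <= pkt.dport <= ace.dport[1]):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, ace.seq
    return "deny", 0


SUBNET: AddrSpec = ("192.168.1.0", "0.0.0.127")   # as posted: covers .0-.127 only, not the /24
FTP_SERVER: AddrSpec = ("10.1.1.100", "0.0.0.0")
ANY: AddrSpec = ("any", "")

# The OP's ACL 192 exactly as posted in the thread.
ACL_192 = [
    Ace(10, "permit", "tcp", SUBNET, FTP_SERVER, (21, 21)),      # eq ftp
    Ace(20, "permit", "tcp", SUBNET, FTP_SERVER, (20, 20)),      # eq ftp-data
    Ace(30, "permit", "icmp", ANY, ANY, icmp_type="echo"),
    Ace(40, "permit", "icmp", ANY, ANY, icmp_type="echo-reply"),
    Ace(50, "permit", "icmp", ANY, ANY, icmp_type="traceroute"),
    Ace(60, "deny", "ip", ANY, ANY),
]

# Jon's workaround: explicit denies for ports you do not want reachable on the
# server (the ports chosen here are my assumption; the thread names none), then
# permit ip so the unpredictable passive data port gets through.
ACL_192_PASV = [
    Ace(10, "deny", "tcp", SUBNET, FTP_SERVER, (22, 23)),        # ssh, telnet
    Ace(20, "deny", "udp", SUBNET, FTP_SERVER, (161, 161)),      # snmp
    Ace(30, "permit", "ip", SUBNET, FTP_SERVER),
    Ace(40, "permit", "icmp", ANY, ANY, icmp_type="echo"),
    Ace(50, "permit", "icmp", ANY, ANY, icmp_type="echo-reply"),
    Ace(60, "permit", "icmp", ANY, ANY, icmp_type="traceroute"),
    Ace(70, "deny", "ip", ANY, ANY),
]


def ftp_flows(client: str = "192.168.1.20", server: str = "10.1.1.100",
              pasv_port: int = 42000) -> Dict[str, Packet]:
    """Client -> server packets of one FTP session (ephemeral and PASV ports are assumed)."""
    return {
        # Control channel: client connects to server port 21.
        "control": Packet("tcp", client, server, 50000, 21),
        # Active mode: the server opens server:20 -> client; the client's replies
        # enter Vlan192 as client -> server:20, which ACE 20 (ftp-data) covers.
        "active_data": Packet("tcp", client, server, 50001, 20),
        # Passive mode: the server announces pasv_port on the control channel and
        # the client connects to it; a stateless ACL knows nothing about that port.
        "passive_data": Packet("tcp", client, server, 50002, pasv_port),
        # Not FTP at all, to show what a bare 'permit ip' would let through.
        "telnet": Packet("tcp", client, server, 50003, 23),
    }


def run(acl: List[Ace], flows: Dict[str, Packet]) -> Dict[str, Tuple[str, int]]:
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 192 as posted", ACL_192), ("ACL 192 with permit ip workaround", ACL_192_PASV)):
        print(label)
        for name, (action, seq) in run(acl, ftp_flows()).items():
            print(f"  {name:13s} -> {action} (seq {seq})")
    # Hoogen's point: 0.0.0.127 covers 192.168.1.0-127 only, so a client at .200
    # never matches ACE 10 and falls through to the final deny.
    print("client .200 control ->", evaluate(ACL_192, ftp_flows(client="192.168.1.200")["control"]))
```

Run it and the posted ACL permits the control channel (ACE 10) and the client's side of an active-mode data transfer (ACE 20), but drops the passive data connection on ACE 60 because its destination port is only known after the PASV reply. With the workaround ACL the passive flow passes on the `permit ip` line; the explicit denies in front of it are what keep that line from also exposing telnet, SSH and SNMP on the server, which is the caveat to keep in mind before copying `permit ip` into production.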
03-21-2007 08:24 PM
Thanks a lot!
Will I not see hits increase only on the 6506-E with SUP 32, or on all Cisco 6500 series?
My colleague has a 6509 with SUP 720 and its ACLs increase hits correctly.
03-22-2007 12:51 AM
Hi
It's not to do with the Supervisor 32 or the Supervisor 720. It's about how the 6500 processes ACLs. You will see counters increase, but not for every packet.
Attached is a link to the relevant bit of the 6500 documentation. It explains how the 6500 processes ACLs and where they get processed, i.e. hardware or software.
Just to highlight the last point in the doc above
"When you enter the show ip access-list command, the match count displayed does not include packets processed in hardware"
HTH
Jon
03-22-2007 07:05 PM
Thank you for such a detailed answer.