I'm having what seems to be a pretty fundamental problem with ACLs on my switches. I was hoping someone could point me in the right direction. I'm running 6500s with HSRP and SVIs.
Basically, I can't get my ACLs to block the traffic I'm trying to block. I'm trying to limit telnet traffic to a couple of hosts and it's not working the way I expected. I apply the ACL using the interface config command, ip access-group 123 in.
I feel like I'm overlooking something obvious here. I tried troubleshooting using debug ip packet 123 detail. I even set up a similar environment on a test 3550 switch I have in my office and encountered the same result.
Could the problem have something to do with CEF and hardware switching? I thought the security ACLs were compiled into the TCAM. Does the switch need to punt to process switching in order to evaluate the ACLs?
ip access-list extended 123
permit tcp host 172.16.15.63 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.37 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.68 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.35 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.4 172.16.1.130 0.0.0.31 eq telnet
deny tcp any 172.16.1.130 0.0.0.31 eq telnet
permit ip any any
This would have to be applied to the 172.16.15.X SVI for this to work. Just think of "in" as going from a user on the 172.16.15 out to the other subnet. "Out" would be going out from the other subnet to a user on the 172.16.15.x network, in which case your syntax would have to change.
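To make the direction point concrete, here is an added Python model (not from the thread) of the ACL above: it applies Cisco wildcard-mask and first-match semantics, and shows which packets an SVI ACL applied "in" or "out" ever gets to evaluate. The SVI subnets 172.16.15.0/24 and 172.16.1.128/27 and the sample hosts are assumptions; note that 172.16.1.130 0.0.0.31 covers 172.16.1.128 through .159 (IOS stores the entry as 172.16.1.128).

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# The poster's ACL 123 as (action, src, src-wildcard, dst, dst-wildcard, dst-port).
# 'host X' is X 0.0.0.0, 'any' is 0.0.0.0 255.255.255.255, None = no port test.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_123 = [
    ("permit", "172.16.15.63", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "172.16.15.37", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "172.16.15.68", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "172.16.15.35", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "172.16.15.4", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("deny", *ANY, "172.16.1.130", "0.0.0.31", 23),
    ("permit", *ANY, *ANY, None),
]

def evaluate(acl, src: str, dst: str, dport: int) -> str:
    """First-match evaluation, plus the implicit deny at the end of every IOS ACL."""
    for action, sb, sw, db, dw, port in acl:
        if (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)
                and (port is None or port == dport)):
            return action
    return "deny"

def svi_verdict(acl, svi_subnet: str, direction: str, src: str, dst: str, dport: int) -> str:
    """An SVI ACL applied 'in' only sees packets entering from that VLAN (source in
    the SVI subnet); 'out' only sees packets leaving toward it (destination in the
    SVI subnet). Returns 'not evaluated' if the ACL never sees the packet."""
    net = ipaddress.ip_network(svi_subnet)
    endpoint = src if direction == "in" else dst
    if ipaddress.ip_address(endpoint) not in net:
        return "not evaluated"
    return evaluate(acl, src, dst, dport)

if __name__ == "__main__":
    # Constructed sample: a non-whitelisted user telnetting into the 172.16.1.128/27 block.
    pkt = ("172.16.15.100", "172.16.1.140", 23)
    print("in  on 172.16.15.0/24 SVI :", svi_verdict(ACL_123, "172.16.15.0/24", "in", *pkt))
    print("out on 172.16.15.0/24 SVI :", svi_verdict(ACL_123, "172.16.15.0/24", "out", *pkt))
    print("in  on 172.16.1.128/27 SVI:", svi_verdict(ACL_123, "172.16.1.128/27", "in", *pkt))
```

Only the first placement (ip access-group 123 in on the 172.16.15.x SVI) actually evaluates the telnet attempt; the other two never see it, so the deny line can never fire there.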