Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
434
Views
0
Helpful
4
Replies

Problems getting ACLs to work on Cisco 6500 switch

Go to solution
garcia
Level 1
Level 1

‎06-13-2007 11:38 AM - edited ‎03-05-2019 04:42 PM

I?m having what seems to be a pretty fundamental problem with ACLs on my switches. I was hoping someone could point me in the right direction. I?m running 6500s with HSRP and SVIs.

Basically, I can?t get my ACLs to block the traffic I?m trying to block. I?m trying to limit telnet traffic to a couple of hosts and it?s not working the way I expected. I apply the ACL using the interface config command, ip access-group 123 in.

I feel like I?m overlooking something obvious here. I tried troubleshooting using, debug ip packet 123 detail. I even setup a similar environment on a test 3550 switch I have in my office and encountered the same result.

Could the problem have something to do with CEF and hardware switching? I thought the security ACLs were compiled into the TCAM. Does the switch need to punt to process switching in order to evaluate the ACLs?

Ip access-list extended 123

permit tcp host 172.16.15.63 172.16.1.130 0.0.0.31 eq telnet

permit tcp host 172.16.15.37 172.16.1.130 0.0.0.31 eq telnet

permit tcp host 172.16.15.68 172.16.1.130 0.0.0.31 eq telnet

permit tcp host 172.16.15.35 172.16.1.130 0.0.0.31 eq telnet

permit tcp host 172.16.15.4 172.16.1.130 0.0.0.31 eq telnet

deny tcp any 172.16.1.130 0.0.0.31 eq telnet

permit ip any any

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
glen.grant
VIP Alumni
VIP Alumni
In response to garcia

‎06-13-2007 01:47 PM

This would have to be applied to the 172.16.15.X SVI for this to work . Just think of in as going from a user on the 172.16.15 out to the other subnet . Out would be going out from the other subnet to a user on the 172.16.15.x network in which case your syntax would have to change.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
glen.grant
VIP Alumni
VIP Alumni

‎06-13-2007 01:31 PM

How do you have it applied on the interfaces?

0 Helpful

Go to solution
garcia
Level 1
Level 1
In response to glen.grant

‎06-13-2007 01:35 PM

applied as:

ip access-group 123 in

Is the logic counter-intuitive? It seems like it may work if I change it to ip access-group 123 out. To me, it seems like we're evaluating traffic going IN to VLAN1. Am I missing something here?

0 Helpful

Go to solution
glen.grant
VIP Alumni
VIP Alumni
In response to garcia

‎06-13-2007 01:47 PM

This would have to be applied to the 172.16.15.X SVI for this to work . Just think of in as going from a user on the 172.16.15 out to the other subnet . Out would be going out from the other subnet to a user on the 172.16.15.x network in which case your syntax would have to change.

0 Helpful

Go to solution
garcia
Level 1
Level 1
In response to glen.grant

‎06-13-2007 01:58 PM

Makes sense to me now. You have solved my problem. Thank you so much.

So, basically I need to look at it from the perspective of the switch rather than the traffic-flow perspective.

So, how do I award you points?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card