06-13-2007 11:38 AM - edited 03-05-2019 04:42 PM
I'm having what seems to be a pretty fundamental problem with ACLs on my switches. I was hoping someone could point me in the right direction. I'm running 6500s with HSRP and SVIs.
Basically, I can't get my ACLs to block the traffic I'm trying to block. I'm trying to limit telnet traffic to a couple of hosts and it's not working the way I expected. I apply the ACL using the interface config command, ip access-group 123 in.
I feel like I'm overlooking something obvious here. I tried troubleshooting using, debug ip packet 123 detail. I even setup a similar environment on a test 3550 switch I have in my office and encountered the same result.
Could the problem have something to do with CEF and hardware switching? I thought the security ACLs were compiled into the TCAM. Does the switch need to punt to process switching in order to evaluate the ACLs?
ip access-list extended 123
permit tcp host 172.16.15.63 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.37 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.68 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.35 172.16.1.130 0.0.0.31 eq telnet
permit tcp host 172.16.15.4 172.16.1.130 0.0.0.31 eq telnet
deny tcp any 172.16.1.130 0.0.0.31 eq telnet
permit ip any any
06-13-2007 01:47 PM
This would have to be applied to the 172.16.15.X SVI for this to work. Just think of in as going from a user on the 172.16.15 out to the other subnet. Out would be going out from the other subnet to a user on the 172.16.15.x network in which case your syntax would have to change.
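To make the in/out placement concrete, here is a small Python model of the switch's view (an added example, not code from the thread or from Cisco). It reuses ACL 123 exactly as posted; the SVI names Vlan15 and Vlan1 and their /24 subnets are assumptions chosen to match the addresses in the question. The model shows that a telnet packet from a 172.16.15.x user to 172.16.1.128/27 enters on the Vlan15 SVI, so an ACL bound "in" on Vlan1 is never consulted for it, while the same ACL bound "in" on Vlan15 drops it.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport proto")
ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any': all-ones wildcard matches everything

# ACL 123 from the post as (action, proto, src, src_wildcard, dst, dst_wildcard, dst_port)
ACL_123 = [
    ("permit", "tcp", "172.16.15.63", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "tcp", "172.16.15.37", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "tcp", "172.16.15.68", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "tcp", "172.16.15.35", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("permit", "tcp", "172.16.15.4", "0.0.0.0", "172.16.1.130", "0.0.0.31", 23),
    ("deny", "tcp", *ANY, "172.16.1.130", "0.0.0.31", 23),
    ("permit", "ip", *ANY, *ANY, None),
]

def wildcard_match(addr, base, wild):
    """IOS wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wild))
    return int(ipaddress.ip_address(addr)) & care == int(ipaddress.ip_address(base)) & care

def acl_action(acl, pkt):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, s, sw, d, dw, port in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw)):
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"

# Constructed SVIs matching the thread: users live on Vlan15, telnet targets on Vlan1
SVIS = {"Vlan15": ipaddress.ip_network("172.16.15.0/24"),
        "Vlan1": ipaddress.ip_network("172.16.1.0/24")}

def forward(pkt, bindings):
    """Route pkt between SVIs; bindings maps (svi, 'in'|'out') -> acl. From the
    switch's view 'in' is the SVI of the source subnet, 'out' that of the destination."""
    ingress = next(n for n, net in SVIS.items() if ipaddress.ip_address(pkt.src) in net)
    egress = next(n for n, net in SVIS.items() if ipaddress.ip_address(pkt.dst) in net)
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl is not None and acl_action(acl, pkt) == "deny":
            return "dropped by %s %s" % (svi, direction)
    return "forwarded"
```

Running `forward(Packet("172.16.15.5", "172.16.1.130", 23, "tcp"), {("Vlan1", "in"): ACL_123})` returns "forwarded" (the poster's placement), whereas binding the same ACL to ("Vlan15", "in") returns "dropped by Vlan15 in".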
06-13-2007 01:31 PM
How do you have it applied on the interfaces?
06-13-2007 01:35 PM
applied as:
ip access-group 123 in
Is the logic counter-intuitive? It seems like it may work if I change it to ip access-group 123 out. To me, it seems like we're evaluating traffic going IN to VLAN1. Am I missing something here?
06-13-2007 01:58 PM
Makes sense to me now. You have solved my problem. Thank you so much.
So, basically I need to look at it from the perspective of the switch rather than the traffic-flow perspective.
So, how do I award you points?