access-list problem 3560G SVI

zaikini_23
Level 1

Hi all!

I have a problem on a 3560G. I have 200 SVIs in my switch, and I have applied an access-list to SVI interface Vlan304. This SVI has 7 subnetworks. I want to block traffic from two of the subnetworks. I created this access-list:

ip access-list extended vlan304-in
 deny ip x.x.x.x 0.0.0.7 any
 deny ip y.y.y.y 0.0.0.7 any
 permit ip any any
!
interface Vlan304
 ip address q.q.q.q 255.255.255.248 secondary
 ip address x.x.x.x 255.255.255.248 secondary
 ip address w.w.w.w 255.255.255.248 secondary
 ip address v.v.v.v 255.255.255.248 secondary
 ip address y.y.y.y 255.255.255.248 secondary
 ip address t.t.t.t 255.255.255.248 secondary
 ip address s.s.s.s 255.255.255.248
 ip access-group vlan304-in in

sh ip access-lists vlan304-in
Extended IP access list vlan304-in
    10 deny ip x.x.x.x 0.0.0.7 any (873 matches)
    20 deny ip y.y.y.y 0.0.0.7 any (18539 matches)
    30 permit ip any any (7343 matches)

It looks OK, but traffic from these networks is still present. I don't understand...

Can anyone help me?

7 Replies

glen.grant
VIP Alumni

Not sure what you are asking here; it looks like it is working OK. You are getting hits on the deny statements for the 2 networks and you are permitting everything else. How do you know traffic from those 2 networks is not being blocked???

I have NetFlow information from the core router.

Nagaraja Thanthry
Cisco Employee

Hello,

I guess the way you have set up your access-list is not correct. Since you are trying to block access to two subnetworks, I would suggest you go for the following format:

access-list 101 deny ip

Now if you apply this to the incoming interface of the SVI, it will check the condition that the destination is a specific subnet and block it at source.

Sometimes the ACL does drop packets. Traffic is present, but after 15:00 the traffic is absent. I think it may be high resource load on the switch. I don't know how to debug this problem.

That's pretty well what he did, isn't it? Except he wants to deny those subnets access to anything at all.

There are several ways the traffic could be getting round the access lists. Are there any other switches or routers on the (layer-2) VLAN? Could they be using those as a gateway instead?

Or maybe even there is one of those hosts that is connected to a port that isn't on that VLAN at all. He would still be able to source from those addresses, even if the routers wouldn't know where to send his replies. That sort of thing can be traced by tracking down the MAC address.

By the way, don't place too much confidence in the packet counts on the deny lines. I can recount my experience with a 4500 switch that the access list also counts packets that were not addressed through the gateway, but which were supposed to be switched purely at layer-2 within the VLAN. Something to do with the ASIC design.

Kevin Dorrell

Luxembourg

> Are there any other switches or routers on the (layer-2) VLAN? Could they be using those as a gateway instead?

No

> Or maybe even there is one of those hosts that is connected to a port that isn't on that VLAN at all.

No

I have changed my access-list:

4 deny udp x.x.x.x 0.0.0.7 any eq 5150 log (63 matches)
10 deny ip y.y.y.y 0.0.0.7 any log
20 deny ip x.x.x.x 0.0.0.7 any log
30 permit ip any any (193 matches)

because if I use this ACL:

10 deny ip y.y.y.y 0.0.0.7 any log
20 deny ip x.x.x.x 0.0.0.7 any log
30 permit ip any any

it does not block UDP packets from x.x.x.x 0.0.0.7 to any remote port 5150.

I don't understand why this ACL:

10 deny ip y.y.y.y 0.0.0.7 any log
20 deny ip x.x.x.x 0.0.0.7 any log
30 permit ip any any

doesn't block this traffic (UDP remote port 5150). UDP remote port 5150 is ATMP (Ascend Tunnel Management Protocol).
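Added example, not code from the thread, from Cisco, or from any poster, serving both the original question (traffic counted as denied still showing up in the core router's NetFlow) and the follow-up about UDP port 5150: a small Python ACL simulator that parses `show ip access-lists` output, applies Cisco wildcard-mask matching and first-match semantics with the implicit deny at the end, and runs constructed NetFlow-style records through both ACL versions. The RFC 5737 addresses standing in for x.x.x.x and y.y.y.y, the sample flows, and every function name are assumptions of this example. It shows that, by ACL logic alone, `deny ip x.x.x.x 0.0.0.7 any` already covers UDP 5150 (the `ip` keyword matches every IP protocol), so flows that still reach the core must have got there without traversing this SVI's inbound ACL, which is exactly what the questions about another gateway or a port outside the VLAN are probing.

```python
"""ACL simulator: Cisco wildcard-mask matching with first-match semantics,
used to reconcile 'show ip access-lists' output against NetFlow records.
Example code, not from the thread; addresses and flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder addressing (RFC 5737). The thread masks its real
# addresses as x.x.x.x / y.y.y.y; these /29s stand in for them (assumption).
X_NET = "192.0.2.8"    # stands in for x.x.x.x 0.0.0.7
Y_NET = "192.0.2.16"   # stands in for y.y.y.y 0.0.0.7

# The two ACL variants from the thread, as 'show ip access-lists' prints them.
ACL_ORIGINAL = f"""Extended IP access list vlan304-in
    10 deny ip {X_NET} 0.0.0.7 any (873 matches)
    20 deny ip {Y_NET} 0.0.0.7 any (18539 matches)
    30 permit ip any any (7343 matches)
"""
ACL_REVISED = f"""Extended IP access list vlan304-in
    4 deny udp {X_NET} 0.0.0.7 any eq 5150 log (63 matches)
    10 deny ip {Y_NET} 0.0.0.7 any log
    20 deny ip {X_NET} 0.0.0.7 any log
    30 permit ip any any (193 matches)
"""


@dataclass
class Ace:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int]   # destination port from 'eq N', if present


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_spec(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Consume 'any' | 'host A' | 'A W' and return (base, wildcard, next_index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse ACEs out of 'show ip access-lists' output. Only the destination
    'eq N' port form is modelled (the forms used in the thread); the 'log'
    keyword and the '(N matches)' counter are ignored."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or not t[0].isdigit():
            continue  # header line, blank line, or a form we do not model
        src, src_wc, i = _addr_spec(t, 3)
        dst, dst_wc, i = _addr_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(int(t[0]), t[1], t[2], src, src_wc, dst, dst_wc, dport))
    return sorted(aces, key=lambda a: a.seq)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False  # 'ip' covers every IP protocol, udp included
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return (wildcard_match(flow.src, ace.src, ace.src_wc)
            and wildcard_match(flow.dst, ace.dst, ace.dst_wc))


def evaluate(aces: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace.action, ace.seq
    return "deny", None


# Constructed NetFlow-style records as a core router might export them for
# traffic that originated in VLAN 304. Not data from the thread.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.7", "udp", 5150),  # x subnet -> ATMP, must be denied
    Flow("192.0.2.20", "203.0.113.7", "tcp", 443),   # y subnet, must be denied
    Flow("192.0.2.30", "203.0.113.7", "tcp", 22),    # another secondary subnet, permitted
]


def leaked_flows(acl_text: str, flows: List[Flow]) -> List[Flow]:
    """Flows this ACL would deny. If NetFlow still shows them beyond the SVI,
    they did not traverse this ACL (other gateway, other ingress, L2 bypass)."""
    aces = parse_acl(acl_text)
    return [f for f in flows if evaluate(aces, f)[0] == "deny"]


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("revised", ACL_REVISED)):
        aces = parse_acl(acl)
        for f in SAMPLE_FLOWS:
            print(name, f, "->", evaluate(aces, f))
```

Feed `leaked_flows` the real exported records (after mapping the masked addresses back) and anything it returns that the core router nevertheless saw is a packet that never entered through `interface Vlan304`, so the next step is tracing its source MAC rather than rewriting the ACL.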
