10-22-2007 10:17 PM - edited 03-05-2019 07:15 PM
Hi all!
I have a problem on a 3560G. I have 200 SVIs in my switch, and I have applied an access-list to SVI interface Vlan304. My SVI has 7 subnetworks. I want to block traffic from two of the subnetworks. I created this access-list:
ip access-list extended vlan304-in
 deny ip x.x.x.x 0.0.0.7 any
 deny ip y.y.y.y 0.0.0.7 any
 permit ip any any
!
interface Vlan304
 ip address q.q.q.q 255.255.255.248 secondary
 ip address x.x.x.x 255.255.255.248 secondary
 ip address w.w.w.w 255.255.255.248 secondary
 ip address v.v.v.v 255.255.255.248 secondary
 ip address y.y.y.y 255.255.255.248 secondary
 ip address t.t.t.t 255.255.255.248 secondary
 ip address s.s.s.s 255.255.255.248
 ip access-group vlan304-in in
sh ip access-lists vlan304-in
Extended IP access list vlan304-in
    10 deny ip x.x.x.x 0.0.0.7 any (873 matches)
    20 deny ip y.y.y.y 0.0.0.7 any (18539 matches)
    30 permit ip any any (7343 matches)
It looks OK, but traffic from these networks is still present. I don't understand...
Can anyone help me?
10-23-2007 03:51 AM
Not sure what you are asking here; it looks like it is working OK. You are getting hits on the deny statements for the 2 networks, and you are permitting everything else. How do you know traffic from those 2 networks is not being blocked?
10-23-2007 03:58 AM
I have this information from NetFlow on the core router.
10-23-2007 04:09 AM
Hello,
I guess the way you have set up your access-list is not correct. Since you are trying to block access to two subnetworks, I would suggest you go for the following format:
access-list 101 deny ip
Now if you apply this to the incoming interface of the SVI, it will check the condition that the destination is a specific subnet and block it at the source.
10-23-2007 04:45 AM
Sometimes the ACL drops packets. Traffic is present, but after 15:00 the traffic is absent. I think it may be high resource load on the switch. I don't know how to debug this problem.
10-23-2007 07:04 AM
That's pretty well what he did, isn't it? Except he wants to deny those subnets access to anything at all.
There are several ways the traffic could be getting round the access lists. Are there any other switches or routers on the (layer-2) VLAN? Could they be using those as a gateway instead?
Or maybe there is even one of those hosts connected to a port that isn't on that VLAN at all. It would still be able to source from those addresses, even if the routers wouldn't know where to send its replies. That sort of thing can be traced by tracking down the MAC address.
By the way, don't place too much confidence in the packet counts on the deny lines. I can recount my experience with a 4500 switch, where the access list also counted packets that were not addressed through the gateway but were supposed to be switched purely at layer 2 within the VLAN. Something to do with the ASIC design.
Kevin Dorrell
Luxembourg
10-24-2007 03:09 AM
> Are there any other switches or routers on the (layer-2) VLAN? Could they be using those as a gateway instead?
No
> Or maybe there is even one of those hosts connected to a port that isn't on that VLAN at all.
No
10-28-2007 11:33 PM
I have changed my access-list to this:
4 deny udp x.x.x.x 0.0.0.7 any eq 5150 log (63 matches)
10 deny ip y.y.y.y 0.0.0.7 any log
20 deny ip x.x.x.x 0.0.0.7 any log
30 permit ip any any (193 matches)
because if I use this ACL:
10 deny ip y.y.y.y 0.0.0.7 any log
20 deny ip x.x.x.x 0.0.0.7 any log
30 permit ip any any
it doesn't block UDP packets from x.x.x.x 0.0.0.7 to any remote port 5150.
I don't understand why this ACL:
10 deny ip y.y.y.y 0.0.0.7 any log
20 deny ip x.x.x.x 0.0.0.7 any log
30 permit ip any any
doesn't block this traffic (UDP remote port 5150). UDP remote port 5150 is ATMP (Ascend Tunnel Management Protocol).
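As an added example that is not from any of the posters above, the following Python script models IOS first-match evaluation for the subset of extended-ACL syntax that appears in this thread (address/wildcard pairs, `any`, `host`, a destination `eq` port, `log`, and the implicit deny at the end). It can be run over flow records in the style of the core-router NetFlow data mentioned earlier to list the flows the SVI ACL should have denied; any such flow that a downstream collector still sees did not traverse the interface the ACL is applied to. The subnets (10.30.4.0/29 for x.x.x.x, 10.30.4.8/29 for y.y.y.y), the flow records and all function and class names are constructed placeholders, not the poster's real addresses. Under these semantics a `deny ip` line already matches UDP to port 5150, so both the original three-line ACL and the changed ACL deny that flow in the model.

```python
"""First-match evaluator for the subset of Cisco IOS extended-ACL syntax
used in this thread (added example, not from the original posts)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

IP_PROTOCOLS = ("ip", "icmp", "tcp", "udp")


@dataclass(frozen=True)
class Match:
    """Address/wildcard pair; 1 bits in the wildcard are 'don't care'."""
    addr: int
    wild: int

    def covers(self, ip: str) -> bool:
        return (int(IPv4Address(ip)) & ~self.wild) == (self.addr & ~self.wild)


ANY = Match(0, 0xFFFFFFFF)  # the 'any' keyword


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str               # 'permit' or 'deny'
    proto: str                # 'ip' matches every IP protocol, as in IOS
    src: Match
    dst: Match
    dst_port: Optional[int]   # only 'eq N' on the destination is modelled
    log: bool


@dataclass(frozen=True)
class Flow:
    """One flow record, e.g. from a NetFlow export (constructed for the demo)."""
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def _parse_match(tokens: List[str], i: int) -> Tuple[Match, int]:
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return Match(int(IPv4Address(tokens[i + 1])), 0), i + 2
    addr, wild = int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))
    # IOS keeps only the network part: 'x.x.x.5 0.0.0.7' is stored as 'x.x.x.0 0.0.0.7'
    return Match(addr & ~wild & 0xFFFFFFFF, wild), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'show ip access-lists' line; '(N matches)' counters are ignored."""
    tokens = line.split("(")[0].split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    if action not in ("permit", "deny") or proto not in IP_PROTOCOLS:
        raise ValueError(f"unsupported ACE: {line!r}")
    src, i = _parse_match(tokens, 3)
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "range"):
        raise ValueError("source-port operators are not modelled here")
    dst, i = _parse_match(tokens, i)
    dst_port, log = None, False
    while i < len(tokens):
        if tokens[i] == "eq":
            dst_port, i = int(tokens[i + 1]), i + 2
        elif tokens[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported keyword {tokens[i]!r} in {line!r}")
    return Ace(seq, action, proto, src, dst, dst_port, log)


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[Optional[int], str]:
    """Return (sequence number, action) of the first ACE that matches the flow.
    Every IOS ACL ends with an implicit deny, reported here as (None, 'deny')."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if not (ace.src.covers(flow.src) and ace.dst.covers(flow.dst)):
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        return ace.seq, ace.action
    return None, "deny"


def flows_acl_should_deny(acl: List[Ace], flows: List[Flow]) -> List[Flow]:
    """Flows the ACL denies. If a downstream NetFlow collector still sees them,
    they did not pass through the interface the ACL is applied to."""
    return [f for f in flows if evaluate(acl, f)[1] == "deny"]


# Constructed stand-ins for the thread's x.x.x.x (10.30.4.0/29) and
# y.y.y.y (10.30.4.8/29) secondary subnets; not the poster's real addresses.
ACL_ORIGINAL = [parse_ace(l) for l in (
    "10 deny ip 10.30.4.0 0.0.0.7 any (873 matches)",
    "20 deny ip 10.30.4.8 0.0.0.7 any (18539 matches)",
    "30 permit ip any any (7343 matches)",
)]
ACL_CHANGED = [parse_ace(l) for l in (
    "4 deny udp 10.30.4.0 0.0.0.7 any eq 5150 log",
    "10 deny ip 10.30.4.8 0.0.0.7 any log",
    "20 deny ip 10.30.4.0 0.0.0.7 any log",
    "30 permit ip any any",
)]
SAMPLE_FLOWS = [  # constructed records in the style of a core-router NetFlow export
    Flow("10.30.4.3", "192.0.2.10", "udp", 5150),   # ATMP from subnet x
    Flow("10.30.4.11", "192.0.2.20", "tcp", 443),   # HTTPS from subnet y
    Flow("10.30.4.19", "192.0.2.30", "udp", 53),    # DNS from a third, permitted subnet
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, evaluate(ACL_ORIGINAL, flow), evaluate(ACL_CHANGED, flow))
```

Feed real exported flows (source, destination, protocol, destination port) into `flows_acl_should_deny` with the ACL copied from `show ip access-lists`; the hit counters in that output are tolerated by the parser. Anything the model denies but the collector still reports is a candidate for the bypass paths discussed above (another gateway on the VLAN, or a host sourcing those addresses from a port outside the VLAN).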