Problem with ACL 3560G not block all traffic

Unanswered Question
Nov 9th, 2007
Hi!


I have an SVI in my 3560G:


!
interface Vlan304
 ip address x.x.x.x 255.255.255.248 secondary
 ip address y.y.y.y 255.255.255.248 secondary
 ip address s.s.s.s 255.255.255.248 secondary
 ip address z.z.z.z 255.255.255.248
 ip access-group Vlan304-in in


and I block the network s.s.s.s/29:



sh ip access-lists Vlan304-in
Extended IP access list Vlan304-in
    deny ip s.s.s.s 0.0.0.7 any
    permit ip any any


I have seen in the statistics (NetFlow) that traffic from this subnet is still getting through. I have found out that it is UDP inquiries on destination port 5150.

I have changed access-list Vlan304-in:


sh ip access-lists Vlan304-in
Extended IP access list Vlan304-in
    deny tcp s.s.s.s 0.0.0.7 gt 0 any gt 0
    deny udp s.s.s.s 0.0.0.7 gt 0 any gt 0
    permit ip any any


and traffic from this subnet is stopped.


Why did the access list in the first case not block all traffic?


vkapoor5 Thu, 11/15/2007 - 07:18

To my knowledge the first ACL must work, because the first ACL statement will block all IP traffic for the segment. The problem might be the duplicate statement if you applied the first case and second case at the same time. Because the access list will take the exact match.
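Added example, not part of the original thread and not Cisco code: a small Python evaluator for the two ACLs above, to check on paper what each list should do before trusting what the switch reports. It substitutes the constructed documentation range 192.0.2.8/29 for the s.s.s.s/29 placeholder and 198.51.100.5 for an arbitrary destination; the packet samples are constructed. It runs both lists against the UDP/5150 traffic the poster saw and against an ICMP packet, which shows that both lists deny the UDP traffic on their first matching line, while the second list (TCP and UDP only) still permits other IP protocols from the subnet, a gap the original `deny ip` line did not have.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    sport_gt: Optional[int] = None  # "gt N" on the source port, if present
    dport_gt: Optional[int] = None  # "gt N" on the destination port, if present


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair to a network (contiguous wildcards only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard not supported: %s" % wildcard)
    prefix_len = 32 - w.bit_length()          # 0.0.0.7 -> 3 host bits -> /29
    return ipaddress.IPv4Network((addr, prefix_len), strict=False)


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def _parse_port(tokens: List[str]) -> Tuple[Optional[int], List[str]]:
    # Only the "gt N" operator from the thread is handled here.
    if tokens and tokens[0] == "gt":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_ace(line: str) -> Ace:
    """Parse one extended ACL entry in 'show ip access-lists' syntax."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_net, rest = _parse_addr(rest)
    sport_gt, rest = _parse_port(rest)
    dst_net, rest = _parse_addr(rest)
    dport_gt, rest = _parse_port(rest)
    return Ace(action, proto, src_net, dst_net, sport_gt, dport_gt)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in ace.src_net:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in ace.dst_net:
        return False
    if ace.sport_gt is not None and not pkt.sport > ace.sport_gt:
        return False
    if ace.dport_gt is not None and not pkt.dport > ace.dport_gt:
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation; returns (action, index of matching line) or implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# The two lists from the thread, with s.s.s.s/29 replaced by a constructed range.
ACL_FIRST = [parse_ace(l) for l in (
    "deny ip 192.0.2.8 0.0.0.7 any",
    "permit ip any any",
)]
ACL_SECOND = [parse_ace(l) for l in (
    "deny tcp 192.0.2.8 0.0.0.7 gt 0 any gt 0",
    "deny udp 192.0.2.8 0.0.0.7 gt 0 any gt 0",
    "permit ip any any",
)]

# Constructed samples: the UDP/5150 queries the poster saw, and an ICMP packet.
UDP_QUERY = Packet("192.0.2.10", "198.51.100.5", "udp", sport=40000, dport=5150)
ICMP_FROM_SUBNET = Packet("192.0.2.10", "198.51.100.5", "icmp")

if __name__ == "__main__":
    for name, acl in (("first", ACL_FIRST), ("second", ACL_SECOND)):
        print(name, "udp/5150:", evaluate(acl, UDP_QUERY), "icmp:", evaluate(acl, ICMP_FROM_SUBNET))
```

Both lists deny the UDP/5150 query, so the difference the poster observed is not explained by the ACL logic itself; a practitioner comparing the two should also notice that the second list leaves ICMP and other non-TCP/UDP traffic from the subnet permitted, which is a regression from the original `deny ip` line.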
