implicit denied packets do not dropped but permitted on Cat 3750

snakayama · ‎05-15-2008

Hi everyone,

I have the problem of the access-list on Catalyst 3750 12.2(35)SE5.

The problem is that implicit denied packets do not dropped but permitted.

Configured access-list statements are as follows,

----------

interface Vlan135

ip address 172.29.175.1 255.255.255.0

ip access-group TESTACL in

ip access-list extended TESTACL

permit ip any 172.29.172.0 0.0.0.255

permit ip any 172.29.174.0 0.0.0.255

permit ip any 172.29.175.0 0.0.0.255

permit ip any 192.84.172.0 0.0.0.255

permit ip any 172.29.173.0 0.0.0.255

permit ip any 172.57.146.0 0.0.0.255

permit ip any 172.2.200.0 0.0.0.255

permit ip any 172.2.202.0 0.0.0.255

permit ip any 172.2.203.0 0.0.0.255

permit ip any 172.75.132.0 0.0.0.255

permit ip any 172.35.75.0 0.0.0.255

permit ip any 172.88.132.0 0.0.3.255

----------

In this configuration, PCs are connecting Vlan 135 send ping to server on another Vlan.

The result of ping are as follows,

Case 1: ping from PC on Vlan 135 to another Vlan

From 172.29.175.84 to 172.64.51.100

ping is denied and result in ping is unreachable.

it is normal behavior, in other words, access-list works correctly.

Case 2: ping from PC on Vlan 135 to another Vlan

From 172.29.175.116 to 172.64.51.100

ping is permitted and result in ping is OK.

it is abnormal behavior, in other words, access-list works incorrectly.

I understand IOS applied "implicit deny all" at the end of ACL, so I do not need to configure it explicitly as "deny ip any any".

Do you have any idea to resolve this symptom ?

This symptom might be caused by the problem of TCAM ? If so, could you please let me know useful command for further investigation ?

Your information would be appreciated.

Shin

ariela · ‎05-15-2008

Uhmm ...

In my undestanding, case 1 is abnormal, and case 2 is normal, is it?

So, do you have just one link, and one path from 172.29.175.0 to 172.64.51.0? Have you tryed a traceroute? the ping is denied always on the same workstation? have you tryed an extended acl instead of standard?

Let me know

Regards

Andrea

Jon Marshall · ‎05-15-2008

Shin

I agree with Andrea, case 1 is what you would expect and case 2 is abnormal.

Case 1 proves that you have an implicit deny at the end of your access-list and that it is working. Remember that inbound on a vlan interface means traffic coming from hosts on the vlan destined for hosts on other vlans.

So it is the "any" in your access-list lines that matches the source IP addresses of 172.29.175.x.

Are you definitely using the same destination address ie. 172.64.51.100 for both ping tests ?

Jon

snakayama · ‎05-15-2008

Andrea and Jon,

Thank you very much for your reply.

First of all, this symptom has been occurred on customer site not in my lab.

So unfortunately I can not gather information from Catalyst 3750 now.

I answer your question.

About Andrea's question:

Q: In my understanding, case 1 is abnormal, and case 2 is normal, is it?

A: In "ip access-list extended TESTACL", source of permitted traffic are all "any" and destination of permitted traffic are

172.29.172.0/24

172.29.174.0/24

172.29.175.0/24

192.84.172.0/24

172.29.173.0/24

172.57.146.0/24

172.2.200.0/24

172.2.202.0/24

172.2.203.0/24

172.75.132.0/24

172.35.75.0/24

172.88.132.0/24

and, "TESTACL" is configured inbound direction on Vlan 135.

Case 1's and case 2's destination address 172.64.51.100 is not included as permitted destination address.

So I think case 1 is normal and case 2 is abnormal.

Q: do you have just one link, and one path from 172.29.175.0 to 172.64.51.0?

A: Yes.

Q: Have you tryed a traceroute?

A: Traceroute on case 2 (tarceroute from 172.29.175.116 to 172.64.51.100) is denied, I do not know why, but traceroute correctly denied by access-list.

Q: the ping is denied always on the same workstation?

A: Yes.

Q: have you tryed an extended acl instead of standard?

A: Now I use extended acl not standard.

Jon's question:

Q: Are youy definitely using the same destination address ie. 172.64.51.100 for both ping tests ?

A: Yes.

Regards,

Jon Marshall · ‎05-16-2008

Shin

Have you checked the actual PC's themselves to make sure that

1) they both have the correct subnet mask/default-gateway

2) they are not running some kind of firewall that would block any return packets.

Jon

snakayama · ‎05-16-2008

Jon,

Thank you very much for your reply.

I will check it next week at the customer site. However customer said that the configuration of PC is fine...

Do you have any idea about the commands to gather information from Cat 3750 to resolve this symptom ?

Regards,

Shinichi

Jon Marshall · ‎05-16-2008

Shinichi

Well it's not obvious at the moment that the 3750 is the problem. Before delving too deeply i would add the "log" keyword in your access-lists and an explicit "deny ip any any log" at the end of the access-list to make sure that you have a problem with the switch rather than the client PC's.

Jon

snakayama · ‎05-16-2008

Jon,

OK, I understand you said.

I will try to add "log" keyword to confirm what packets hit permit and deny.

Thank you very much for your suggestion.

Regards,

Shin