05-15-2008 11:18 PM - edited 03-05-2019 11:01 PM
Hi everyone,
I have a problem with an access-list on a Catalyst 3750 running 12.2(35)SE5.
The problem is that implicitly denied packets are not dropped but permitted.
The configured access-list statements are as follows:
----------
interface Vlan135
ip address 172.29.175.1 255.255.255.0
ip access-group TESTACL in
ip access-list extended TESTACL
permit ip any 172.29.172.0 0.0.0.255
permit ip any 172.29.174.0 0.0.0.255
permit ip any 172.29.175.0 0.0.0.255
permit ip any 192.84.172.0 0.0.0.255
permit ip any 172.29.173.0 0.0.0.255
permit ip any 172.57.146.0 0.0.0.255
permit ip any 172.2.200.0 0.0.0.255
permit ip any 172.2.202.0 0.0.0.255
permit ip any 172.2.203.0 0.0.0.255
permit ip any 172.75.132.0 0.0.0.255
permit ip any 172.35.75.0 0.0.0.255
permit ip any 172.88.132.0 0.0.3.255
----------
In this configuration, PCs connected to Vlan 135 send pings to a server on another Vlan.
The results of the pings are as follows:
Case 1: ping from PC on Vlan 135 to another Vlan
From 172.29.175.84 to 172.64.51.100
The ping is denied and the ping result is unreachable.
This is normal behavior; in other words, the access-list works correctly.
Case 2: ping from PC on Vlan 135 to another Vlan
From 172.29.175.116 to 172.64.51.100
The ping is permitted and the ping result is OK.
This is abnormal behavior; in other words, the access-list works incorrectly.
I understand that IOS applies an "implicit deny all" at the end of the ACL, so I do not need to configure it explicitly as "deny ip any any".
Do you have any idea how to resolve this symptom?
Might this symptom be caused by a problem with the TCAM? If so, could you please let me know useful commands for further investigation?
Your information would be appreciated.
Shin
05-15-2008 11:30 PM
Uhmm ...
In my understanding, case 1 is abnormal, and case 2 is normal, is it?
So, do you have just one link, and one path from 172.29.175.0 to 172.64.51.0? Have you tried a traceroute? Is the ping always denied on the same workstation? Have you tried an extended acl instead of standard?
Let me know
Regards
Andrea
05-15-2008 11:41 PM
Shin
I agree with Andrea, case 1 is what you would expect and case 2 is abnormal.
Case 1 proves that you have an implicit deny at the end of your access-list and that it is working. Remember that inbound on a vlan interface means traffic coming from hosts on the vlan destined for hosts on other vlans.
So it is the "any" in your access-list lines that matches the source IP addresses of 172.29.175.x.
Are you definitely using the same destination address ie. 172.64.51.100 for both ping tests ?
Jon
05-15-2008 11:58 PM
Andrea and Jon,
Thank you very much for your reply.
First of all, this symptom has occurred at a customer site, not in my lab.
So unfortunately I cannot gather information from the Catalyst 3750 now.
I will answer your questions.
About Andrea's question:
Q: In my understanding, case 1 is abnormal, and case 2 is normal, is it?
A: In "ip access-list extended TESTACL", the source of the permitted traffic is always "any" and the destinations of the permitted traffic are
172.29.172.0/24
172.29.174.0/24
172.29.175.0/24
192.84.172.0/24
172.29.173.0/24
172.57.146.0/24
172.2.200.0/24
172.2.202.0/24
172.2.203.0/24
172.75.132.0/24
172.35.75.0/24
172.88.132.0/24
and "TESTACL" is configured in the inbound direction on Vlan 135.
Case 1's and case 2's destination address, 172.64.51.100, is not included as a permitted destination address.
So I think case 1 is normal and case 2 is abnormal.
Q: do you have just one link, and one path from 172.29.175.0 to 172.64.51.0?
A: Yes.
Q: Have you tried a traceroute?
A: Traceroute in case 2 (traceroute from 172.29.175.116 to 172.64.51.100) is denied. I do not know why, but the traceroute is correctly denied by the access-list.
Q: Is the ping always denied on the same workstation?
A: Yes.
Q: Have you tried an extended acl instead of standard?
A: I am now using an extended acl, not a standard one.
Jon's question:
Q: Are you definitely using the same destination address, i.e. 172.64.51.100, for both ping tests?
A: Yes.
Regards,
05-16-2008 12:14 AM
Shin
Have you checked the actual PCs themselves to make sure that
1) they both have the correct subnet mask/default gateway
2) they are not running some kind of firewall that would block any return packets.
Jon
05-16-2008 12:19 AM
Jon,
Thank you very much for your reply.
I will check it next week at the customer site. However, the customer said that the configuration of the PC is fine...
Do you have any idea about the commands to gather information from the Cat 3750 to resolve this symptom?
Regards,
Shinichi
05-16-2008 12:24 AM
Shinichi
Well, it's not obvious at the moment that the 3750 is the problem. Before delving too deeply I would add the "log" keyword to your access-list entries and an explicit "deny ip any any log" at the end of the access-list, to make sure that you have a problem with the switch rather than the client PCs.
Jon
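The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for IOS-style extended "ip" ACL entries. It parses the TESTACL entries from the first post (copied verbatim), converts IOS wildcard masks to networks, and applies the implicit deny when nothing matches, so it shows what the ACL should do with both ping cases (both are denied by the implicit deny, which is why the evaluation logic alone cannot explain case 2). It also builds the diagnostic variant Jon suggests, with an explicit "deny ip any any log" as the last entry, and reports which flows would produce a log record. The names (`Ace`, `parse_acl`, `evaluate`, `log_report`) and the log line format are assumptions of this example; real IOS logging uses its own message format, and only "permit|deny ip <src> <dst> [log]" with any/host/contiguous-wildcard addresses is handled.

```python
"""
Added example (not from the thread): first-match evaluator for IOS-style
extended "ip" ACL entries with the implicit deny at the end, plus a
constructed log report for entries carrying the "log" keyword.
"""
import ipaddress
from dataclasses import dataclass

# Verbatim copy of the TESTACL entries from the first post.
TESTACL = """
permit ip any 172.29.172.0 0.0.0.255
permit ip any 172.29.174.0 0.0.0.255
permit ip any 172.29.175.0 0.0.0.255
permit ip any 192.84.172.0 0.0.0.255
permit ip any 172.29.173.0 0.0.0.255
permit ip any 172.57.146.0 0.0.0.255
permit ip any 172.2.200.0 0.0.0.255
permit ip any 172.2.202.0 0.0.0.255
permit ip any 172.2.203.0 0.0.0.255
permit ip any 172.75.132.0 0.0.0.255
permit ip any 172.35.75.0 0.0.0.255
permit ip any 172.88.132.0 0.0.3.255
"""

# Jon's suggested diagnostic variant: same entries plus an explicit logged deny.
TESTACL_DIAG = TESTACL + "deny ip any any log\n"

IMPLICIT_DENY = "(implicit deny at end of ACL)"


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool                     # entry carries the "log" keyword
    text: str                     # original line, reported when it matches


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'A.B.C.D WILDCARD' to a network. Wildcard bits set to 1 are
    "don't care"; only contiguous low-order wildcards (0.0.0.255, 0.0.3.255,
    0.0.0.0, ...) are supported, which covers every entry in TESTACL."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    dont_care_bits = (w + 1).bit_length() - 1
    return ipaddress.IPv4Network((addr, 32 - dont_care_bits), strict=False)


def parse_address(tokens, i):
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse 'permit|deny ip <src> <dst> [log]' lines in configured order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                      # blank line or remark
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries supported: {line}")
        src, i = parse_address(tokens, 2)
        dst, i = parse_address(tokens, i)
        aces.append(Ace(tokens[0], src, dst, "log" in tokens[i:], line.strip()))
    return aces


def evaluate(aces, src_ip: str, dst_ip: str):
    """First matching entry wins; with no match the packet hits the implicit
    deny. Returns (action, matched_entry_text, logged)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.text, ace.log
    return "deny", IMPLICIT_DENY, False   # the implicit deny never logs


def log_report(aces, flows):
    """Constructed log-style lines (assumed format, not the real IOS message
    format) for flows that hit an entry carrying 'log'. With the diagnostic
    ACL this is the evidence that would appear if the switch denied case 2."""
    lines = []
    for src_ip, dst_ip in flows:
        action, entry, logged = evaluate(aces, src_ip, dst_ip)
        if logged:
            lines.append(f"list TESTACL {action} ip {src_ip} -> {dst_ip} [{entry}]")
    return lines


if __name__ == "__main__":
    cases = [("172.29.175.84", "172.64.51.100"),    # thread case 1
             ("172.29.175.116", "172.64.51.100"),   # thread case 2
             ("172.29.175.116", "172.88.135.9")]    # inside the 0.0.3.255 entry
    base = parse_acl(TESTACL)
    for src, dst in cases:
        print(src, "->", dst, evaluate(base, src, dst))
    for line in log_report(parse_acl(TESTACL_DIAG), cases):
        print(line)
```

Because the implicit deny produces no log record, the explicit "deny ip any any log" is what makes a switch-side deny visible; if the diagnostic ACL is applied and case 2 still gets through without a deny log, the packet is not being dropped by this ACL and the investigation moves elsewhere (the PCs, or hardware forwarding on the switch).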
05-16-2008 12:29 AM
Jon,
OK, I understand what you said.
I will try to add "log" keyword to confirm what packets hit permit and deny.
Thank you very much for your suggestion.
Regards,
Shin