VLAN Access-list (access-group Traffic in/out)

Unanswered Question
Mar 9th, 2009
User Badges:
  • Silver, 250 points or more

I am having a problem that does not make sense to me. I have a switch configured with a single VLAN (VLAN4) to which I tried to apply an ACL that will impact traffic coming from workstations in VLAN4.

Once I apply the ACL below, I can no longer telnet from a host that is sourcing from a remote office nor from the workstations in VLAN4.


ip access-list extended vlan4_traffic
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
 permit tcp any 10.80.2.0 0.0.0.255 eq 11141
 permit tcp any 10.80.2.0 0.0.0.255 eq 11110
 permit tcp any 10.80.2.0 0.0.0.255 eq 11001
 permit tcp any 10.80.2.0 0.0.0.255 eq 6010
 permit tcp any 10.80.2.0 0.0.0.255 eq 11167
 permit tcp any 10.80.2.0 0.0.0.255 eq 17777
 permit tcp any 10.80.2.0 0.0.0.255 eq 13183
 permit tcp any 10.80.2.0 0.0.0.255 eq 1433
 permit tcp any 10.80.2.0 0.0.0.255 eq 11025
 permit tcp any any eq 3389
 permit ip any host 10.80.2.18
 permit ip any host 10.80.2.22
 permit ip any 10.80.2.0 0.0.0.255
 permit ip any 10.80.3.0 0.0.0.255
 permit ip any 10.80.4.0 0.0.0.255
 permit icmp any any
 permit tcp any any established
 deny ip any 10.80.0.0 0.0.255.255
 deny ip any 10.64.0.0 0.0.255.255
 permit ip any any

int vlan 4
 ip address 10.64.4.254 255.255.255.0
 ip access-group vlan4_traffic in


I thought this ACL should affect incoming traffic from the 10.64.4.0/24 subnet only.

adamclarkuk_2 Mon, 03/09/2009 - 17:07

Hi

Can you just give us an example of traffic flow, i.e. src IP, dst IP, dst port (guessing 23). Also, on your denies add a log entry, then do show log to see if they are blocking the traffic.

deny ip any 10.80.0.0 0.0.255.255 log
deny ip any 10.64.0.0 0.0.255.255 log


Tshi M Mon, 03/09/2009 - 17:21

Hi Adam,


Yes, I already added log to the ACL, which adds to my confusion. In any case, I am trying to telnet from 10.64.148.108 to 10.64.4.54 to no avail once the ACL is applied to VLAN4.

Traffic from vlan4 should be allowed for what it is on the acl only.


denied tcp 10.64.148.108(2020) -> 10.64.4.254(23), 1 packet

adamclarkuk_2 Mon, 03/09/2009 - 17:27

Hi

So, this line is denying the flow :-

deny ip any 10.64.0.0 0.0.255.255

Add this before the denies

permit tcp any 10.64.4.0 0.0.0.255 eq 23 10.64.0.0 0.0.255.255

Not sure why it's ignoring your line

permit tcp any any established


Tshi M Mon, 03/09/2009 - 17:36

Hi Adam,


I thought of that but the problem is that we have remote locations all starting with that 10.64.

The ACL shouldn't have any effect on outside incoming traffic, as it "SHOULD" only apply to incoming VLAN4 traffic.


Tshi M Mon, 03/09/2009 - 17:47

Here it is my friend.

Switch Ports Model          SW Version  SW Image
------ ----- -----          ----------  ----------
*    1 52    WS-C3560G-48TS 12.2(46)SE  C3560-IPBASEK9-M

adamclarkuk_2 Mon, 03/09/2009 - 17:52

Odd, can you apply a permit ip any any log and apply it inbound, then view the logs, it's almost as if it's doing the in/out the wrong way around :-s

Tshi M Mon, 03/09/2009 - 17:57

You read my mind, for it is what I just did. I also changed a line to use log on it to see. The outcome is more confusing. The permit ip any any log does show some traffic, but the line

permit tcp any host 10.200.32.170 eq 11025 log does not show anything. I applied that ACL as "out" rather than "in".

adamclarkuk_2 Mon, 03/09/2009 - 18:03

Try this one :-

permit ip host 10.64.4.54 host 10.64.148.108 log
permit ip any any

Then apply the ACL inbound, telnet from 10.64.4.54 to 10.64.148.108 and see if you get a hit, then flip it.

Tshi M Mon, 03/09/2009 - 18:27

Only when I used permit ip host 10.64.148.108 host 10.64.4.54 and assigned it "in" does it work. So, it seems as though the ACL should be applied using "out" on this VLAN. It doesn't make sense to me.

adamclarkuk_2 Mon, 03/09/2009 - 18:32

Nor me; why would the 3560 be different to all the other Cats when it comes to VLAN ACLs? I wonder if it's a code issue. I have some 3560's I can test with at the office, I will have a go tomoz.

Tshi M Tue, 03/10/2009 - 13:00

When applying the ACL using the "out" option, it does not seem to have any effect, because I don't see any hit counts and some traffic that should be denied seems to pass through.

Richard Burts Tue, 03/10/2009 - 15:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Etienne


When you change the way that you apply the access list from in to out, you have a very significant change about what is the source address and what is the destination address. Did you re-write the access list when you changed its direction?


Perhaps it would help us if we could see a more complete config. Could you post the config (especially including not only the interface and access list, but also any routing information and the config of the vty lines)?


HTH


Rick

Richard Burts Tue, 03/10/2009 - 15:33

Etienne


In re-reading this thread another question occurs to me. Where is the traffic from 10.64.148.108 coming from? How does that traffic get to your switch? Which interface does it arrive on? If we could see the complete config then perhaps we could figure this out.


HTH


Rick

Tshi M Tue, 03/10/2009 - 17:19

Hi Rick,


The traffic comes via a router that is connected to port 47 (see below) on the switch. I don't manage that router. There is a static route on the switch for that traffic (see below).

interface GigabitEthernet0/47
 description Unmanaged Router
 switchport access vlan 45
 switchport mode access
 load-interval 30
 speed 100
 duplex full

ip route 0.0.0.0 0.0.0.0 10.64.4.1
ip route 10.64.148.0 255.255.255.0 10.64.4.10
ip route 10.80.0.0 255.255.0.0 10.64.4.10

Tshi M Tue, 03/10/2009 - 18:47

I had a typo, but this and the ACL are pretty much the relevant lines of the config.

interface GigabitEthernet0/47
 description Unmanaged Router
 switchport access vlan 4
 switchport mode access
 load-interval 30
 speed 100
 duplex full

ip route 0.0.0.0 0.0.0.0 10.64.4.1
ip route 10.64.148.0 255.255.255.0 10.64.4.10
ip route 10.80.0.0 255.255.0.0 10.64.4.1

line vty 0 4
 exec-timeout 45 0
 login local

Richard Burts Tue, 03/10/2009 - 19:18

Etienne


The additional information is quite helpful. It confirms that your attempt to telnet is coming in on VLAN 4.


If you look carefully at the access list there are no statements that specify 10.64.148.0 as a source address. The first statement in the access list which would apply to this traffic from 10.64.148.0 to 10.64.4.254 is this line:

deny ip any 10.64.0.0 0.0.255.255

which clearly denies your attempt to telnet. If you want telnet to work you need to insert a line in the access list which permits the traffic and which comes before this line:

deny ip any 10.64.0.0 0.0.255.255


HTH


Rick
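The top-down walk Rick describes, worked through in code. This is an added example, not code from the thread or from Cisco: a small Python evaluator for IOS extended ACL entries that models first-match with the implicit deny, contiguous wildcard masks, and the `established` keyword matching only segments with ACK or RST set. It runs an abridged copy of the ACL from the original post against the logged flow (10.64.148.108 to 10.64.4.254 port 23) and against a VLAN 4 workstation opening telnet toward the remote office, then again with a permit inserted before the 10.64.0.0/16 deny. That permit line (telnet from 10.64.0.0/16 to the SVI address) is my own assumption of one line that satisfies the advice; the thread does not specify it.

```python
# Added example, not code from the thread or from Cisco: a toy first-match
# evaluator for IOS extended ACL entries. Assumes contiguous wildcard masks,
# first-match with an implicit deny, and that "established" matches only TCP
# segments carrying ACK or RST, never the SYN that opens a new connection.
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23}

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # destination "eq <port>"
    established: bool = False    # TCP "established" keyword

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard -> network: 10.64.0.0 0.0.255.255 becomes 10.64.0.0/16."""
    host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=False)

def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny <proto> <src> <dst> [eq <port>] [established] [log]'."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def take_addr() -> ipaddress.IPv4Network:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ipaddress.IPv4Network("0.0.0.0/0")
        i += 2  # "host A" and "A WILDCARD" both consume two tokens
        if tok[i - 2] == "host":
            return ipaddress.IPv4Network(tok[i - 1] + "/32")
        return wildcard_to_network(tok[i - 2], tok[i - 1])

    src, dst = take_addr(), take_addr()
    dport, established = None, False
    while i < len(tok):
        if tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            established, i = True, i + 1
        elif tok[i] == "log":  # log reports the match; it does not change it
            i += 1
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
    return Ace(action, proto, src, dst, dport, established)

def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines()]

def evaluate(acl, proto, src, dst, dport=None, ack_or_rst=False):
    """Walk the list top-down; return (1-based index of the match, decision)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.established and not ack_or_rst:  # a fresh SYN never matches
            continue
        return n, ace.action
    return None, "deny"  # implicit deny at the end of every IOS ACL

# Abridged copy of the inbound ACL from the original post (10.80.0.0.0 typo
# corrected); the decisive entries are the last four.
VLAN4_TRAFFIC = """
permit udp any any eq bootps
permit udp any any eq bootpc
permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
permit tcp any 10.80.2.0 0.0.0.255 eq 1433
permit tcp any any eq 3389
permit ip any 10.80.2.0 0.0.0.255
permit icmp any any
permit tcp any any established
deny ip any 10.80.0.0 0.0.255.255
deny ip any 10.64.0.0 0.0.255.255
permit ip any any
"""
# Hypothetical fix in the spirit of Rick's advice: a permit placed BEFORE the
# 10.64.0.0/16 deny, limited to telnet toward the SVI address.
TELNET_PERMIT = "permit tcp 10.64.0.0 0.0.255.255 host 10.64.4.254 eq 23\n"

def telnet_syn_decisions():
    acl = parse_acl(VLAN4_TRAFFIC)
    remote_in = evaluate(acl, "tcp", "10.64.148.108", "10.64.4.254", 23)  # logged flow
    ws_out = evaluate(acl, "tcp", "10.64.4.54", "10.64.148.108", 23)  # VLAN 4 workstation
    fixed = parse_acl(VLAN4_TRAFFIC.replace("deny ip any 10.64.0.0",
                                            TELNET_PERMIT + "deny ip any 10.64.0.0"))
    return remote_in, ws_out, evaluate(fixed, "tcp", "10.64.148.108", "10.64.4.254", 23)

if __name__ == "__main__":
    print(telnet_syn_decisions())  # ((10, 'deny'), (10, 'deny'), (10, 'permit'))
```

Both SYNs stop at the same `deny ip any 10.64.0.0 0.0.255.255` entry, which matches the original report that telnet failed from the remote host and from the VLAN 4 workstations alike. `permit tcp any any established` never helps the first packet of a connection, because a SYN carries neither ACK nor RST. And since the unmanaged router sits on an access port in VLAN 4, its traffic enters the SVI inbound exactly as the workstations' does and is evaluated against the same list.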

Tshi M Tue, 03/10/2009 - 19:38

Hi Rick,


My goal is to restrict workstations within VLAN4 going out to some specific servers and ports and not to restrict access in from outside the switch.


Thanks much,
