1073 Views, 0 Helpful, 18 Replies

VLAN Access-list (access-group Traffic in/out)

Tshi M (Level 5)

I am having a problem that does not make sense to me. I have a switch configured with a single VLAN (VLAN4) to which I tried to apply an ACL that will impact traffic coming from workstations in VLAN4.

Once I apply the ACL below, I can no longer telnet from a host that is sourcing from a remote office nor from the workstations in VLAN4.

ip access-list extended vlan4_traffic
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
 permit tcp any 10.80.2.0 0.0.0.255 eq 11141
 permit tcp any 10.80.2.0 0.0.0.255 eq 11110
 permit tcp any 10.80.2.0 0.0.0.255 eq 11001
 permit tcp any 10.80.2.0 0.0.0.255 eq 6010
 permit tcp any 10.80.2.0 0.0.0.255 eq 11167
 permit tcp any 10.80.2.0 0.0.0.255 eq 17777
 permit tcp any 10.80.2.0 0.0.0.255 eq 13183
 permit tcp any 10.80.2.0 0.0.0.255 eq 1433
 permit tcp any 10.80.2.0 0.0.0.255 eq 11025
 permit tcp any any eq 3389
 permit ip any host 10.80.2.18
 permit ip any host 10.80.2.22
 permit ip any 10.80.2.0 0.0.0.255
 permit ip any 10.80.3.0 0.0.0.255
 permit ip any 10.80.4.0 0.0.0.255
 permit icmp any any
 permit tcp any any established
 deny ip any 10.80.0.0 0.0.255.255
 deny ip any 10.64.0.0 0.0.255.255
 permit ip any any

interface Vlan4
 ip address 10.64.4.254 255.255.255.0
 ip access-group vlan4_traffic in

I thought this ACL should affect incoming traffic from the 10.64.4.0/24 subnet only.

18 Replies

adamclarkuk_2 (Level 4)

Hi

Can you just give us an example of a traffic flow, i.e. src IP, dst IP, dst port (guessing 23)? Also, on your denys add a log entry, then do "show log" to see if they are blocking the traffic.

deny ip any 10.80.0.0 0.0.255.255 log
deny ip any 10.64.0.0 0.0.255.255 log

Hi Adam,

Yes, I already did a log on the ACL, which adds to my confusion. In any case, I am trying to telnet from 10.64.148.108 to 10.64.4.54 to no avail once the ACL is applied to VLAN4.

Traffic from vlan4 should be allowed for what it is on the acl only.

denied tcp 10.64.148.108(2020) -> 10.64.4.254(23), 1 packet

Hi

So, this line is denying the flow :-

deny ip any 10.64.0.0 0.0.255.255

Add this before the deny's

permit tcp any 10.64.4.0 0.0.0.255 eq 23 10.64.0.0 0.0.255.255

Not sure why it's ignoring your line

permit tcp any any established

Hi Adam,

I thought of that, but the problem is that we have remote locations all starting with that 10.64.

The ACL shouldn't have any effect on outside incoming traffic as it "SHOULD" only apply to incoming VLAN4 traffic.

What platform is this on, mate?

Here it is my friend.

Switch Ports Model            SW Version SW Image
------ ----- ---------------- ---------- ----------------
*    1    52 WS-C3560G-48TS   12.2(46)SE C3560-IPBASEK9-M

Odd. Can you add a permit ip any any log, apply it inbound, then view the logs? It's almost as if it's doing the in/out the wrong way around :-s

You read my mind, for it is what I just did. I also changed a line to use log on it to see. The outcome is more confusing. The permit ip any any log does show some traffic, but the line

permit tcp any host 10.200.32.170 eq 11025 log

does not show anything. I applied that ACL as "out" rather than "in".

Try this one :-

permit ip host 10.64.4.54 host 10.64.148.108 log

permit ip any any

Then apply the ACL inbound, telnet from 10.64.4.54 to 10.64.148.108 and see if you get a hit, then flip it.

Only when I used permit ip host 10.64.148.108 host 10.64.4.54 and assigned "in" did it work. So it seems as though the ACL should be applied using "out" on this VLAN. It doesn't make sense to me.

Nor me. Why would the 3560 be different to all the other Cats when it comes to VLAN ACLs? I wonder if it's a code issue. I have some 3560s I can test with at the office; I will have a go tomorrow.

When applying the ACL using the "out" option, it does not seem to have any effect, because I don't see any hit counts and some traffic that should be denied seems to pass through.

Etienne

When you change the way that you apply the access list from in to out, you have a very significant change about what is the source address and what is the destination address. Did you re-write the access list when you changed its direction?

Perhaps it would help us if we could see a more complete config. Could you post the config (especially including not only the interface and access list, but also any routing information and the config of the vty lines)?

HTH

Rick

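Rick's point about direction, and the log line Adam asked for, can both be checked offline. The Python below is an added example, not code from the thread or from Cisco: it evaluates a representative subset of the posted ACL with IOS semantics (top-down, first match wins, wildcard masks where a 1 bit means "don't care", implicit deny at the end), reports which entry a given packet hits, and rewrites every entry with source and destination swapped, which is the form the same policy needs if the list is applied "out" instead of "in" on the SVI. Fed the flow from the logged message (a TCP SYN from 10.64.148.108 to 10.64.4.254 port 23) it lands on deny ip any 10.64.0.0 0.0.255.255: the "established" entry cannot match the first segment of a connection because no ACK or RST bit is set, and every entry above that deny is scoped to 10.80.x.x destinations, other protocols or other ports. Note that the logged destination is the switch's own SVI address, not 10.64.4.54. The ACL text (with the 10.80.0.0.0 typo from the post corrected), the port-keyword table and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23}  # keywords used in the post
PORT_KEYWORDS = {v: k for k, v in PORT_NAMES.items()}

# Representative subset of the ACL posted in the thread (constructed copy, added here).
ACL_TEXT = """
permit udp any any eq bootps
permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
permit tcp any 10.80.2.0 0.0.0.255 eq 1433
permit icmp any any
permit tcp any any established
deny ip any 10.80.0.0 0.0.255.255
deny ip any 10.64.0.0 0.0.255.255
permit ip any any
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # False for the initial SYN, True for every later segment

@dataclass
class Entry:
    action: str
    proto: str
    src: tuple  # (network, wildcard) as 32-bit ints
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    established: bool
    text: str

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A W' and return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))

def _port(tokens):
    """Consume an optional 'eq <port>' and return the port number, else None."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, sport = _addr(rest), _port(rest)
        dst, dport = _addr(rest), _port(rest)
        entries.append(Entry(action, proto, src, sport, dst, dport, "established" in rest, line))
    return entries

def _wild_match(addr, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0

def matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and _wild_match(p.src, e.src) and _wild_match(p.dst, e.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport)
            and (p.ack_or_rst or not e.established))

def first_match(acl, p):
    """IOS evaluates top-down and stops at the first match; the list ends in an implicit deny."""
    for n, e in enumerate(acl, 1):
        if matches(e, p):
            return n, e.text
    return len(acl) + 1, "deny ip any any (implicit)"

def _spec_text(spec, port):
    net, wild = spec
    a = ("any" if wild == 0xFFFFFFFF else "host %s" % ipaddress.IPv4Address(net) if wild == 0
         else "%s %s" % (ipaddress.IPv4Address(net), ipaddress.IPv4Address(wild)))
    return a if port is None else "%s eq %s" % (a, PORT_KEYWORDS.get(port, port))

def flip_direction(acl):
    """Swap source and destination of every entry: the form the same policy needs when applied 'out'."""
    return ["%s %s %s %s%s" % (e.action, e.proto, _spec_text(e.dst, e.dport),
                               _spec_text(e.src, e.sport), " established" if e.established else "")
            for e in acl]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(first_match(acl, Packet("10.64.148.108", "10.64.4.254", "tcp", 2020, 23)))
```

Running it with the logged flow prints entry 7, the deny for 10.64.0.0/16; feeding it the SYN/ACK that would come back the other way (ack_or_rst=True) hits the established entry instead, and flip_direction shows that deny becoming deny ip 10.64.0.0 0.0.255.255 any, which is why an ACL cannot simply be re-applied in the opposite direction without rewriting it.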

Etienne

In re-reading this thread another question occurs to me. Where is the traffic from 10.64.148.108 coming from? How does that traffic get to your switch? Which interface does it arrive on? If we could see the complete config then perhaps we could figure this out.

HTH

Rick
