ACL Config on a catalyst 3550

Answered Question
Nov 20th, 2009

I'm playing around with vlan ACLs on a 3550.  Here is a snippet of my config:

vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

Correct Answer
Jon Marshall Fri, 11/20/2009 - 13:25

iancarder wrote:

I'm playing around with vlan ACLs on a 3550.  Here is a snippet of my config:

vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

I don't have a 3550 to hand to test with, so I may be wrong, but VLAN maps do not have a direction. So your traffic going from Host A to the web server is allowed because of the "permit tcp any any eq www" line in your ACL. But the return traffic will be dropped because there is no matching line. Try adding this to the ACL:

permit tcp any eq 80 any

Jon
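The stateless, direction-free matching Jon describes, as an added example written for this page (it is not from the thread and not Cisco IOS code): a small Python evaluator that applies the posted ACL entries to both the client's request and the web server's reply. The addresses and ACL lines come from the thread; the packet tuples and the ephemeral port 51000 are constructed sample values.

```python
# Added example, not from the thread: a tiny stateless matcher for the posted
# ACL, showing why the reply from the web server is dropped until Jon's
# "permit tcp any eq 80 any" line is added. Packet tuples are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Entry:
    proto: str
    src: str = "any"               # "any" or a host address
    sport: Optional[int] = None    # "eq N" on the source side
    dst: str = "any"
    dport: Optional[int] = None    # "eq N" on the destination side

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

def acl_permits(acl, packet) -> bool:
    """First matching entry wins; no match is the implicit deny. A VLAN map
    keeps no session state and has no direction, so the server's reply is
    checked against exactly the same list as the client's request."""
    return any(e.matches(packet) for e in acl)

# "ip access-list extended icmp-h1h2" exactly as posted in the question
ORIGINAL_ACL = [
    Entry("icmp", src="192.168.2.4", dst="10.1.3.101"),
    Entry("icmp", src="10.1.3.101", dst="192.168.2.4"),
    Entry("tcp", dport=80),                         # permit tcp any any eq www
]
# The same list with Jon's suggested line appended: permit tcp any eq 80 any
FIXED_ACL = ORIGINAL_ACL + [Entry("tcp", sport=80)]

# Constructed flow: Host A browsing to http://10.1.1.7 from ephemeral port 51000
REQUEST = Packet("tcp", "192.168.2.4", "10.1.1.7", sport=51000, dport=80)
REPLY = Packet("tcp", "10.1.1.7", "192.168.2.4", sport=80, dport=51000)

def http_flow_works(acl) -> bool:
    """True only when both halves of the TCP exchange are permitted."""
    return acl_permits(acl, REQUEST) and acl_permits(acl, REPLY)
```

With the original list the request passes but the reply hits the implicit deny, which is exactly the timeout seen in the browser; the ICMP pings between the two hosts keep working in both versions.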

iancarder Fri, 11/20/2009 - 13:40

Jon,

Thanks!  That did the trick.  For some reason I thought the eq statement always went on the end of the statement rather than after the host/network/any.
