ACL Config on a catalyst 3550

Answered Question
Nov 20th, 2009
I'm playing around with VLAN ACLs on a 3550. Here is a snippet of my config:

vlan access-map forward-icmp 20
 action forward
 match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
 permit icmp host 192.168.2.4 host 10.1.3.101
 permit icmp host 10.1.3.101 host 192.168.2.4
 permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

Correct Answer
Jon Marshall Fri, 11/20/2009 - 13:25

I don't have a 3550 to hand to test with, so I may be wrong, but VLAN maps do not have a direction. So your traffic going from Host A to the web server is allowed because of the "permit tcp any any eq www" line in your ACL. But the return traffic will be dropped because there is no matching line. Try adding this to the ACL:

permit tcp any eq 80 any


Jon
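As an added illustration that is not code from the thread, here is a small Python model of how the VLAN map above applies the ACL with no notion of direction or connection state: it parses the thread's own ACL lines and shows the original list forwarding Host A's request but dropping the reply, the list with Jon's extra line forwarding the reply, and the cost of a stateless fix, where any segment with source port 80 is forwarded whatever its destination port. Packet values, including client port 51234, are constructed.

```python
from collections import namedtuple

# One packet header as seen by the VLAN map (constructed values, not captures).
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
PORT_NAMES = {"www": 80}  # IOS keyword used in the thread's ACL

def _addr(tokens):
    """Consume 'any' or 'host X'; return (address matcher, remaining tokens)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        return (lambda ip, want=tokens[1]: ip == want), tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[0]}")

def _port(tokens):
    """Consume an optional 'eq PORT'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'permit|deny <proto> <src> [eq P] <dst> [eq P]' into (action, matcher)."""
    action, proto, *rest = line.split()
    src_ok, rest = _addr(rest)
    sport, rest = _port(rest)
    dst_ok, rest = _addr(rest)
    dport, rest = _port(rest)
    def matches(p):
        return (p.proto == proto and src_ok(p.src) and dst_ok(p.dst)
                and sport in (None, p.sport) and dport in (None, p.dport))
    return action, matches

def vacl_action(acl_lines, pkt):
    """First match wins; a permit match takes the map's 'action forward'.
    With the thread's single-sequence map, anything else is the implicit drop."""
    for action, matches in map(parse_ace, acl_lines):
        if matches(pkt):
            return "forward" if action == "permit" else "drop"
    return "drop"

ORIGINAL_ACL = ["permit icmp host 192.168.2.4 host 10.1.3.101",
                "permit icmp host 10.1.3.101 host 192.168.2.4",
                "permit tcp any any eq www"]
FIXED_ACL = ORIGINAL_ACL + ["permit tcp any eq 80 any"]  # Jon's suggested line
# Host A's HTTP request to 10.1.1.7 and the reply; client port 51234 is arbitrary.
REQUEST = Packet("tcp", "192.168.2.4", "10.1.1.7", 51234, 80)
REPLY = Packet("tcp", "10.1.1.7", "192.168.2.4", 80, 51234)
# Cost of a stateless fix: source port 80 is now trusted toward any destination port.
UNWANTED = Packet("tcp", "10.1.1.7", "192.168.2.4", 80, 22)
```

The same evaluator shows the ICMP lines still working in both directions only for the two named hosts; any other pair falls through to the implicit drop.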

iancarder Fri, 11/20/2009 - 13:40
Jon,


Thanks!  That did the trick.  For some reason I thought the eq statement always went on the end of the statement rather than after the host/network/any.
