07-01-2010 11:09 PM - edited 03-06-2019 11:52 AM
Hi,
I had a strange problem with 6513 switches.
We have two 6513 switches. I removed access-list 100 and modified it in the 2nd switch with no problem, but when I did that in the first switch, it went down. I connected a console cable and copied from startup-config and it came up. Both switches have the same configs (HSRP). Those access-lists have nothing to do with other networks; they were created for the wireless network. Can anyone help me on this?
07-01-2010 11:16 PM
Can you paste the ACL config which was modified and applied on the Cisco switch?
Ganesh.H
07-02-2010 12:06 AM
access-list 100 deny ip host 172.25.32.1 any
access-list 100 deny ip host 172.25.33.1 any
access-list 100 deny ip host 172.25.66.1 any
access-list 100 deny ip host 172.25.67.1 any
access-list 100 deny ip host 172.25.98.1 any
access-list 100 deny ip host 172.25.99.1 any
access-list 100 deny udp 172.25.32.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 deny udp 172.25.66.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 deny udp 172.25.98.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.32.0 0.0.1.255 any
access-list 100 permit ip 172.25.66.0 0.0.1.255 any
access-list 100 permit ip 172.25.98.0 0.0.1.255 any
access-list 100 deny ip host 172.25.78.1 any
access-list 100 deny ip host 172.25.77.1 any
access-list 100 deny udp 172.25.76.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.76.0 0.0.1.255 any
access-list 100 deny ip host 172.25.130.1 any
access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny ip 172.25.130.0 0.0.1.255 any
Changes:
I gave "no access-list 100", left out the last 2 lines and pasted it in switch 2; there was no problem.
When I gave "no access-list 100" in switch 1, the switch went down.
I have removed:
access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny ip 172.25.130.0 0.0.1.255 any
07-02-2010 01:20 AM
With "no access-list 100" you are removing the whole ACL 100 from the switch configuration. The last 2 lines I don't think will be of any use, as one is permitting and the other is denying the same source; once you have permitted it at the IP layer there is no need for a deny statement afterwards for the same source.
And the switch went down: do you mean totally shut down, or out of network reach? I hope it will out your network generally from where the traffic is initiated, like the source. Is there any other ACL apart from 100 which says deny network 172.25.130.0? Because as soon as you deleted the ACL the switch went down, hopefully the traffic from where you were accessing the switch has been blocked, or there is some routing problem for that particular subnet.
Hope to Help !!
Ganesh.H
07-02-2010 02:17 AM
This access-list is meant only for the wireless internet connection. I agree with you that the subnet which is in the access-list will not work since I gave "no access-list", but the entire switch went down. I am not able to access other VLANs, for example 172.25.140.0 and 172.25.6.0; these networks are not in this access-list. As you said, it should have affected the other switch as well, but the other switch is working with the same config; we are using HSRP for the VLANs, and that switch was working. I think there is an issue on the switch. We had a VLAN creation problem on one of our 4500 supervisor modules; I think it would be the same kind of thing. I will log a call with Cisco and I will update this forum. Many thanks, Ganesh.
07-05-2010 04:50 PM
Hi,
I think I found an answer; I am not sure.
"An outbound access list applies the filter conditions after the routing table lookup." (I found this on the Cisco website.)
I am still not convinced by this answer, because the access-list which I pasted before should affect that network alone.
My understanding of the above statement is that if it is outbound, first it will look at the routing table and then it will look at the access-list. If that is the case, I am wondering why it is bringing down the entire network.
Can anyone help me please?
07-06-2010 12:01 AM
Hi,
It's not a problem but it's the way it is; it's going to work like this all the time.
Have you noticed that when you removed the ACL 100 (or whatever), the access-list was still applied to the interface? Was it?
If yes, then it will deny any packets using the implicit deny at the end, even if the access-list doesn't exist but is applied on the interface.
So the normal method of configuring an ACL is:
create the ACL
apply it on the interface
modify the ACL directly (if only lines are added or removed)
If you want to remove an ACL from the config, remove it first from the interface and then remove it from the config, because it doesn't make any sense to apply the ACL on the interface first and then create the ACL.
HTH
Hitesh Vinzoda
Pls rate useful posts.
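As an added example, not taken from this thread or from Cisco: a small Python first-match evaluator run over a constructed, abbreviated copy of the ACL 100 posted above. It shows two things discussed in the replies: the implicit deny Hitesh describes (an empty rule set, i.e. the ACL removed while still applied to the interface, denies every packet), and the final deny line that Ganesh notes can never match because the permit before it already covers the same source. The IOS address/port grammar handled here is only the subset that appears in the posted ACL.

```python
import ipaddress

# Constructed, abbreviated copy of the thread's ACL 100 (not the full list);
# the last two lines are the ones the poster removed.
ACL_100 = """
access-list 100 deny ip host 172.25.32.1 any
access-list 100 deny udp 172.25.32.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.32.0 0.0.1.255 any
access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny ip 172.25.130.0 0.0.1.255 any
"""
PORTS = {"bootps": 67, "bootpc": 68}  # named ports this parser understands

def _addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard is the bitwise inverse of a subnet mask: 0.0.1.255 -> 255.255.254.0
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn 'access-list N action proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = (int(rest[1]) if rest[1].isdigit() else PORTS[rest[1]]) if rest[:1] == ["eq"] else None
        rules.append((t[2], t[3], src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins; falling off the end is the implicit deny, so an empty
    (removed) ACL that is still applied to an interface denies everything."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, rproto, rsrc, rdst, rport) in enumerate(rules):
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, i
    return "deny", None

def shadowed(rules):
    """Indexes of lines that can never match because an earlier line already covers them."""
    return [j for j, (_, pj, sj, dj, portj) in enumerate(rules)
            if any(pi in ("ip", pj) and sj.subnet_of(si) and dj.subnet_of(di) and porti in (None, portj)
                   for _, pi, si, di, porti in rules[:j])]
```

Running shadowed() over a copy of the real ACL before pasting it is a cheap way to spot lines like the trailing deny that do nothing; evaluate([], ...) reproduces the "everything denied" state that follows a "no access-list" while the interface still references it.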