6500 ACL using QoS not working.

cshannahan
Level 1

Hey all. We are set up like a hotel-style workers' camp. We have wings full of rooms and residents, with 3750 stacks in them. Those switches connect back to our core 6500s. The network is mostly all Layer 3; interfaces are routed with IPs.

When it was built, before my time, they included an ACL for each wing so that residents couldn't access internal devices (i.e. SSH to the 6500), but I've come to notice it's not working.

I see hits on the ACL for accepts, but nothing is hitting the deny rule at the top.

Thanks

Chris

Here is the configuration below:

mls qos aggregate-policer INTERNET1 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos aggregate-policer INTERNET2 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos aggregate-policer INTERNET 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos
mls netflow interface
no mls acl tcam share-global
mls cef error action freeze
class-map match-all CORE
  match access-group 105
class-map match-all POD-B
  match access-group 102
class-map match-all POD-C
  match access-group 103
class-map match-all POD-A
  match access-group 101
!
!
policy-map INTERNET
  class POD-A
     police aggregate INTERNET
policy-map INTERNET3
  class CORE
   police cir 8000000 bc 250000 be 250000 conform-action transmit exceed-action drop violate-action drop
policy-map INTERNET2
  class POD-C
     police aggregate INTERNET2
policy-map INTERNET1
  class POD-B
     police aggregate INTERNET1
access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.11.1.0 0.0.0.255 any
access-list 101 permit ip 10.12.1.0 0.0.0.255 any
access-list 101 permit ip 10.13.1.0 0.0.0.255 any
access-list 101 permit ip 10.14.1.0 0.0.0.255 any
access-list 101 permit ip 10.15.1.0 0.0.0.255 any
access-list 101 permit ip 10.16.1.0 0.0.0.255 any
access-list 101 permit ip 10.17.1.0 0.0.0.255 any
access-list 102 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.21.1.0 0.0.0.255 any
access-list 102 permit ip 10.22.1.0 0.0.0.255 any
access-list 102 permit ip 10.23.1.0 0.0.0.255 any
access-list 102 permit ip 10.24.1.0 0.0.0.255 any
access-list 102 permit ip 10.25.1.0 0.0.0.255 any
access-list 102 permit ip 10.26.1.0 0.0.0.255 any
access-list 102 permit ip 10.27.1.0 0.0.0.255 any
access-list 102 permit ip 10.28.1.0 0.0.0.255 any
access-list 103 deny   ip host 10.32.1.73 host 10.47.2.6
access-list 103 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 10.31.1.0 0.0.0.255 any
access-list 103 permit ip 10.32.1.0 0.0.0.255 any
access-list 103 permit ip 10.33.1.0 0.0.0.255 any
access-list 103 permit ip 10.34.1.0 0.0.0.255 any
access-list 103 permit ip 10.35.1.0 0.0.0.255 any
access-list 103 permit ip 10.36.1.0 0.0.0.255 any
access-list 103 permit ip 10.37.1.0 0.0.0.255 any
access-list 103 permit ip 10.38.1.0 0.0.0.255 any
access-list 103 permit ip 10.39.1.0 0.0.0.255 any
access-list 103 permit ip 10.30.1.0 0.0.0.255 any
access-list 103 permit ip 10.44.4.0 0.0.0.63 any
access-list 103 permit ip 10.44.4.128 0.0.0.63 any
access-list 105 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 permit ip 10.44.3.0 0.0.0.255 any
access-list 105 permit ip 10.44.6.0 0.0.0.255 any
access-list 105 permit ip 10.45.3.0 0.0.0.255 any
access-list 105 permit ip 10.48.2.0 0.0.0.255 any
access-list 105 permit ip 10.48.4.0 0.0.0.255 any
access-list 105 permit ip 10.48.5.0 0.0.0.255 any

interface GigabitEthernet1/2
 description LINK TO AVAC3750SB G1/0/1
 ip address 10.1.0.9 255.255.255.252
 ip wccp web-cache redirect in
 service-policy input INTERNET
interface GigabitEthernet1/15
 description LINK TO AVBC3750SO G1/0/1
 ip address 10.1.0.113 255.255.255.252
 ip wccp web-cache redirect in
 service-policy input INTERNET1
interface GigabitEthernet1/18
 description LINK TO AVCC3750SR G1/0/1
 ip address 10.1.0.137 255.255.255.252
 ip wccp web-cache redirect in
 service-policy input INTERNET2

Extended IP access list 101
    10 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    20 permit ip 10.11.1.0 0.0.0.255 any (124361 matches)
    30 permit ip 10.12.1.0 0.0.0.255 any (142924 matches)
    40 permit ip 10.13.1.0 0.0.0.255 any (133540 matches)
    50 permit ip 10.14.1.0 0.0.0.255 any (211299 matches)
    60 permit ip 10.15.1.0 0.0.0.255 any (181643 matches)
    70 permit ip 10.16.1.0 0.0.0.255 any (137699 matches)
    80 permit ip 10.17.1.0 0.0.0.255 any (236942 matches)
Extended IP access list 102
    10 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    20 permit ip 10.21.1.0 0.0.0.255 any (148195 matches)
    30 permit ip 10.22.1.0 0.0.0.255 any (130446 matches)
    40 permit ip 10.23.1.0 0.0.0.255 any (213036 matches)
    50 permit ip 10.24.1.0 0.0.0.255 any (196933 matches)
    60 permit ip 10.25.1.0 0.0.0.255 any (196859 matches)
    70 permit ip 10.26.1.0 0.0.0.255 any (464560 matches)
    80 permit ip 10.27.1.0 0.0.0.255 any (151046 matches)
    90 permit ip 10.28.1.0 0.0.0.255 any (171773 matches)
Extended IP access list 103
    10 deny ip host 10.32.1.73 host 10.47.2.6
    20 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
    30 permit ip 10.31.1.0 0.0.0.255 any (254697 matches)
    40 permit ip 10.32.1.0 0.0.0.255 any (118797 matches)
    50 permit ip 10.33.1.0 0.0.0.255 any (183682 matches)
    60 permit ip 10.34.1.0 0.0.0.255 any (57339 matches)
    70 permit ip 10.35.1.0 0.0.0.255 any (77335 matches)
    80 permit ip 10.36.1.0 0.0.0.255 any (27874 matches)
    90 permit ip 10.37.1.0 0.0.0.255 any (50542 matches)


5 Replies

cshannahan
Level 1

I'm wondering if this is it?

   20 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

Is this stating that 10.1.1.x can't get to 10.2.2.x but could get to 10.3.x.x? Meaning just class C? Sorry if I'm confusing; I'm used to ASA ACLs.

Edison Ortiz (Accepted Solution)
Hall of Fame

In this case, the deny ACEs are instructing the operating system to exempt flows between subnets from being policed.

They aren't security ACLs, thus no counter will be created in this case.

If you want to protect the switch from remote management, I recommend placing security ACLs under the VTY line.

Ok thanks.

What I want is to not allow access to anything on 10.x.x.x unless I specify to allow it. They only need access to a few things on the network; everything else is just internet.

I.e.: bootp/dhcp, internet web servers, etc.

So I could just do another ACL and then apply it to the interfaces for the extra stuff I want to block. Just apply access-group (ACL) to the interface.

You will need to create security ACLs independent of this QoS configuration you've provided.
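As an added illustration (not posted by either participant), here is what Edison's advice looks like in IOS configuration, alongside the wildcard-mask point behind Chris's question about line 20. The ACL names MGMT-HOSTS and RESIDENTS-POD-A, and the server address 10.44.3.10, are placeholders; the subnet 10.11.1.0/24, the admin subnet 10.44.3.0/24 and interface GigabitEthernet1/2 are taken from the posted config.

```cisco
! Management plane: who may open SSH sessions to the 6500 itself.
! A standard ACL matches on source only. PLACEHOLDER name; substitute
! the subnet your admins really connect from.
ip access-list standard MGMT-HOSTS
 permit 10.44.3.0 0.0.0.255
 deny   any
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! Data plane: a security ACL for one resident wing (POD-A, 10.11.1.0/24
! from the posted ACL 101). It is applied with "ip access-group" and is
! independent of the QoS class-maps, whose ACLs only select traffic for
! policing (a deny there means "do not police", and counts nothing).
ip access-list extended RESIDENTS-POD-A
 remark DHCP from residents to the relay/server
 permit udp any eq bootpc any eq bootps
 remark PLACEHOLDER: the few internal services residents need (DNS etc.)
 permit ip 10.11.1.0 0.0.0.255 host 10.44.3.10
 remark Wildcard mask matters: "10.0.0.0 0.0.0.255" (posted line 20) covers
 remark only 10.0.0.0-10.0.0.255 in each direction; 0.255.255.255 is all of 10/8
 deny   ip 10.11.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 remark Everything else (Internet) is allowed
 permit ip 10.11.1.0 0.0.0.255 any
!
interface GigabitEthernet1/2
 ip access-group RESIDENTS-POD-A in
```

The existing service-policy can stay on the interface; the two ACL types do different jobs. After applying it, `show ip access-lists RESIDENTS-POD-A` should show the deny line accumulating matches when a resident host tries to reach 10.1.0.9, which is the check the posted `show access-lists` output never produced for the QoS ACLs. The same wildcard fix (0.255.255.255 instead of 0.0.0.255) applies to the deny ACEs in 102, 103 and 105 if those lists are ever repurposed as security ACLs.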
