07-17-2012 06:27 AM - edited 03-07-2019 07:49 AM
Hey all. We are set up like a hotel-style workers' camp. We have wings full of rooms and residents with 3750 stacks in them. Those switches connect back to our core 6500s. The network is mostly all Layer 3; interfaces are routed with IPs.
When it was built, before my time, they included an ACL for each wing so that residents couldn't access internal devices (i.e. SSH to the 6500), but I've come to notice it's not working.
I see hits on the ACL for accepts but nothing is hitting the deny rule at the top.
Thanks
Chris
Here is the configuration below:
mls qos aggregate-policer INTERNET1 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos aggregate-policer INTERNET2 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos aggregate-policer INTERNET 24000000 80000 80000 conform-action transmit exceed-action drop
mls qos
mls netflow interface
no mls acl tcam share-global
mls cef error action freeze
class-map match-all CORE
match access-group 105
class-map match-all POD-B
match access-group 102
class-map match-all POD-C
match access-group 103
class-map match-all POD-A
match access-group 101
!
!
policy-map INTERNET
class POD-A
police aggregate INTERNET
policy-map INTERNET3
class CORE
police cir 8000000 bc 250000 be 250000 conform-action transmit exceed-action drop violate-action drop
policy-map INTERNET2
class POD-C
police aggregate INTERNET2
policy-map INTERNET1
class POD-B
police aggregate INTERNET1
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.11.1.0 0.0.0.255 any
access-list 101 permit ip 10.12.1.0 0.0.0.255 any
access-list 101 permit ip 10.13.1.0 0.0.0.255 any
access-list 101 permit ip 10.14.1.0 0.0.0.255 any
access-list 101 permit ip 10.15.1.0 0.0.0.255 any
access-list 101 permit ip 10.16.1.0 0.0.0.255 any
access-list 101 permit ip 10.17.1.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.21.1.0 0.0.0.255 any
access-list 102 permit ip 10.22.1.0 0.0.0.255 any
access-list 102 permit ip 10.23.1.0 0.0.0.255 any
access-list 102 permit ip 10.24.1.0 0.0.0.255 any
access-list 102 permit ip 10.25.1.0 0.0.0.255 any
access-list 102 permit ip 10.26.1.0 0.0.0.255 any
access-list 102 permit ip 10.27.1.0 0.0.0.255 any
access-list 102 permit ip 10.28.1.0 0.0.0.255 any
access-list 103 deny ip host 10.32.1.73 host 10.47.2.6
access-list 103 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 103 permit ip 10.31.1.0 0.0.0.255 any
access-list 103 permit ip 10.32.1.0 0.0.0.255 any
access-list 103 permit ip 10.33.1.0 0.0.0.255 any
access-list 103 permit ip 10.34.1.0 0.0.0.255 any
access-list 103 permit ip 10.35.1.0 0.0.0.255 any
access-list 103 permit ip 10.36.1.0 0.0.0.255 any
access-list 103 permit ip 10.37.1.0 0.0.0.255 any
access-list 103 permit ip 10.38.1.0 0.0.0.255 any
access-list 103 permit ip 10.39.1.0 0.0.0.255 any
access-list 103 permit ip 10.30.1.0 0.0.0.255 any
access-list 103 permit ip 10.44.4.0 0.0.0.63 any
access-list 103 permit ip 10.44.4.128 0.0.0.63 any
access-list 105 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 105 permit ip 10.44.3.0 0.0.0.255 any
access-list 105 permit ip 10.44.6.0 0.0.0.255 any
access-list 105 permit ip 10.45.3.0 0.0.0.255 any
access-list 105 permit ip 10.48.2.0 0.0.0.255 any
access-list 105 permit ip 10.48.4.0 0.0.0.255 any
access-list 105 permit ip 10.48.5.0 0.0.0.255 any
interface GigabitEthernet1/2
description LINK TO AVAC3750SB G1/0/1
ip address 10.1.0.9 255.255.255.252
ip wccp web-cache redirect in
service-policy input INTERNET
interface GigabitEthernet1/15
description LINK TO AVBC3750SO G1/0/1
ip address 10.1.0.113 255.255.255.252
ip wccp web-cache redirect in
service-policy input INTERNET1
interface GigabitEthernet1/18
description LINK TO AVCC3750SR G1/0/1
ip address 10.1.0.137 255.255.255.252
ip wccp web-cache redirect in
service-policy input INTERNET2
Extended IP access list 101
10 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
20 permit ip 10.11.1.0 0.0.0.255 any (124361 matches)
30 permit ip 10.12.1.0 0.0.0.255 any (142924 matches)
40 permit ip 10.13.1.0 0.0.0.255 any (133540 matches)
50 permit ip 10.14.1.0 0.0.0.255 any (211299 matches)
60 permit ip 10.15.1.0 0.0.0.255 any (181643 matches)
70 permit ip 10.16.1.0 0.0.0.255 any (137699 matches)
80 permit ip 10.17.1.0 0.0.0.255 any (236942 matches)
Extended IP access list 102
10 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
20 permit ip 10.21.1.0 0.0.0.255 any (148195 matches)
30 permit ip 10.22.1.0 0.0.0.255 any (130446 matches)
40 permit ip 10.23.1.0 0.0.0.255 any (213036 matches)
50 permit ip 10.24.1.0 0.0.0.255 any (196933 matches)
60 permit ip 10.25.1.0 0.0.0.255 any (196859 matches)
70 permit ip 10.26.1.0 0.0.0.255 any (464560 matches)
80 permit ip 10.27.1.0 0.0.0.255 any (151046 matches)
90 permit ip 10.28.1.0 0.0.0.255 any (171773 matches)
Extended IP access list 103
10 deny ip host 10.32.1.73 host 10.47.2.6
20 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
30 permit ip 10.31.1.0 0.0.0.255 any (254697 matches)
40 permit ip 10.32.1.0 0.0.0.255 any (118797 matches)
50 permit ip 10.33.1.0 0.0.0.255 any (183682 matches)
60 permit ip 10.34.1.0 0.0.0.255 any (57339 matches)
70 permit ip 10.35.1.0 0.0.0.255 any (77335 matches)
80 permit ip 10.36.1.0 0.0.0.255 any (27874 matches)
90 permit ip 10.37.1.0 0.0.0.255 any (50542 matches)
07-17-2012 06:37 AM
I'm wondering if this is it?
20 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Is this stating that 10.1.1.x can't get to 10.2.2.x but could get to 10.3.x.x? Meaning just class C? Sorry if I'm confusing; I'm used to ASA ACLs.
07-17-2012 06:39 AM
In this case, the deny ACEs are instructing the operating system to exclude flows between subnets from being policed.
They aren't security ACLs, thus no counter will be created in this case.
If you want to protect the switch from remote management, I recommend placing security ACLs under the VTY line.
07-17-2012 06:42 AM
Ok thanks.
What I want is to not allow access to anything on 10.x.x.x unless I specify to allow it. They only need access to a few things on the network; everything else is just internet.
i.e. bootp/dhcp, internet web servers, etc.
07-17-2012 06:46 AM
So I could just do up another ACL and then apply it to the interfaces for the extra stuff I want to block. Just apply access-group (ACL) to the interface.
07-17-2012 06:46 AM
You will need to create security ACLs independent of this QoS configuration you've provided.
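The following is an added example, not code from the thread or from Cisco, that models the two points made above: an ACL referenced by a class-map ("match access-group") only classifies, so a deny ACE keeps the packet out of the class (and out of the policer) but never drops it, whereas the same ACL applied with "ip access-group" actually filters. It also settles the wildcard-mask question raised earlier: "10.0.0.0 0.0.0.255" covers only 10.0.0.0/24 on each side, so resident traffic from 10.11.1.0/24 to, say, the 6500's 10.1.0.9 never hits that ACE even as a filter. ACL 101 is parsed from the thread's own lines; ACL 110, the server address 10.44.3.10 in it and the sample flows are constructed for this example.

```python
"""Model of Cisco IOS extended-ACL evaluation (added example, not from the thread).
Applied with 'ip access-group': permit forwards, deny (explicit or implicit) drops.
Used as a class-map 'match access-group' criterion: a permit match puts the packet
in the class (policed); a deny match just leaves it unclassified and forwarded.
ACL 101 is the thread's; ACL 110, host 10.44.3.10 and the flows are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str   # 'permit' or 'deny'
    src: tuple    # (base address, wildcard) as 32-bit ints
    dst: tuple


def _take_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    tok = tokens.pop(0)
    if tok == "any":
        return (0, 0xFFFFFFFF)
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0))))


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines (or the numbered
    'show access-lists' form) into an ordered list of Ace."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        elif tokens[0].isdigit():          # sequence number from 'show' output
            tokens = tokens[1:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError("only 'permit|deny ip' ACEs are modelled: " + line)
        src = _take_addr(rest)
        dst = _take_addr(rest)                # trailing '(N matches)' is ignored
        aces.append(Ace(action, src, dst))
    return aces


def _covers(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(addr)) & care == base & care


def first_match(aces, src, dst):
    for ace in aces:
        if _covers(ace.src, src) and _covers(ace.dst, dst):
            return ace
    return None   # nothing matched: IOS applies the implicit deny


def filter_verdict(aces, src, dst):
    """Result when the ACL is applied with 'ip access-group': 'permit' or 'deny'."""
    ace = first_match(aces, src, dst)
    return ace.action if ace else "deny"


def qos_verdict(aces, src, dst):
    """Result when the ACL is a class-map criterion: only a permit match puts the
    packet in the class; a deny match or no match leaves it unclassified."""
    ace = first_match(aces, src, dst)
    return "policed" if ace and ace.action == "permit" else "forwarded-unpoliced"


# ACL 101 exactly as posted in the thread.
ACL_101 = parse_acl("""
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.11.1.0 0.0.0.255 any
access-list 101 permit ip 10.12.1.0 0.0.0.255 any
access-list 101 permit ip 10.13.1.0 0.0.0.255 any
access-list 101 permit ip 10.14.1.0 0.0.0.255 any
access-list 101 permit ip 10.15.1.0 0.0.0.255 any
access-list 101 permit ip 10.16.1.0 0.0.0.255 any
access-list 101 permit ip 10.17.1.0 0.0.0.255 any
""")

# Constructed security ACL for one pod: permit the few internal services needed
# (10.44.3.10 is a hypothetical server), deny the rest of 10.0.0.0/8 with the
# wildcard 0.255.255.255, then permit everything else (the Internet).
ACL_110 = parse_acl("""
access-list 110 permit ip 10.11.1.0 0.0.0.255 host 10.44.3.10
access-list 110 deny ip 10.11.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 10.11.1.0 0.0.0.255 any
""")

if __name__ == "__main__":
    flows = [("10.11.1.20", "10.1.0.9"), ("10.11.1.20", "10.44.3.10"),
             ("10.11.1.20", "198.51.100.7"), ("10.0.0.5", "10.0.0.9")]
    for src, dst in flows:
        print(f"{src:>12} -> {dst:<14} ACL101 as QoS: {qos_verdict(ACL_101, src, dst):<19}"
              f" ACL101 as filter: {filter_verdict(ACL_101, src, dst):<7}"
              f" ACL110 as filter: {filter_verdict(ACL_110, src, dst)}")
```

Running it shows the thread's ACL 101 classifying 10.11.1.20 -> 10.1.0.9 as "policed" (the permit ACE matched, nothing was blocked), while the same flow through ACL 110 comes back "deny". To make an ACL like 110 take effect it must be applied as a filter on the routed interface facing each 3750 stack, e.g. "ip access-group 110 in" under GigabitEthernet1/2, separately from the existing "service-policy input INTERNET"; the QoS class-map ACLs should then keep only permit ACEs for the subnets to police. For protecting the 6500's own management plane, an "access-class" ACL under "line vty" is the belt-and-braces addition the accepted answer recommends. The DHCP and other services the residents need must be permitted before the deny line, since evaluation is first match.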