ACL Config on a catalyst 3550

iancarder
Level 1

I'm playing around with vlan ACLs on a 3550.  Here is a snippet of my config:

vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

Accepted Solution

Jon Marshall
Hall of Fame

iancarder wrote:

I'm playing around with vlan ACLs on a 3550.  Here is a snippet of my config:

vlan access-map forward-icmp 20
action forward
match ip address icmp-h1h2
vlan filter forward-icmp vlan-list 11

ip access-list extended icmp-h1h2
permit icmp host 192.168.2.4 host 10.1.3.101
permit icmp host 10.1.3.101 host 192.168.2.4
permit tcp any any eq www

Host A (192.168.2.4) is in VLAN 11 and Host B (10.1.3.101) is in VLAN 10. I can ping between 192.168.2.4 and 10.1.3.101. However, if I try to navigate to http://10.1.1.7 from Host A, I get a timeout. Shouldn't the "permit tcp any any eq www" command allow me to navigate to that web server over the standard port 80?

Thanks in advance.

I don't have a 3550 to hand to test with, so I may be wrong, but vlan maps do not have a direction. So your traffic going from Host A to the web server is allowed because of the "permit tcp any any eq www" line in our acl. But the return traffic will be dropped because there is no matching line. Try adding this to the acl:

permit tcp any eq 80 any

Jon
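As an added illustration (not code from the thread or from Cisco), the following Python model evaluates the poster's extended ACL the way a directionless VLAN access map does: every frame on VLAN 11 is checked, in both directions, and anything with no matching entry is dropped. It runs the HTTP request and its return segment through the original ACL and through the ACL with Jon's extra line. It assumes only `host`/`any` address specs, `eq` port matches and a single access-map clause; the port names, addresses and the client port 51234 are constructed sample values.

```python
# Constructed from the thread: the original ACL, then the version with Jon's line.
ACL_ORIGINAL = [
    "permit icmp host 192.168.2.4 host 10.1.3.101",
    "permit icmp host 10.1.3.101 host 192.168.2.4",
    "permit tcp any any eq www",
]
ACL_FIXED = ACL_ORIGINAL + ["permit tcp any eq 80 any"]

PORT_NAMES = {"www": 80}  # IOS keyword -> port number

def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D', then an optional 'eq PORT' that follows it."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]          # None means wildcard
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError("only 'any' and 'host' address specs are modelled")
    port = None
    if tokens and tokens[0] == "eq":             # 'eq' binds to the address just parsed
        port, tokens = int(PORT_NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return (addr, port), tokens

def parse_ace(line):
    """One extended ACE -> (action, proto, (src, sport), (dst, dport))."""
    action, proto, *rest = line.split()
    src, rest = _addr(rest)
    dst, rest = _addr(rest)
    return action, proto, src, dst

def ace_matches(ace, pkt):
    _, proto, (src, sport), (dst, dport) = ace
    return (proto == pkt["proto"]
            and src in (None, pkt["src"]) and dst in (None, pkt["dst"])
            and sport in (None, pkt.get("sport")) and dport in (None, pkt.get("dport")))

def vacl_action(acl_lines, pkt):
    """A VACL has no direction: every packet on the VLAN hits the map. With a single
    'action forward' clause, a permit match forwards; a deny match or no match at all
    (the map's implicit deny) drops the packet."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return "forward" if ace[0] == "permit" else "drop"
    return "drop"

# Constructed packets: Host A's HTTP SYN to the web server, and the server's reply.
HTTP_REQUEST = {"proto": "tcp", "src": "192.168.2.4", "dst": "10.1.1.7", "sport": 51234, "dport": 80}
HTTP_REPLY = {"proto": "tcp", "src": "10.1.1.7", "dst": "192.168.2.4", "sport": 80, "dport": 51234}
PING_REPLY = {"proto": "icmp", "src": "10.1.3.101", "dst": "192.168.2.4"}

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(name, "request:", vacl_action(acl, HTTP_REQUEST), "reply:", vacl_action(acl, HTTP_REPLY))
```

With the original ACL the request is forwarded but the reply is dropped, which is exactly the browser timeout in the question; the source-port line makes the reply match.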


2 Replies

Jon,

Thanks! That did the trick. For some reason I thought the eq statement always went on the end of the statement rather than after the host/network/any.
