Cisco Support Community
New Member

ACLs on CAT6500

I am getting strange results while applying ACLs on the Cat6500 VLANs. I am not able to understand the usage of and difference between IN/OUT, and whether they are used in the same manner.

Are Cat6500 ACLs similar to router IOS ACLs, or do they work differently?

A brief example of an ACL (in/out) across SVIs would be helpful.

Please assist.

Thanks.

Accepted Solution
Hall of Fame Super Silver

Re: ACLs on CAT6500

Hello Cisco_Lite,

Your ACL is just permitting HTTP traffic from host 10.5.5.10 to 192.168.1.10 on TCP port 80 (the server side is 192.168.1.10).

There is an implicit deny ip any any, so once you apply the ACL you cannot ping or telnet to a host in VLAN 10.

To do that you need to add:

permit tcp 10.5.5.0 0.0.0.255 eq 23 any

! telnet side on host

permit icmp 10.5.5.0 0.0.0.255 any

If you add these two lines you should be able to ping and to telnet to every host in VLAN 10.

In addition, only host 10.5.5.10 can access a web page, and only on host 192.168.1.10.

"in" means traffic entering the SVI from the user side, i.e. traffic received.

At layer 3 nothing changes compared with a normal routed port on a router.

Hope to help

Giuseppe

19 REPLIES
Purple

Re: ACLs on CAT6500

It's the same as any other interface: out means towards the user subnet, in means coming into the 6500 from the users.

Re: ACLs on CAT6500

Hi

This used to confuse me as well. But SVIs are no different from normal interfaces.

Take SVI 10 as an example:

interface Vlan10

ip address 10.0.0.1 255.255.255.0

ip access-group vlantest in

ip access-list extended vlantest

permit icmp 10.0.0.0 0.0.0.255 any

You can see that this ACL has been applied inbound, and when I ping from host 10.0.0.2 to any other IP address (172.16.0.1 in this case) you will see the hit count going up as below:

R0#sh ip access-lists

Extended IP access list vlantest

10 permit icmp 10.0.0.0 0.0.0.255 any (15 matches)

Hope that helps

New Member

Re: ACLs on CAT6500

I am still finding it difficult to grasp

interface Vlan10

ip address 10.5.5.2 255.255.255.0

ip access-group VLAN10ACL in

Extended IP access list VLAN10ACL

1 permit tcp host 10.5.5.10 host 192.168.1.10 eq www

Now when I ping/telnet from outside to a host in VLAN10, it fails. But when I remove 'ip access-group VLAN10ACL' from the interface or put in 'permit ip any any', it works.

Isn't my ping/telnet 'OUT' traffic, i.e. going to the VLAN10 subnet rather than 'IN'?

What is the reason ?

Scratching my head ...

New Member

Re: ACLs on CAT6500

Are there any ACL bugs in the Cat6500?

The CAT6500 version is:

Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Thu 24-Jul-08 19:18 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

Re: ACLs on CAT6500

Hi Cisco_lite

If you have a CCO login, you can check the bug track under the support section to see if that version of IOS has any issues.

Re: ACLs on CAT6500

You are right, it is going outbound, but it must go into the SVI first, right?

An SVI is just a virtual interface that you are sending the icmp echo request into first to be processed. The icmp echo reply is sent back 'out' to your host.

echo request

host (out)---> (in)VLAN10 -Routing process---> Fe1/0 (out)---> (in) end host

echo reply

end host (out)---> (in)Fe1/0 -Routing process--> VLAN10 (out)---> (in)host

Any clearer?

New Member

Re: ACLs on CAT6500

Do you mean that even though the traffic (ping) is initiated from one end only, the ACL will be applied in both directions, as in your example?

So, with my configuration, the ACL is checked twice i.e.

echo request (in) VLAN10 &

echo reply (out) VLAN10

Re: ACLs on CAT6500

Exactly.

If you want to see this in action, add a deny log entry to the end of the ACLs applied in both directions, then check your logging with the show log command (as long as you have logging enabled, that is). debug ip packet with the same ACLs will also be useful (unless you're using CEF switching, in which case your debug will show nothing unless the traffic is sourced from or destined for that router, or you have CEF disabled for that incoming interface).

New Member

Re: ACLs on CAT6500

So in your example, shouldn't it be:

echo reply

end host (IN)---> (in)Fe1/0 -Routing process--> VLAN10 (out)---> (OUT)host

Please note the difference in end hosts.

If I were to allow or block port 80 from outside, what would my ACLs look like

(i.e. both IN/OUT)

Lastly, if I define an IN ACL, do I also have to define an OUT ACL to avoid the default deny ip any any due to the presence of the IN ACL (which is what I am experiencing)? Meaning, would I always have to define IN/OUT to apply policies?

I have observed that if I were to open a port on IN then the same has to be opened on the OUT, but on the source port. And if I were to open a port on OUT then the same has to be opened on the IN, on the source port.

Please advise.

Thanks

Re: ACLs on CAT6500

Hi cisco_lite

Can you dump your config for me to look at?


New Member

Re: ACLs on CAT6500

I have applied the access-list to the SVI and the applications are now working. However, I can see some denied packets in the log. I have configured GLBP on the SVIs. Please advise what these packets on UDP ports 137, 138, 1985, 68, 67 etc. are.

Feb 27 16:34:29.890 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(42) -> 224.0.1.24(42), 1 packet

Feb 27 16:43:12.094 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.11(138) -> 192.168.10.255(138), 1 packet

Feb 27 16:44:12.122 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(138) -> 192.168.10.255(138), 1 packet

Feb 27 16:44:12.122 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.13(138) -> 192.168.10.255(138), 1 packet

Feb 27 16:45:12.150 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:46:12.179 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.12(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:46:12.179 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.14(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.3(1985) -> 224.0.0.2(1985), 122 packets

Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 19 packets

Feb 27 16:49:01.700 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(68) -> 255.255.255.255(67), 1 packet

Feb 27 16:49:12.264 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.13(138) -> 192.168.10.255(138), 1 packet

Hall of Fame Super Blue

Re: ACLs on CAT6500

137, 138 are Windows file sharing ports

1985 is HSRP, from recollection

67 & 68 are DHCP/BOOTP

Jon
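Added example, not from the thread or from Cisco: a Python triage helper that parses the %SEC-6-IPACCESSLOGP lines quoted above (copied in as constructed sample data), totals denied packets per destination port and labels the ports Jon identifies, so a newly applied SVI ACL can be checked for what it is silently dropping. Port 42 is left unclassified because the thread does not identify it; the GLBP port in the comment is a fact not stated in the thread.

```python
import re
from collections import Counter

# Constructed sample: copies of the %SEC-6-IPACCESSLOGP lines posted in the thread, not a live log.
SAMPLE_LOG = """\
Feb 27 16:34:29.890 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(42) -> 224.0.1.24(42), 1 packet
Feb 27 16:43:12.094 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.11(138) -> 192.168.10.255(138), 1 packet
Feb 27 16:45:12.150 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(137) -> 192.168.10.255(137), 1 packet
Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.3(1985) -> 224.0.0.2(1985), 122 packets
Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 19 packets
Feb 27 16:49:01.700 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(68) -> 255.255.255.255(67), 1 packet
"""

# The packet count is optional so that a line quoted without it (as later in the thread) still parses.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
    r"(?:, (?P<count>\d+) packets?)?")

# Destination ports named in the thread. GLBP itself uses UDP 3222 (not in this log); 42 is left unclassified.
KNOWN = {
    ("udp", 137): "NetBIOS name service (Windows file sharing)",
    ("udp", 138): "NetBIOS datagram (Windows file sharing)",
    ("udp", 1985): "HSRP",
    ("udp", 67): "DHCP/BOOTP server",
    ("udp", 68): "DHCP/BOOTP client",
}

def parse_log(text):
    """Yield one dict per IPACCESSLOGP line; IOS summarises repeats, so 'count' packets are represented."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["count"] = int(d["count"] or 1)
            yield d

def denied_by_service(text):
    """Total denied packets per (proto, dst port), labelled, to triage what a new SVI ACL is dropping."""
    totals = Counter()
    for e in parse_log(text):
        if e["action"] == "denied":
            totals[(e["proto"], e["dport"])] += e["count"]
    return {KNOWN.get(k, f"{k[0]}/{k[1]} (unclassified)"): n for k, n in totals.items()}
```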

New Member

Re: ACLs on CAT6500

Thanks.

My concern is 1985. I have only configured GLBP. Would blocking 1985 cause any problems?

New Member

Re: ACLs on CAT6500

I got the ACLs right on Cat6500 SVI, but it seems now I am messing it up again.

My understanding is that 'IN' means traffic coming from SVI subnet and 'OUT' means traffic going to SVI subnet.

I am experiencing the contrary on only one of my VLANs.

The Cat6500 has two SVIs: Vlan100 and Vlan200.

I have defined an ACL 'IN' on Vlan100 only. No ACL is defined for Vlan200.

I would like to SSH into the Vlan100 SVI IP from a host in Vlan200. I have added the rule below:

permit tcp host 100.0.0.1 eq 22 host 200.0.0.10 (i.e. return traffic)

However, the packets are denied with the following in the log

TCP denied 200.0.0.10(3388) -> 100.0.0.1 (22)

The above denied message seems to be for an 'OUT' type ACL only, since the source is the other subnet. I don't have any 'OUT' ACL on SVI/Vlan200. One thing which is noticeable is that 100.0.0.1 is the interface IP. Would interface IPs be treated differently with regard to ACLs?

Please assist.

Thanks.

Hall of Fame Super Blue

Re: ACLs on CAT6500

Can you post

1) vlan 10 interface config

2) vlan 20 interface config

3) access-list applied to vlan 10

4) line vty config

Jon

New Member

Re: ACLs on CAT6500

1)

interface Vlan100

ip address 100.0.0.1 255.255.255.0

ip access-group VLAN100IN in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

standby 100 ip 100.0.0.3

end

2)

interface Vlan200

! (Assigned to FWSM outside as well)

ip address 200.0.0.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip flow ingress

standby 200 ip 200.0.0.3

end

ip nat inside source list 100 interface Vlan100 overload

access-list 100 permit ip host 200.0.0.10 host 100.0.0.11

! (not SVI IP - some other host)

3)

ip access-list extended VLAN100IN

10 permit tcp host 100.0.0.1 eq 22 any

! (Source is SVI IP)

500 deny ip any any log

Upon SSH from 200.0.0.10 to 100.0.0.1 I get:

Mar 6 11:14:35.205 PST: %SEC-6-IPACCESSLOGP: list VLAN100IN denied tcp 200.0.0.10(3387) -> 100.0.0.1(22)

4)

line vty 0 4

access-class ssh in

exec-timeout 60 0

transport input ssh

line vty 5 15

access-class ssh in

exec-timeout 60 0

transport input ssh

ip access-list extended ssh

permit tcp host 200.0.0.10 any eq 22

Thanks.

Hall of Fame Super Silver

Re: ACLs on CAT6500

Hello Cisco_Lite,

What if you write ACL VLAN100IN as:

permit tcp any host 100.0.0.1 eq 22

From the point of view of SVI Vlan100 inbound, the SSH session is destined to 100.0.0.1, not sourced by

Hope to help

Giuseppe
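Added example, not from the thread or from Cisco: a small Python evaluator for IOS-style extended ACEs that replays the two cases discussed here against the posted ACLs: the accepted solution's ping/telnet reply being caught by the implicit deny on the inbound VLAN10 ACL, and the SSH SYN to 100.0.0.1 that the posted log shows VLAN100IN evaluating. Addresses and ports not in the posts (the 172.16.0.1 pinger, ephemeral source ports) are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed example (not Cisco code): replays the thread's ACL cases with a minimal IOS ACE matcher.
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22}
Pkt = namedtuple("Pkt", "proto src dst sport dport", defaults=(0, 0))
_ip = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> int

def _addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD); return (matcher, next index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        h = _ip(tok[i + 1])
        return (lambda ip: _ip(ip) == h), i + 2
    net, wc = _ip(tok[i]), _ip(tok[i + 1])  # wildcard mask: 1 bits are "don't care"
    return (lambda ip: (_ip(ip) | wc) == (net | wc)), i + 2

def _port(tok, i):
    """Consume an optional 'eq PORT' (number or IOS name); return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P]', tolerating a seq number and 'log'."""
    tok = line.split()
    tok = tok[1:] if tok[0].isdigit() else tok
    tok = tok[:-1] if tok[-1] == "log" else tok
    action, proto = tok[0], tok[1]
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    def match(p):
        return ((proto == "ip" or proto == p.proto) and src(p.src) and dst(p.dst)
                and sport in (None, p.sport) and dport in (None, p.dport))
    return action, match

def acl_permits(acl, pkt):
    """First matching ACE wins; an unmatched packet hits the implicit 'deny ip any any'."""
    for line in acl:
        action, match = parse_ace(line)
        if match(pkt):
            return action == "permit"
    return False

def svi_round_trip(in_acl, request):
    """Only an 'in' ACL on the SVI: the request into the VLAN is unfiltered, the reply is checked by 'in'."""
    reply = Pkt(request.proto, request.dst, request.src, request.dport, request.sport)
    return True, acl_permits(in_acl, reply)
```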

New Member

Re: ACLs on CAT6500

Yes, it works that way. But is it not deviating from the understanding that 'IN' means traffic 'FROM' the SVI subnet and not 'TO'? In that case, the source should always be on the ACL SVI subnet.

All my other VLAN ACL configurations work correctly only with IN being from the ACL SVI subnet.

Is it different because here we are dealing with access to the SVI IP and not a host within that SVI?
