Is it possible to insert ACL on CAT6500

balajirajahpb
Level 1

Dear All,

I have a CAT 6500 switch. Is it possible to include the ACL for the extended TEST access-list?

interface Vlan10
description [Test]
ip address 10.0.0.1 255.255.255.0
ip access-group TEST in
no ip redirects
no ip mroute-cache
ip ospf cost 1
ip ospf priority 25
standby 56 ip 10.0.0.2
standby 56 preempt

ip access-list extended TEST
permit ip any 172.16.20.0 0.0.0.255
deny   ip any any log

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Balaj Rajah Pb,

please note that if you have OSPF neighbors on Vlan 10, the proposed ACL will make it impossible to keep OSPF adjacencies up.

you also need to allow OSPF traffic with multicast destinations 224.0.0.5 and 224.0.0.6, or you are going to discard OSPF hello packets!

you need a line like

permit ospf 10.0.0.0 0.0.0.255 any

before last deny

Also, the same concept applies to HSRP, or you are going to discard HSRP messages from the other routers that are part of the HSRP group.

in this case we need to consider that HSRP uses UDP 1985 and 224.0.0.2 as the destination address, so you need another line like

permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985

>> The standby protocol runs on top of UDP, and uses port number 1985.
>> Packets are sent to multicast address 224.0.0.2 with TTL 1.

see
http://www.faqs.org/rfcs/rfc2281.html

so you need at least

ip access-list extended TEST
permit ospf 10.0.0.0 0.0.0.255 any
permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985
permit ip any 172.16.20.0 0.0.0.255
deny   ip any any log

Hope to help

Giuseppe

Hi giuslar,

I want to include the ACL without removing the access group applied to the VLAN. Will that be possible?

Regards

BR

Hello Balaji RajahPb,

>> I want to include the ACL without removing the access group applied to the VLAN. Will that be possible?

Do you mean that you would like to modify the ACL without removing the access-group in SVI configuration ?

this is possible but it is not recommended.

Also note that your proposed ACL can have a big impact on the network by denying OSPF and HSRP messages, as I noted in my previous post, so you may be disturbing your network if the ACL is already applied.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

balajirajahpb wrote:

Dear All,

I have a CAT 6500 switch. Is it possible to include the ACL for the extended TEST access-list?

interface Vlan10
description [Test]
ip address 10.0.0.1 255.255.255.0
ip access-group TEST in
no ip redirects
no ip mroute-cache
ip ospf cost 1
ip ospf priority 25
standby 56 ip 10.0.0.2
standby 56 preempt

ip access-list extended TEST
permit ip any 172.16.20.0 0.0.0.255
deny   ip any any log

It's not clear what you want to do. What do you mean by "insert ACL"? Do you mean insert a line into the ACL without having to remove it from the interface?

Jon

I mean insert a line into the ACL without having to remove it from the interface.

Regards

Balajirajah P B

Yes, you can, but it could be disruptive.

You can do a "show ip access-lists TEST" to reveal the sequence numbers. Then you can modify it by inserting a new sequence number, or removing an existing one.

Here's a guide on modifying an ACL by using sequence numbers.

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_refine_IP_al_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1027258

Dan
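The two points made in this thread, Giuseppe's control-plane permits for OSPF and HSRP and Dan's insertion of entries by sequence number, modelled together in an added example that is not from the thread, from Cisco, or from any of the posters. The script is a simplified offline model of IOS extended-ACL evaluation (first match wins, implicit deny at the end, entries added without a sequence number are appended in steps of 10); it supports only the any/host/wildcard address forms and the "eq" port operator, the sample packets are constructed, and the Packet, Ace and Acl names are this example's own. It goes beyond the posts in one respect: it also shows that the same OSPF permit appended without a sequence number lands behind "deny ip any any" and never matches. OSPF is IP protocol 89; HSRP, as quoted from RFC 2281 above, is UDP port 1985 to 224.0.0.2.

```python
"""Offline model of Cisco IOS extended-ACL semantics for the TEST ACL discussed in this
thread.  Added example, not from the thread; names and sample packets are constructed."""
import ipaddress
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17, "ospf": 89}  # 0 = "ip", any protocol
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=(None, None))
Ace = namedtuple("Ace", "seq text action proto src sport dst dport")  # src/dst = (base, wildcard)


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((base, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' (the only port operator this model supports)."""
    return (int(t[i + 1]), i + 2) if i < len(t) and t[i] == "eq" else (None, i)


def _in(addr: str, spec: Tuple[int, int]) -> bool:
    """Wildcard match: bits set in the wildcard are ignored, all other bits must equal the base."""
    base, wild = spec
    return ((_ip(addr) ^ base) & (~wild & 0xFFFFFFFF)) == 0


def parse_ace(seq: int, line: str) -> Ace:
    """Parse one 'permit|deny PROTO SRC [eq N] DST [eq N] [log]' entry; 'log' is ignored."""
    t = line.split()
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(seq, line, t[0], PROTO_NUM[t[1]], src, sport, dst, dport)


def matches(ace: Ace, p: Packet) -> bool:
    """IOS ACE match: protocol ('ip' matches all), optional eq ports, wildcard-masked addresses."""
    return ((ace.proto == 0 or ace.proto == p.proto)
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport)
            and _in(p.src, ace.src) and _in(p.dst, ace.dst))


class Acl:
    def __init__(self, name: str):
        self.name = name
        self.aces: List[Ace] = []

    def add(self, line: str, seq: Optional[int] = None) -> int:
        """Without seq, append 10 above the last entry as IOS does; with seq, insert in order."""
        if seq is None:
            seq = self.aces[-1].seq + 10 if self.aces else 10
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self.aces.append(parse_ace(seq, line))
        self.aces.sort(key=lambda a: a.seq)
        return seq

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First matching entry wins; no match falls through to the implicit deny (seq None)."""
        for ace in self.aces:
            if matches(ace, p):
                return ace.action, ace.seq
        return "deny", None

    def show(self) -> List[str]:
        return [f"{a.seq} {a.text}" for a in self.aces]


# Constructed sample traffic on the Vlan10 segment (10.0.0.0/24) from the thread
PACKETS: Dict[str, Packet] = {
    "ospf_hello": Packet("10.0.0.5", "224.0.0.5", PROTO_NUM["ospf"]),
    "hsrp_hello": Packet("10.0.0.5", "224.0.0.2", PROTO_NUM["udp"], 1985, 1985),
    "user_to_172_16_20": Packet("10.0.0.50", "172.16.20.10", PROTO_NUM["tcp"], 40000, 443),
    "user_to_elsewhere": Packet("10.0.0.50", "192.168.1.1", PROTO_NUM["tcp"], 40000, 22),
}


def original_acl() -> Acl:
    acl = Acl("TEST")
    acl.add("permit ip any 172.16.20.0 0.0.0.255")  # seq 10
    acl.add("deny ip any any log")  # seq 20
    return acl


def fixed_acl() -> Acl:
    """Giuseppe's permits inserted Dan's way: sequence numbers below 10, ahead of the deny."""
    acl = original_acl()
    acl.add("permit ospf 10.0.0.0 0.0.0.255 any", seq=5)
    acl.add("permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985", seq=6)
    return acl


def verdicts(acl: Acl) -> Dict[str, str]:
    return {name: acl.evaluate(p)[0] for name, p in PACKETS.items()}


if __name__ == "__main__":
    for build in (original_acl, fixed_acl):
        print(f"--- {build.__name__}", *build().show(), verdicts(build()), sep="\n")
```

On the switch the equivalent of fixed_acl() is to check the existing numbers with "show ip access-lists TEST", enter "ip access-list extended TEST", and type each new entry with its number, for example "5 permit ospf 10.0.0.0 0.0.0.255 any", which IOS places ahead of entry 10 while the ACL stays applied to the SVI. Running a model like this against the ACL you intend to apply is a cheap way to confirm that the first thing it denies is not your own OSPF adjacency or HSRP group.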
