New Member

Is it possible to insert ACL on CAT6500

Dear All,

I have a CAT 6500 switch. Is it possible to include the ACL for the extended TEST access-list?

interface Vlan10
description [Test]
ip address 10.0.0.1 255.255.255.0
ip access-group TEST in
no ip redirects
no ip mroute-cache
ip ospf cost 1
ip ospf priority 25
standby 56 ip 10.0.0.2
standby 56 preempt

ip access-list extended TEST
permit ip any 172.16.20.0 0.0.0.255
deny   ip any any log

6 REPLIES
Hall of Fame Super Silver

Re: Is it possible to insert ACL on CAT6500

Hello Balaj Rajah Pb,

Please note that if you have OSPF neighbors on Vlan 10, the proposed ACL will make it impossible to keep OSPF adjacencies up.

You also need to allow OSPF traffic with multicast destinations 224.0.0.5 and 224.0.0.6, or you are going to discard OSPF hello packets!

You need a line like

permit ospf 10.0.0.0 0.0.0.255 any

before the last deny.

The same concept also applies to HSRP, or you are going to discard HSRP messages from the other routers that are part of the HSRP group.

In this case we need to consider that HSRP uses UDP 1985 and 224.0.0.2 as destination address, so you need another line like

permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985

>> The standby protocol runs on top of UDP, and uses port number 1985. Packets are sent to multicast address 224.0.0.2 with TTL 1.

see
http://www.faqs.org/rfcs/rfc2281.html

So you need at least

ip access-list extended TEST
permit ospf 10.0.0.0 0.0.0.255 any
permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985
permit ip any 172.16.20.0 0.0.0.255
deny   ip any any log

Hope to help

Giuseppe

New Member

Re: Is it possible to insert ACL on CAT6500

Hi giuslar,

I want to include the ACL without removing the access group applied to the VLAN. Will that be possible?

Regards

BR

Hall of Fame Super Silver

Re: Is it possible to insert ACL on CAT6500

Hello Balaji RajahPb,

>> I want to include the ACL without removing the access group applied to the VLAN. Will that be possible?

Do you mean that you would like to modify the ACL without removing the access-group in the SVI configuration?

This is possible, but it is not recommended.

Also note that your proposed ACL can have a big impact on the network by denying OSPF and HSRP messages, as I noted in my previous post, so you may be disturbing your network if the ACL is already applied.

Hope to help

Giuseppe

Hall of Fame Super Blue

Re: Is it possible to insert ACL on CAT6500

balajirajahpb wrote:

Dear All,

I have a CAT 6500 switch. Is it possible to include the ACL for the extended TEST access-list?

interface Vlan10
description [Test]
ip address 10.0.0.1 255.255.255.0
ip access-group TEST in
no ip redirects
no ip mroute-cache
ip ospf cost 1
ip ospf priority 25
standby 56 ip 10.0.0.2
standby 56 preempt

ip access-list extended TEST
permit ip any 172.16.20.0 0.0.0.255
deny   ip any any log

It's not clear what you want to do. What do you mean by insert ACL? Do you mean insert a line into the ACL without having to remove it from the interface?

Jon

New Member

Re: Is it possible to insert ACL on CAT6500

I mean insert a line into the ACL without having to remove it from the interface.

Regards

Balajirajah P B

Bronze

Re: Is it possible to insert ACL on CAT6500

Yes, you can, but it could be disruptive.

You can do a "show ip access-lists TEST" to reveal the sequence numbers. Then you can modify it by inserting a new sequence number, or removing an existing one.

Here's a guide on modifying an ACL by using sequence numbers.

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_refine_IP_al_ps6017_TSD_Products_Configuration_Guide_Chapter.html#wp1027258

Dan
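As an added worked example (not from any of the posters), here is how the two answers in this thread combine on the switch: Giuseppe's OSPF and HSRP permits are inserted ahead of the final deny using the sequence numbers Dan describes, while `ip access-group TEST in` stays applied to Vlan10 the whole time. The hostname `Switch` is assumed; the sequence numbers 10 and 20 are what IOS assigns by default when none are given.

```cisco
! Assumed hostname "Switch"; existing entries carry the IOS default sequence numbers (10, 20, ...).
Switch# show ip access-lists TEST
Extended IP access list TEST
    10 permit ip any 172.16.20.0 0.0.0.255
    20 deny ip any any log

! Insert the protocol permits with sequence numbers lower than the deny (20),
! so they are evaluated first. The ACL remains applied to Vlan10 throughout.
Switch# configure terminal
Switch(config)# ip access-list extended TEST
! OSPF (IP protocol 89) from the VLAN subnet, covering 224.0.0.5/224.0.0.6 and unicast
Switch(config-ext-nacl)# 5 permit ospf 10.0.0.0 0.0.0.255 any
! HSRP: UDP port 1985 to 224.0.0.2 (RFC 2281)
Switch(config-ext-nacl)# 6 permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985
Switch(config-ext-nacl)# end

! Verify the order: the new entries precede the deny, which is still last.
Switch# show ip access-lists TEST
Extended IP access list TEST
    5 permit ospf 10.0.0.0 0.0.0.255 any
    6 permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985
    10 permit ip any 172.16.20.0 0.0.0.255
    20 deny ip any any log

! Optional: renumber in steps of 10 so there is room for future insertions.
Switch# configure terminal
Switch(config)# ip access-list resequence TEST 10 10
Switch(config)# end
Switch# show ip access-lists TEST
Extended IP access list TEST
    10 permit ospf 10.0.0.0 0.0.0.255 any
    20 permit udp 10.0.0.0 0.0.0.255 host 224.0.0.2 eq 1985
    30 permit ip any 172.16.20.0 0.0.0.255
    40 deny ip any any log
```

After a few hello intervals, re-run `show ip access-lists TEST` and confirm the OSPF and HSRP entries show match counts while the logged deny is not recording neighbor or standby traffic.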
