newbie frustration with acl on vlan interface

linnea.wren
Level 1

Hi,

I created a vlan, and want the vlan to be restricted in which other vlans it can communicate with.

Here's what I've done:

interface Vlan203
 ip address 10.10.203.2 255.255.255.0
 ip access-group 2035 in
 ip access-group 2036 out
 no ip redirects
 no ip proxy-arp
 standby 203 ip 10.10.203.1
 standby 203 priority 50
 standby 203 preempt
end

sh ip access-l 2035
Extended IP access list 2035
    10 permit ip host 10.10.203.5 host 10.10.17.25
    20 permit ip host 10.10.17.25 host 10.10.203.5
    30 permit icmp host 10.10.203.5 host 10.10.17.25
    40 permit icmp host 10.10.17.25 host 10.10.203.5
    50 deny ip any any (24 matches)

sh ip access-l 2036
Extended IP access list 2036
    10 permit ip host 10.10.203.5 host 10.10.17.25
    20 permit ip host 10.10.17.25 host 10.10.203.5
    30 permit icmp host 10.10.203.5 host 10.10.17.25
    40 permit icmp host 10.10.17.25 host 10.10.203.5
    50 deny ip any any

Subnets 10.10.203.0 & 10.10.17.0 are in the same vtp domain. They are routed in the core 6509s.

On a workstation with IP address 10.10.203.5 I ping 10.10.17.25.

The pings are successful, but no matches appear in the ACL.

If I change the ACL to deny ip any any, the pings from the workstation are no longer successful, which seems to mean the ACL is doing something.

But why are there no hits on the ACL when it's applied, it is configured to allow icmp, and there are successful pings?

PS - I know the ACLs are identical. I made them identical, but with different numbers, so when I do sh access-list I can differentiate between inbound and outbound matches, and maybe start to get a clue what's going on.

Not that it's done me any good so far...

:)

BTW - Is there any way in IOS to see an individual item listing of what matched? Would the matches get syslogged if syslogging was configured right?

TIA...

4 Replies

lgijssel
Level 9

You have done this more or less all right. I believe the issue that you have of not seeing hits on your ACLs is some kind of a bug.

Apparently you had problems determining the direction for the traffic. It helps to realize that ACL notation is always: source dest. My approach to this is that I use only one access-list in the config for this. Typically I am putting it on the least trusted interface. This will then only block incoming traffic, but the net effect of this is the same as using two access-lists.

You may use the keyword "log" on each line where you want the results in the syslog:

access-list 102 deny ip host 10.12.160.7 any log

Regards,

Leo
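Once `log` is on an ACE, the useful view is the sum of what the switch reported per flow, because IOS logs the first packet of a flow immediately and then only a "N packets" summary line at intervals (five minutes by default). The script below is an added example, not code from the thread or from Cisco: it parses the `%SEC-6-IPACCESSLOGP` (tcp/udp) and `%SEC-6-IPACCESSLOGDP` (icmp) messages the `log` keyword produces and totals them per list, action, protocol, source, destination and destination port. The sample log lines are constructed in the shape IOS uses; addresses and timestamps are invented.

```python
"""Summarise Cisco IOS ACL 'log' output per list, action and flow.

Added example; not from the thread or from any Cisco tool. The sample lines
are constructed in the shape IOS emits for the 'log' keyword on an extended
ACL: %SEC-6-IPACCESSLOGP for tcp/udp (ports in parentheses) and
%SEC-6-IPACCESSLOGDP for icmp (type/code in parentheses). IOS logs the first
packet of a flow at once and then a '<n> packets' summary line periodically,
so repeated lines have to be summed to see the real volume.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample in IOS message format (timestamps and addresses invented).
SAMPLE_LOG = """\
Mar  1 10:00:01.123: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.12.160.7(41022) -> 10.10.17.25(23), 1 packet
Mar  1 10:00:02.456: %SEC-6-IPACCESSLOGDP: list 2035 permitted icmp 10.10.203.5 -> 10.10.17.25 (8/0), 1 packet
Mar  1 10:05:02.789: %SEC-6-IPACCESSLOGDP: list 2035 permitted icmp 10.10.203.5 -> 10.10.17.25 (8/0), 4 packets
Mar  1 10:05:03.001: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.12.160.7(41023) -> 10.10.17.25(23), 1 packet
Mar  1 10:05:04.002: %SEC-6-IPACCESSLOGP: list 2035 denied udp 10.10.203.9(5353) -> 10.10.17.25(5353), 3 packets
Mar  1 10:05:05.003: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.1.4)
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)

# One key per (ACL, action, protocol, source, destination, destination port).
# Source ports are ephemeral and deliberately collapsed into one flow.
FlowKey = Tuple[str, str, str, str, str, Optional[str]]

def summarize(log_text: str) -> Dict[FlowKey, int]:
    """Sum the packet counts of every ACL log message, keyed by flow."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        key = (m["acl"], m["action"], m["proto"], m["src"], m["dst"], m["dport"])
        totals[key] += int(m["count"])
    return dict(totals)

def denied_flows(totals: Dict[FlowKey, int]) -> List[Tuple[FlowKey, int]]:
    """Denied flows, busiest first: what a logging deny line is actually catching."""
    return sorted(((k, n) for k, n in totals.items() if k[1] == "denied"),
                  key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for (acl, action, proto, src, dst, dport), n in denied_flows(summarize(SAMPLE_LOG)):
        port = f":{dport}" if dport else ""
        print(f"list {acl} {action} {proto} {src} -> {dst}{port}: {n} packets")
```

Feed it the output of `show logging` (or the syslog server's file) after a test run; the sorted denied list is the quickest way to see which legitimate flow an ACL is silently dropping.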

Hi,

I believe that this "strange" behaviour is NOT the result of a software bug.

6500 Series switches process as much traffic as possible in hardware. So you will never get any ACL statistics if the packet was processed this way.

But ACL denied traffic under certain conditions will be processed in software. This explains why you get only denied traffic logged.

You can read more about 6500 ACLs in

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

Be careful, by the way, with logging of matches: sometimes it can load the device's CPU too heavily...

//Mikhail Galiulin

linnea.wren
Level 1

thanks to you both - very helpful.

After reading some more, and experimenting with "log" for ACEs, I still have a question:

What other methods/tools do pros use to debug/evaluate/test ACLs?

Obviously one can do various things like ping attempts, telnet attempts, file share access attempts.

But I'm wondering if there aren't more systematic tools/procedures...

Anyone?

What you can do is add a last line to the ACL deny ip any any log

Then do some testing and you will see denied traffic to make sure that your ACL is working as you wished to.

Once done remove the last line so that it won't load the router or switch.
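A more systematic check than pinging is to evaluate the ACL offline with the same first-match semantics IOS uses, and to look for ACEs that an earlier line already covers. The script below is an added example, not code from the thread or from Cisco. It parses the poster's list 2035 exactly as `sh ip access-l` printed it, evaluates constructed flows against it, reports which access-group on the SVI (in or out) would see each packet, and flags shadowed lines: because `permit ip` on line 10 already covers ICMP between the two hosts, lines 30 and 40 can never be the first match and will never show a hit regardless of how the counters behave. The parser handles only the address forms used in the thread (`any`, `host A.B.C.D`, `A.B.C.D WILDCARD` with a contiguous wildcard); port operators and `log` are ignored, which is an assumption to keep in mind when reading the shadow report for ACLs that use ports.

```python
"""First-match evaluation of a Cisco IOS extended ACL, plus shadowed-ACE detection.

Added example; not part of the thread and not a Cisco tool. ACL_2035 is the
poster's list as printed by 'sh ip access-l'; the flows below are constructed.
Only 'permit|deny <proto> <src> <dst>' with 'any', 'host A.B.C.D' or
'A.B.C.D WILDCARD' is parsed; port operators and 'log' are ignored (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_2035 = """\
Extended IP access list 2035
    10 permit ip host 10.10.203.5 host 10.10.17.25
    20 permit ip host 10.10.17.25 host 10.10.203.5
    30 permit icmp host 10.10.203.5 host 10.10.17.25
    40 permit icmp host 10.10.17.25 host 10.10.203.5
    50 deny ip any any (24 matches)
"""

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s+\(\d+ matches\))?\s*$"
)

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" covers every IP protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS address spec and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # 'A.B.C.D WILDCARD': the wildcard is the inverted netmask (contiguous masks only)
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text: str) -> List[Ace]:
    """Parse 'show ip access-list' output into ordered ACEs; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        src, tokens = _parse_addr(tokens)
        dst, tokens = _parse_addr(tokens)
        aces.append(Ace(int(m["seq"]), m["action"], m["proto"], src, dst))
    return aces

def _covers(ace_proto: str, proto: str) -> bool:
    return ace_proto == "ip" or ace_proto == proto

def evaluate(aces: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """(action, seq) of the first matching ACE; (deny, None) is IOS's implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if _covers(ace.proto, proto) and s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None

def shadowed(aces: List[Ace]) -> List[Tuple[int, int]]:
    """(seq, earlier_seq) for ACEs an earlier ACE fully covers: they can never be first match."""
    out = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (_covers(earlier.proto, later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                out.append((later.seq, earlier.seq))
                break
    return out

def svi_direction(svi_subnet: str, src: str, dst: str) -> Optional[str]:
    """Which access-group on the SVI sees the packet: 'in' when it comes from the
    VLAN's own subnet, 'out' when it is routed onto that subnet, None otherwise."""
    net = ipaddress.IPv4Network(svi_subnet)
    if ipaddress.IPv4Address(src) in net:
        return "in"
    return "out" if ipaddress.IPv4Address(dst) in net else None

if __name__ == "__main__":
    acl = parse_acl(ACL_2035)
    for proto, src, dst in [("icmp", "10.10.203.5", "10.10.17.25"),
                            ("icmp", "10.10.17.25", "10.10.203.5"),
                            ("tcp", "10.10.203.5", "10.10.17.30")]:
        action, seq = evaluate(acl, proto, src, dst)
        line = seq if seq is not None else "implicit"
        print(f"{proto} {src} -> {dst}: {action} by line {line}, "
              f"{svi_direction('10.10.203.0/24', src, dst)} on Vlan203")
    for seq, by in shadowed(acl):
        print(f"line {seq} can never match: line {by} already covers that traffic")
```

Run it against the output of `show ip access-list` before applying a change; any shadowed line reported is either redundant or a sign that an earlier line is broader than intended, and the direction column settles which of the two access-groups a given test flow exercises.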

Hope I could help,

Regards,
