newbie frustration with acl on vlan interface

Hi,

I created a vlan, and want the vlan to be restricted in which other vlans it can communicate with.

Here's what I've done:

interface Vlan203
 ip address 10.10.203.2 255.255.255.0
 ip access-group 2035 in
 ip access-group 2036 out
 no ip redirects
 no ip proxy-arp
 standby 203 ip 10.10.203.1
 standby 203 priority 50
 standby 203 preempt
end

sh ip access-l 2035
Extended IP access list 2035
    10 permit ip host 10.10.203.5 host 10.10.17.25
    20 permit ip host 10.10.17.25 host 10.10.203.5
    30 permit icmp host 10.10.203.5 host 10.10.17.25
    40 permit icmp host 10.10.17.25 host 10.10.203.5
    50 deny ip any any (24 matches)

sh ip access-l 2036
Extended IP access list 2036
    10 permit ip host 10.10.203.5 host 10.10.17.25
    20 permit ip host 10.10.17.25 host 10.10.203.5
    30 permit icmp host 10.10.203.5 host 10.10.17.25
    40 permit icmp host 10.10.17.25 host 10.10.203.5
    50 deny ip any any

Subnets 10.10.203.0 and 10.10.17.0 are in the same VTP domain. They are routed in the core 6509s.

On a workstation with IP address 10.10.203.5 I ping 10.10.17.25.

The pings are successful, but no matches appear in the ACL.

If I change the ACL to deny ip any any, the pings from the workstation are no longer successful, which seems to mean the ACL is doing something.

But why are there no hits on the ACL when it's applied, it is configured to allow icmp, and there are successful pings?

PS - I know the ACLs are identical. I made them identical, but with different numbers, so when I do sh access-list I can differentiate between inbound and outbound matches, and maybe start to get a clue what's going on.

Not that it's done me any good so far...

:)

BTW - Is there any way in IOS to see an individual item listing of what matched? Would the matches get syslogged if syslogging was configured right?

TIA...

4 REPLIES

Re: newbie frustration with acl on vlan interface

You have done this more or less all right. I believe the issue that you have of not seeing hits on your ACLs is some kind of a bug.

Apparently you had problems determining the direction for the traffic. It helps to realize that ACL notation is always: source dest. My approach to this is to use only one access-list in the config for this. Typically I put it on the least trusted interface. This will then only block incoming traffic, but the net effect of this is the same as using two access-lists.

You may use the keyword "log" on each line where you want the results in the syslog:

access-list 102 deny ip host 10.12.160.7 any log

Regards,

Leo


Re: newbie frustration with acl on vlan interface

Hi,

I believe that this "strange" behaviour is NOT the result of a software bug.

6500 Series switches process as much traffic as possible in hardware. So you will never get any ACL statistics if the packet was processed this way.

But ACL-denied traffic under certain conditions will be processed in software. This explains why you get only denied traffic logged.

You can read more about 6500 ACLs in

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml

Be careful, by the way, with logging of matches; sometimes it can load the device's CPU too hard...

//Mikhail Galiulin


Re: newbie frustration with acl on vlan interface

Thanks to you both; very helpful.

After reading some more, and experimenting with "log" for ACEs, I still have a question:

What other methods/tools do pros use to debug/evaluate/test ACLs?

Obviously one can do various things like ping attempts, telnet attempts, file share access attempts.

But I'm wondering if there aren't more systematic tools/procedures...

Anyone?


Re: newbie frustration with acl on vlan interface

What you can do is add a last line to the ACL: deny ip any any log

Then do some testing and you will see the denied traffic, to make sure that your ACL is working as you wished.

Once done, remove the last line so that it won't load the router or switch.

Hope I could help,

Regards,
