
New Member

Problems getting ACLs to work on Cisco 6500 switch

I'm having what seems to be a pretty fundamental problem with ACLs on my switches. I was hoping someone could point me in the right direction. I'm running 6500s with HSRP and SVIs.

Basically, I can't get my ACLs to block the traffic I'm trying to block. I'm trying to limit telnet traffic to a couple of hosts and it's not working the way I expected. I apply the ACL using the interface config command, ip access-group 123 in.

I feel like I'm overlooking something obvious here. I tried troubleshooting using debug ip packet 123 detail. I even set up a similar environment on a test 3550 switch I have in my office and encountered the same result.

Could the problem have something to do with CEF and hardware switching? I thought the security ACLs were compiled into the TCAM. Does the switch need to punt to process switching in order to evaluate the ACLs?

ip access-list extended 123
 ! allowed telnet sources into the 172.16.1.128/27 range
 permit tcp host 172.16.15.63 172.16.1.130 0.0.0.31 eq telnet
 permit tcp host 172.16.15.37 172.16.1.130 0.0.0.31 eq telnet
 permit tcp host 172.16.15.68 172.16.1.130 0.0.0.31 eq telnet
 permit tcp host 172.16.15.35 172.16.1.130 0.0.0.31 eq telnet
 permit tcp host 172.16.15.4 172.16.1.130 0.0.0.31 eq telnet
 ! everyone else is blocked from telnet into that range
 deny tcp any 172.16.1.130 0.0.0.31 eq telnet
 ! all other traffic passes (overrides the implicit deny at the end)
 permit ip any any

1 ACCEPTED SOLUTION

Purple

Re: Problems getting ACLs to work on Cisco 6500 switch

This would have to be applied to the 172.16.15.X SVI for this to work. Just think of "in" as going from a user on the 172.16.15 out to the other subnet. "Out" would be going out from the other subnet to a user on the 172.16.15.x network, in which case your syntax would have to change.
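To make the accepted answer concrete, here is an added Python model (not Cisco code and not from the thread) of how an ACL applied on an SVI is only evaluated for traffic crossing that SVI in the chosen direction. It assumes VLAN 1 carries 172.16.1.0/24 (the telnet targets) and a second SVI carries 172.16.15.0/24 (the users); the packets are constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 in the wildcard are 'don't care'."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)

def acl_action(acl, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, proto, src, src_wc, dst, dst_wc, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], src, src_wc):
            continue
        if not wildcard_match(pkt["dst"], dst, dst_wc):
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        return action
    return "deny"

def evaluate(acl, svi_net, direction, pkt):
    """Verdict of an ACL applied <direction> on the SVI for svi_net, or
    'not evaluated' when the packet never crosses that SVI in that direction.
    'in' = enters the switch FROM a host on this VLAN; 'out' = leaves TOWARDS one."""
    host = pkt["src"] if direction == "in" else pkt["dst"]
    if ipaddress.IPv4Address(host) not in ipaddress.ip_network(svi_net):
        return "not evaluated"
    return acl_action(acl, pkt)

ANY = ("0.0.0.0", "255.255.255.255")
TELNET = 23
ACL_123 = [("permit", "tcp", h, "0.0.0.0", "172.16.1.130", "0.0.0.31", TELNET)
           for h in ("172.16.15.63", "172.16.15.37", "172.16.15.68",
                     "172.16.15.35", "172.16.15.4")]
ACL_123 += [("deny", "tcp", *ANY, "172.16.1.130", "0.0.0.31", TELNET),
            ("permit", "ip", *ANY, *ANY, None)]

# Assumed layout: VLAN 1 SVI = 172.16.1.0/24 (telnet targets), second SVI =
# 172.16.15.0/24 (users).  Constructed packets, not taken from the thread.
USERS_SVI, TARGET_SVI = "172.16.15.0/24", "172.16.1.0/24"
ROGUE_SYN = {"proto": "tcp", "src": "172.16.15.99", "dst": "172.16.1.130", "dport": TELNET}
OK_SYN = dict(ROGUE_SYN, src="172.16.15.63")

if __name__ == "__main__":
    print(evaluate(ACL_123, TARGET_SVI, "in", ROGUE_SYN))  # not evaluated: wrong SVI
    print(evaluate(ACL_123, USERS_SVI, "in", ROGUE_SYN))   # deny
```

Applied "in" on the users' SVI the deny entry fires, while "in" on the target VLAN's SVI never sees the telnet SYN at all, which matches the thread's symptom.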

4 REPLIES
Purple

Re: Problems getting ACLs to work on Cisco 6500 switch

How do you have it applied on the interfaces?

New Member

Re: Problems getting ACLs to work on Cisco 6500 switch

applied as:

ip access-group 123 in

Is the logic counter-intuitive? It seems like it may work if I change it to ip access-group 123 out. To me, it seems like we're evaluating traffic going IN to VLAN1. Am I missing something here?


New Member

Re: Problems getting ACLs to work on Cisco 6500 switch

Makes sense to me now. You have solved my problem. Thank you so much.

So, basically I need to look at it from the perspective of the switch rather than the traffic-flow perspective.

So, how do I award you points?
