03-09-2009 05:00 PM - edited 03-06-2019 04:29 AM
I am having a problem that does not make sense to me. I have a switch configured with a single VLAN (VLAN4) to which I tried to apply an ACL that will impact traffic coming from workstations in VLAN4.
Once I apply the ACL below, I can no longer telnet from a host that is sourcing from a remote office nor from the workstations in VLAN4.
ip access-list extended vlan4_traffic
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
 permit tcp any 10.80.2.0 0.0.0.255 eq 11141
 permit tcp any 10.80.2.0 0.0.0.255 eq 11110
 permit tcp any 10.80.2.0 0.0.0.255 eq 11001
 permit tcp any 10.80.2.0 0.0.0.255 eq 6010
 permit tcp any 10.80.2.0 0.0.0.255 eq 11167
 permit tcp any 10.80.2.0 0.0.0.255 eq 17777
 permit tcp any 10.80.2.0 0.0.0.255 eq 13183
 permit tcp any 10.80.2.0 0.0.0.255 eq 1433
 permit tcp any 10.80.2.0 0.0.0.255 eq 11025
 permit tcp any any eq 3389
 permit ip any host 10.80.2.18
 permit ip any host 10.80.2.22
 permit ip any 10.80.2.0 0.0.0.255
 permit ip any 10.80.3.0 0.0.0.255
 permit ip any 10.80.4.0 0.0.0.255
 permit icmp any any
 permit tcp any any established
 deny ip any 10.80.0.0 0.0.255.255
 deny ip any 10.64.0.0 0.0.255.255
 permit ip any any
!
int vlan 4
 ip address 10.64.4.254 255.255.255.0
 ip access-group vlan4_traffic in
I thought this ACL should affect incoming traffic from the 10.64.4.0/24 subnet only.
03-09-2009 05:07 PM
Hi
Can you just give us an example of the traffic flow, i.e. src IP, dst IP, dst port (guessing 23)? Also, add a log entry on your denies, then do a "show log" to see if they are blocking the traffic.
deny ip any 10.80.0.0 0.0.255.255 log
deny ip any 10.64.0.0 0.0.255.255 log
03-09-2009 05:21 PM
Hi Adam,
Yes, I already added log to the ACL, which adds to my confusion. In any case, I am trying to telnet from 10.64.148.108 to 10.64.4.54 to no avail once the ACL is applied to VLAN4.
Traffic from VLAN4 should only be allowed for what is on the ACL.
denied tcp 10.64.148.108(2020) -> 10.64.4.254(23), 1 packet
03-09-2009 05:27 PM
Hi
So, this line is denying the flow:
deny ip any 10.64.0.0 0.0.255.255
Add this before the denies:
permit tcp any 10.64.4.0 0.0.0.255 eq 23 10.64.0.0 0.0.255.255
Not sure why it's ignoring your line:
permit tcp any any established
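Added worked example (mine, not part of the thread): a small Python first-match evaluator for IOS extended ACL syntax, run against the flow in the log line above (10.64.148.108:2020 -> 10.64.4.254:23). It assumes the ACL is transcribed as posted (with the obvious "10.80.0.0.0" typo corrected to "10.80.0.0"), that the logged packet is the initial SYN of the telnet session, and the IOS semantics of "established", which matches only TCP segments carrying the ACK or RST bit. Function and variable names (parse_acl, evaluate, logged_flow, ACES) are my own, and the model deliberately omits IOS features the posted ACL does not use (port ranges, gt/lt, fragments, object groups).

```python
"""Constructed first-match evaluator for the posted IOS extended ACL (example code,
not from the thread): top-down first match, implicit deny, wildcard masks, 'eq'
port tests, and 'established' (ACK or RST set)."""
import ipaddress
from collections import namedtuple

NAMED_PORTS = {"bootps": 67, "bootpc": 68, "telnet": 23}

# The ACL as posted in the thread (transcribed; "10.80.0.0.0" typo corrected).
VLAN4_TRAFFIC = """ip access-list extended vlan4_traffic
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
 permit tcp any 10.80.2.0 0.0.0.255 eq 11141
 permit tcp any 10.80.2.0 0.0.0.255 eq 11110
 permit tcp any 10.80.2.0 0.0.0.255 eq 11001
 permit tcp any 10.80.2.0 0.0.0.255 eq 6010
 permit tcp any 10.80.2.0 0.0.0.255 eq 11167
 permit tcp any 10.80.2.0 0.0.0.255 eq 17777
 permit tcp any 10.80.2.0 0.0.0.255 eq 13183
 permit tcp any 10.80.2.0 0.0.0.255 eq 1433
 permit tcp any 10.80.2.0 0.0.0.255 eq 11025
 permit tcp any any eq 3389
 permit ip any host 10.80.2.18
 permit ip any host 10.80.2.22
 permit ip any 10.80.2.0 0.0.0.255
 permit ip any 10.80.3.0 0.0.0.255
 permit ip any 10.80.4.0 0.0.0.255
 permit icmp any any
 permit tcp any any established
 deny ip any 10.80.0.0 0.0.255.255
 deny ip any 10.64.0.0 0.0.255.255
 permit ip any any"""

# One access-control entry: src/dst are (address, wildcard) as 32-bit ints.
Ace = namedtuple("Ace", "action proto src sport dst dport established text")


def _addr(tok):
    """Consume one address spec (any | host A | A WILDCARD); return ((addr, wc), rest)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (int(ipaddress.IPv4Address(tok[1])), 0), tok[2:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]


def _port(tok):
    """Consume an optional 'eq PORT' (numeric or named); return (port or None, rest)."""
    if tok[:1] == ["eq"]:
        return (int(tok[1]) if tok[1].isdigit() else NAMED_PORTS[tok[1]]), tok[2:]
    return None, tok


def parse_acl(text):
    """Parse 'permit'/'deny' lines in order; the 'ip access-list' header is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] not in ("permit", "deny"):
            continue
        src, rest = _addr(tok[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport, "established" in rest, line.strip()))
    return aces


def _in(spec, ip):
    addr, wc = spec                      # wildcard bit set to 1 means "don't care"
    return (int(ipaddress.IPv4Address(ip)) & ~wc) == (addr & ~wc)


def evaluate(aces, proto, src, dst, sport=None, dport=None, flags=frozenset()):
    """Walk the ACL top-down; return (action, text of the ACE that decided it)."""
    for a in aces:
        if a.proto not in ("ip", proto) or not _in(a.src, src) or not _in(a.dst, dst):
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        if a.established and not ({"ACK", "RST"} & set(flags)):
            continue                     # a bare SYN never matches 'established'
        return a.action, a.text
    return "deny", "(implicit deny ip any any)"


ACES = parse_acl(VLAN4_TRAFFIC)


def logged_flow(flags):
    """The flow from the thread's log line: 10.64.148.108:2020 -> 10.64.4.254:23."""
    return evaluate(ACES, "tcp", "10.64.148.108", "10.64.4.254", 2020, 23, flags)


if __name__ == "__main__":
    print("SYN only :", logged_flow({"SYN"}))         # ('deny', 'deny ip any 10.64.0.0 0.0.255.255')
    print("with ACK :", logged_flow({"SYN", "ACK"}))  # ('permit', 'permit tcp any any established')
```

Running it shows why the "established" line is not being ignored: the first packet of the telnet session carries only SYN, so that entry cannot match it, and the next entry that does match is the deny for 10.64.0.0/16, which is exactly the line the switch logged. Later segments of the same session (ACK set) would be permitted by "established"; it is only the session setup in this direction that the ACL blocks.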
03-09-2009 05:36 PM
Hi Adam,
I thought of that, but the problem is that we have remote locations all starting with 10.64.
The ACL shouldn't have any effect on outside incoming traffic, as it "SHOULD" only apply to incoming VLAN4 traffic.
03-09-2009 05:41 PM
What platform is this on, mate?
03-09-2009 05:47 PM
Here it is, my friend.
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3560G-48TS 12.2(46)SE C3560-IPBASEK9-M
03-09-2009 05:52 PM
Odd. Can you apply a "permit ip any any log" inbound, then view the logs? It's almost as if it's doing the in/out the wrong way around :-s
03-09-2009 05:57 PM
You read my mind, for that is what I just did. I also changed a line to use log on it to see. The outcome is more confusing. The "permit ip any any log" does show some traffic, but the line
permit tcp any host 10.200.32.170 eq 11025 log does not show anything. I applied that ACL as "out" rather than "in".
03-09-2009 06:03 PM
Try this one:
permit ip host 10.64.4.54 host 10.64.148.108 log
permit ip any any
Then apply the ACL inbound, telnet from 10.64.4.54 to 10.64.148.108 and see if you get a hit, then flip it.
03-09-2009 06:27 PM
Only when I used "permit ip host 10.64.148.108 host 10.64.4.54" and assigned it "in" does it work. So, it seems as though the ACL should be applied using "out" on this VLAN. It doesn't make sense to me.
03-09-2009 06:32 PM
Nor me. Why would the 3560 be different to all the other Cats when it comes to VLAN ACLs? I wonder if it's a code issue. I have some 3560s I can test with at the office; I will have a go tomorrow.
03-10-2009 01:00 PM
When applying the ACL using the "out" option, it does not seem to have any effect, because I don't see any hit counts and some traffic that should be denied seems to pass through.
03-10-2009 03:26 PM
Etienne
When you change the way that you apply the access list from in to out, you have a very significant change about what is the source address and what is the destination address. Did you re-write the access list when you changed its direction?
Perhaps it would help us if we could see a more complete config. Could you post the config (especially including not only the interface and access list, but also any routing information and the config of the vty lines)?
HTH
Rick
03-10-2009 03:33 PM
Etienne
In re-reading this thread another question occurs to me. Where is the traffic from 10.64.148.108 coming from? How does that traffic get to your switch? Which interface does it arrive on? If we could see the complete config then perhaps we could figure this out.
HTH
Rick