Bronze

VLAN Access-list (access-group Traffic in/out)

I am having a problem that does not make sense to me. I have a switch configured with a single VLAN (VLAN4) to which I tried to apply an ACL that will impact traffic coming from workstations in VLAN4.

Once I apply the ACL below, I can no longer telnet from a host that is sourcing from a remote office, nor from the workstations in VLAN4.

ip access-list extended vlan4_traffic
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit ip host 10.64.4.19 10.80.0.0 0.0.255.255
 permit tcp any 10.80.2.0 0.0.0.255 eq 11141
 permit tcp any 10.80.2.0 0.0.0.255 eq 11110
 permit tcp any 10.80.2.0 0.0.0.255 eq 11001
 permit tcp any 10.80.2.0 0.0.0.255 eq 6010
 permit tcp any 10.80.2.0 0.0.0.255 eq 11167
 permit tcp any 10.80.2.0 0.0.0.255 eq 17777
 permit tcp any 10.80.2.0 0.0.0.255 eq 13183
 permit tcp any 10.80.2.0 0.0.0.255 eq 1433
 permit tcp any 10.80.2.0 0.0.0.255 eq 11025
 permit tcp any any eq 3389
 permit ip any host 10.80.2.18
 permit ip any host 10.80.2.22
 permit ip any 10.80.2.0 0.0.0.255
 permit ip any 10.80.3.0 0.0.0.255
 permit ip any 10.80.4.0 0.0.0.255
 permit icmp any any
 permit tcp any any established
 deny ip any 10.80.0.0 0.0.255.255
 deny ip any 10.64.0.0 0.0.255.255
 permit ip any any

int vlan 4
 ip address 10.64.4.254 255.255.255.0
 ip access-group vlan4_traffic in

I thought this ACL should affect incoming traffic from the 10.64.4.0/24 subnet only.

18 REPLIES

Re: VLAN Access-list (access-group Traffic in/out)

Hi

Can you just give us an example of traffic flow, i.e. src IP, dst IP, dst port (guessing 23)? Also, on your denies add a log entry, then do "show log" to see if they are blocking the traffic.

deny ip any 10.80.0.0 0.0.255.255 log
deny ip any 10.64.0.0 0.0.255.255 log

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

Hi Adam,

Yes, I already added log to the ACL, which adds to my confusion. In any case, I am trying to telnet from 10.64.148.108 to 10.64.4.54, to no avail once the ACL is applied to VLAN4.

Traffic from vlan4 should be allowed for what it is on the acl only.

denied tcp 10.64.148.108(2020) -> 10.64.4.254(23), 1 packet

Re: VLAN Access-list (access-group Traffic in/out)

Hi

So, this line is denying the flow :-

deny ip any 10.64.0.0 0.0.255.255

Add this before the denies:

permit tcp any 10.64.4.0 0.0.0.255 eq 23 10.64.0.0 0.0.255.255

Not sure why it's ignoring your line:

permit tcp any any established

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

Hi Adam,

I thought of that, but the problem is that we have remote locations all starting with that 10.64.

The ACL shouldn't have any effect on outside incoming traffic, as it "SHOULD" only apply to incoming VLAN4 traffic.

Re: VLAN Access-list (access-group Traffic in/out)

What platform is this on, mate?

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

Here it is my friend.

Switch Ports Model          SW Version  SW Image
------ ----- -----          ----------  ----------
*    1 52    WS-C3560G-48TS 12.2(46)SE  C3560-IPBASEK9-M

Re: VLAN Access-list (access-group Traffic in/out)

Odd. Can you apply a "permit ip any any log" inbound, then view the logs? It's almost as if it's doing the in/out the wrong way around :-s

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

You read my mind, for that is what I just did. I also changed a line to use log on it to see. The outcome is more confusing. The "permit ip any any log" does show some traffic, but the line "permit tcp any host 10.200.32.170 eq 11025 log" does not show anything. I applied that ACL as "out" rather than "in".

Re: VLAN Access-list (access-group Traffic in/out)

Try this one :-

permit ip host 10.64.4.54 host 10.64.148.108 log
permit ip any any

Then apply the ACL inbound, telnet from 10.64.4.54 to 10.64.148.108 and see if you get a hit, then flip it.

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

Only when I used "permit ip host 10.64.148.108 host 10.64.4.54" and assigned it "in" does it work. So, it seems as though the ACL should be applied using "out" on this VLAN. It doesn't make sense to me.

Re: VLAN Access-list (access-group Traffic in/out)

Nor me. Why would the 3560 be different from all the other Cats when it comes to VLAN ACLs? I wonder if it's a code issue. I have some 3560s I can test with at the office; I will have a go tomoz.

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

When applying the ACL using the "out" option, it does not seem to have any effect, because I don't see any hit counts and some traffic that should be denied seems to pass through.

Hall of Fame Super Silver

Re: VLAN Access-list (access-group Traffic in/out)

Etienne

When you change the way that you apply the access list from in to out, you have a very significant change about what is the source address and what is the destination address. Did you re-write the access list when you changed its direction?

Perhaps it would help us if we could see a more complete config. Could you post the config (especially including not only the interface and access list, but also any routing information and the config of the vty lines)?

HTH

Rick

Hall of Fame Super Silver

Re: VLAN Access-list (access-group Traffic in/out)

Etienne

In re-reading this thread another question occurs to me. Where is the traffic from 10.64.148.108 coming from? How does that traffic get to your switch? Which interface does it arrive on? If we could see the complete config then perhaps we could figure this out.

HTH

Rick

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

Hi Rick,

The traffic comes via a router that is connected to port 47 (see below) on the switch. I don't manage that router. There is a static route on the switch for that traffic (see below).

interface GigabitEthernet0/47
 description Unmanaged Router
 switchport access vlan 45
 switchport mode access
 load-interval 30
 speed 100
 duplex full

ip route 0.0.0.0 0.0.0.0 10.64.4.1
ip route 10.64.148.0 255.255.255.0 10.64.4.10
ip route 10.80.0.0 255.255.0.0 10.64.4.10

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

I had a typo, but this and the ACL are pretty much the relevant lines of the config.

interface GigabitEthernet0/47
 description Unmanaged Router
 switchport access vlan 4
 switchport mode access
 load-interval 30
 speed 100
 duplex full

ip route 0.0.0.0 0.0.0.0 10.64.4.1
ip route 10.64.148.0 255.255.255.0 10.64.4.10
ip route 10.80.0.0 255.255.0.0 10.64.4.1

line vty 0 4
 exec-timeout 45 0
 login local

Hall of Fame Super Silver

Re: VLAN Access-list (access-group Traffic in/out)

Etienne

The additional information is quite helpful. It confirms that your attempt to telnet is coming in on VLAN 4.

If you look carefully at the access list there are no statements that specify 10.64.148.0 as a source address. The first statement in the access list which would apply to this traffic from 10.64.148.0 to 10.64.4.254 is this line:

deny ip any 10.64.0.0 0.0.255.255

which clearly denies your attempt to telnet. If you want telnet to work you need to insert a line in the access list which permits the traffic and which comes before this line:

deny ip any 10.64.0.0 0.0.255.255

HTH

Rick
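To make that first-match walk concrete, here is an added example that is not part of the thread: a small Python evaluator for the subset of Cisco extended-ACL syntax used above (any/host/wildcard addresses, eq PORT, established), with the poster's ACL embedded and the 10.80.0.0.0 typo read as 10.80.0.0. The flow it is meant for is the logged one, tcp 10.64.148.108(2020) -> 10.64.4.254(23), modelled with the ACK bit clear as a new telnet connection's first packet would be.

```python
from ipaddress import IPv4Address
# Added example, not from the thread: first-match evaluation for the subset of Cisco extended-ACL
# syntax used above (any/host/wildcard, eq PORT, established). VLAN4_ACL is the ACL the poster
# applied inbound on Vlan4, with the 10.80.0.0.0 typo read as 10.80.0.0.
VLAN4_ACL = ["permit udp any any eq bootps", "permit udp any any eq bootpc",
             "permit ip host 10.64.4.19 10.80.0.0 0.0.255.255"]
VLAN4_ACL += [f"permit tcp any 10.80.2.0 0.0.0.255 eq {p}"
              for p in (11141, 11110, 11001, 6010, 11167, 17777, 13183, 1433, 11025)]
VLAN4_ACL += ["permit tcp any any eq 3389", "permit ip any host 10.80.2.18",
              "permit ip any host 10.80.2.22", "permit ip any 10.80.2.0 0.0.0.255",
              "permit ip any 10.80.3.0 0.0.0.255", "permit ip any 10.80.4.0 0.0.0.255",
              "permit icmp any any", "permit tcp any any established",
              "deny ip any 10.80.0.0 0.0.255.255", "deny ip any 10.64.0.0 0.0.255.255",
              "permit ip any any"]
PORT_NAMES = {"bootps": 67, "bootpc": 68, "telnet": 23}

def _addr(t, i):  # 'any' | 'host A' | 'A WILDCARD' at t[i]  ->  ((net, wildcard), next index)
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def parse_ace(line):
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "sport": None, "dport": None, "established": "established" in t}
    ace["src"], i = _addr(t, 2)
    if t[i:i + 1] == ["eq"]:  # optional source port
        ace["sport"], i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    ace["dst"], i = _addr(t, i)
    if t[i:i + 1] == ["eq"]:  # optional destination port
        ace["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return ace

def matches(ace, flow):  # flow keys: proto, src, dst, optional sport/dport, ack (TCP ACK bit set)
    if ace["proto"] != "ip" and ace["proto"] != flow["proto"]:
        return False
    for key in ("src", "dst"):  # a set bit in the wildcard mask is a don't-care bit
        net, wc = ace[key]
        if (int(IPv4Address(flow[key])) | wc) != (net | wc):
            return False
    if any(ace[k] is not None and ace[k] != flow.get(k) for k in ("sport", "dport")):
        return False
    return not ace["established"] or flow.get("ack", False)

def first_match(acl, flow):  # (1-based entry number, text) of the first matching ACE, else implicit deny
    for n, line in enumerate(acl, 1):
        if matches(parse_ace(line), flow):
            return n, line
    return len(acl) + 1, "implicit deny ip any any"
```

For the logged SYN, first_match(VLAN4_ACL, flow) stops at entry 22, the "deny ip any 10.64.0.0 0.0.255.255" line; the same flow with the ACK bit set stops at entry 20 ("permit tcp any any established"), which is why only new connections, not already-established sessions, are dropped.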

Bronze

Re: VLAN Access-list (access-group Traffic in/out)

Hi Rick,

My goal is to restrict workstations within VLAN4 going out to some specific servers and ports and not to restrict access in from outside the switch.

Thanks much,
