01-12-2004 04:50 PM - edited 03-02-2019 12:50 PM
Greetings!
I'm having trouble with the named extended ACLs I created and applied to my five VLAN interfaces. Once testing began I realized they're allowing access to certain resources that should be denied. If there is no match in an ACL, isn't there an implicit deny at the end?
I've read through a lot of Cisco docs on ACLs but additional docs/links/info are appreciated.
Thanks, SG
01-12-2004 09:52 PM
You are quite correct. There is an implicit deny all added at the end of an access list.
01-13-2004 08:50 AM
Greetings,
All of my named extended ACLs are applied to VLAN interfaces (inbound) and their behavior is confusing.
The IT ACL is referenced from the other two ACLs below.
ip access-list extended IT
permit ip any any
permit tcp any any established
With the Registration ACL if I ping a 10.0.6.0 address that is not listed I get a destination network unreachable which is what I would expect.
ip access-list extended REGISTRATION
permit tcp any any established
permit icmp 10.0.11.0 0.0.0.255 any echo-reply
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.19
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.20
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.24
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.23
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.21
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.17
permit ip 10.0.11.0 0.0.0.255 host 10.0.6.43
permit ip 10.0.11.0 0.0.0.255 10.0.7.0 0.0.0.255
permit ip 10.0.11.0 0.0.0.255 10.0.8.0 0.0.0.255
permit ip 10.0.11.0 0.0.0.255 10.0.9.0 0.0.0.255
permit ip 10.0.11.0 0.0.0.255 10.0.10.0 0.0.0.255
With the Student ACL, if I ping a 10.0.6.0 address that is not listed I get a reply, which is not what I would expect. Since there is no match for, say, 10.0.6.55 and there is an implicit deny at the end, why would I get a reply, whereas on the above Registration ACL it works as expected by denying the reply?
ip access-list extended STUDENT
permit tcp any any established
permit icmp 10.0.9.0 0.0.0.255 any echo-reply
permit icmp 10.0.10.0 0.0.0.255 any echo-reply
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.19
permit ip 10.0.10.0 0.0.0.255 host 10.0.6.19
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.20
permit ip 10.0.10.0 0.0.0.255 host 10.0.6.20
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.24
permit ip 10.0.10.0 0.0.0.255 host 10.0.6.24
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.25
permit ip 10.0.10.0 0.0.0.255 host 10.0.6.25
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.17
permit ip 10.0.10.0 0.0.0.255 host 10.0.6.17
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.43
permit ip 10.0.10.0 0.0.0.255 host 10.0.6.43
I put in the permit icmp statement to allow pings back to the IT vlan for troubleshooting.
Thanks for your help. SG
01-13-2004 11:22 AM
Where is this ACL applied in regard to the source and destination pairs in your ACL? Because you are allowing echo-reply to any host:
permit icmp 10.0.9.0 0.0.0.255 any echo-reply
permit icmp 10.0.10.0 0.0.0.255 any echo-reply
Whereas you are not in the other ACL. Depending on the traffic flow and the placement of the ACL, this will allow pings through.
01-13-2004 04:17 PM
My objective is NOT to place restrictions on the IT VLAN, to allow for troubleshooting, testing connectivity, etc. I want to allow pings through to the IT VLAN, just echo replies.
Below is an example of how I applied the ACLs to the VLAN interfaces...
interface Vlan10
description VLAN 10 - IT
ip address 10.0.6.1 255.255.255.0
ip access-group IT in
ip helper-address X.X.X.X
interface Vlan30
description VLAN 30 - Students
ip address 10.0.10.1 255.255.255.0 secondary
ip address 10.0.9.1 255.255.255.0
ip access-group STUDENTS in
ip helper-address X.X.X.X
ip helper-address X.X.X.X
ip helper-address X.X.X.X
!
interface Vlan40
description VLAN 40 - Registration
ip address 10.0.11.1 255.255.255.0
ip access-group REGISTRATION in
ip helper-address X.X.X.X
Thanks, SG
01-13-2004 04:31 PM
On the VLAN30 interface you have 'ip access-group STUDENTS in', but the access-list per your prior message is called 'STUDENT'. If it's really configured this way (rather than being just a typo in your message), it would explain the behavior you're seeing.
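To make the accepted answer concrete, here is an added example in Python (not code from the thread or from Cisco) that models first-match ACL evaluation with the implicit deny at the end, plus the IOS behaviour that an `ip access-group` referencing an undefined ACL name filters nothing. The ACL excerpt and the test packets are constructed from the thread's STUDENT list; the `check` function is a hypothetical stand-in for the interface lookup.

```python
import ipaddress
def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr_spec(tokens):
    # One ACL address spec: 'any', 'host A', or 'A WILDCARD' -> (base, wildcard), rest
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _matches(base, wild, addr):
    # Cisco wildcard mask: a 1 bit means "don't care", so OR it into both sides.
    return (_ip(addr) | wild) == (base | wild)

def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST [qualifier]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # ignore blanks and the 'ip access-list extended NAME' header
        src, rest = _addr_spec(t[2:])
        dst, rest = _addr_spec(rest)
        aces.append((t[0], t[1], src, dst, rest[0] if rest else None))
    return aces

def evaluate(acl, pkt):
    """First matching ACE wins; falling off the end hits the implicit deny."""
    for action, proto, src, dst, qual in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (_matches(*src, pkt["src"]) and _matches(*dst, pkt["dst"])):
            continue
        if qual is not None and qual != pkt.get("qual"):
            continue
        return action
    return "deny"

# Constructed excerpt of the thread's STUDENT ACL, keyed by its configured name.
ACLS = {"STUDENT": parse_acl("""
permit tcp any any established
permit icmp 10.0.9.0 0.0.0.255 any echo-reply
permit ip 10.0.9.0 0.0.0.255 host 10.0.6.19
""")}

def check(access_group, pkt):
    """Simulate 'ip access-group NAME in': IOS applies no filtering when NAME is undefined."""
    return "permit" if access_group not in ACLS else evaluate(ACLS[access_group], pkt)
```

`check("STUDENT", ...)` denies an echo request from 10.0.9.5 to the unlisted 10.0.6.55, while `check("STUDENTS", ...)` with the misspelled name permits it, which is exactly the symptom described in the thread.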
01-13-2004 05:02 PM
Thanks for your reply. I've been staring at this config for so long I didn't even see that. You were right on and now it works like expected.
Thank you, SG