3550-48-EMI ACLS applied to VLAN interfaces

sgasporra
Level 1

Greetings!

I'm having trouble with the named extended ACLs I created and applied to my five VLAN interfaces. Once testing began I realized they're allowing access to certain resources that should be denied. If there is no match in an ACL, isn't there an implicit deny at the end?

I've read through a lot of Cisco docs on ACLs but additional docs/links/info are appreciated.

Thanks, SG

1 Accepted Solution


On the VLAN30 interface you have 'ip access-group STUDENTS in', but the access-list per your prior message is called 'STUDENT'. If it's really configured this way (rather than being just a typo in your message), it would explain the behavior you're seeing.


7 Replies

rsissons
Level 5

You are quite correct. There is an implicit deny all added at the end of an access list.

Greetings,

All of my named extended ACLs are applied to VLAN interfaces (inbound) and their behavior is confusing.

The IT ACL is referenced from the other two ACLs below.

ip access-list extended IT
 permit ip any any
 permit tcp any any established

With the Registration ACL if I ping a 10.0.6.0 address that is not listed I get a destination network unreachable which is what I would expect.

ip access-list extended REGISTRATION
 permit tcp any any established
 permit icmp 10.0.11.0 0.0.0.255 any echo-reply
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.19
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.20
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.24
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.23
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.21
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.17
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.43
 permit ip 10.0.11.0 0.0.0.255 10.0.7.0 0.0.0.255
 permit ip 10.0.11.0 0.0.0.255 10.0.8.0 0.0.0.255
 permit ip 10.0.11.0 0.0.0.255 10.0.9.0 0.0.0.255
 permit ip 10.0.11.0 0.0.0.255 10.0.10.0 0.0.0.255

With the Student ACL, if I ping a 10.0.6.0 address that is not listed I get a reply, which is not what I would expect. Since there is no match for, say, 10.0.6.55 and there is an implicit deny at the end, why would I get a reply, whereas on the above Registration ACL it works as expected by denying the reply?

ip access-list extended STUDENT
 permit tcp any any established
 permit icmp 10.0.9.0 0.0.0.255 any echo-reply
 permit icmp 10.0.10.0 0.0.0.255 any echo-reply
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.19
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.19
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.20
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.20
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.24
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.24
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.25
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.25
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.17
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.17
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.43
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.43

I put in the permit icmp statement to allow pings back to the IT vlan for troubleshooting.

Thanks for your help. SG

Where is this ACL applied in regard to the source and destination pairs in your ACL? Because you are allowing echo reply to any host:

 permit icmp 10.0.9.0 0.0.0.255 any echo-reply
 permit icmp 10.0.10.0 0.0.0.255 any echo-reply

Whereas you are not in the other ACL. Depending on the traffic flow and the placement of the ACL, this will allow pings through.

My objective is NOT to place restrictions on the IT VLAN, to allow for troubleshooting, testing connectivity etc. I want to allow pings through to the IT VLAN, just echo replies.

Below is an example of how I applied the ACLs to the VLAN interfaces...

interface Vlan10
 description VLAN 10 - IT
 ip address 10.0.6.1 255.255.255.0
 ip access-group IT in
 ip helper-address X.X.X.X
!
interface Vlan30
 description VLAN 30 - Students
 ip address 10.0.10.1 255.255.255.0 secondary
 ip address 10.0.9.1 255.255.255.0
 ip access-group STUDENTS in
 ip helper-address X.X.X.X
 ip helper-address X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan40
 description VLAN 40 - Registration
 ip address 10.0.11.1 255.255.255.0
 ip access-group REGISTRATION in
 ip helper-address X.X.X.X

Thanks, SG

On the VLAN30 interface you have 'ip access-group STUDENTS in', but the access-list per your prior message is called 'STUDENT'. If it's really configured this way (rather than being just a typo in your message), it would explain the behavior you're seeing.
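The failure mode behind this answer is worth checking for mechanically: on IOS, an `ip access-group` that names an ACL which does not exist applies no filtering at all, so the implicit deny is never reached. Below is an added example (not from the thread or from Cisco) that parses a config fragment constructed from the snippets above, flags interfaces whose inbound access-group is undefined, and evaluates a packet against the STUDENT list with first-match semantics and the implicit deny at the end.

```python
import ipaddress
import re
# Constructed from the thread's snippets; Vlan30 names STUDENTS, ACL is STUDENT.
CONFIG = """\
ip access-list extended STUDENT
 permit tcp any any established
 permit icmp 10.0.9.0 0.0.0.255 any echo-reply
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.19
interface Vlan30
 ip access-group STUDENTS in
"""
def parse(config):
    """Return ({acl_name: [entry tokens]}, {interface: inbound ACL name})."""
    acls, groups, acl, iface = {}, {}, None, None
    for line in config.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            acl, iface = m.group(1), None
            acls.setdefault(acl, [])
        elif m := re.match(r"interface (\S+)", line):
            iface, acl = m.group(1), None
        elif m := re.match(r" ip access-group (\S+) in", line):
            groups[iface] = m.group(1)
        elif acl and line.startswith(" "):
            acls[acl].append(line.split())
    return acls, groups

def undefined_acl_refs(config):
    """Interfaces whose inbound access-group names an ACL that is never defined."""
    acls, groups = parse(config)
    return {i: n for i, n in groups.items() if n not in acls}

def _addr_match(tokens, addr):
    """Consume one address spec (any | host A | NET WILDCARD) -> (rest, hit)."""
    if tokens[0] == "any":
        return tokens[1:], True
    if tokens[0] == "host":
        return tokens[2:], addr == tokens[1]
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return tokens[2:], (int(ipaddress.IPv4Address(addr)) | wild) == (net | wild)

def evaluate(entries, proto, src, dst, opt=None):
    """First match wins; a trailing keyword must equal opt; else implicit deny."""
    for action, ent_proto, *rest in entries:
        if ent_proto not in (proto, "ip"):
            continue
        rest, src_hit = _addr_match(rest, src)
        rest, dst_hit = _addr_match(rest, dst)
        if src_hit and dst_hit and (not rest or rest[0] == opt):
            return action
    return "deny"
```

Run against the real config the same check would have reported Vlan30 -> STUDENTS; the evaluator also shows that an echo request from 10.0.9.x to an unlisted IT host is denied while an echo reply is permitted, which is the intended behaviour.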

Thanks for your reply. I've been staring at this config for so long I didn't even see that. You were right on and now it works like expected.

Thank you, SG
