
New Member

3550-48-EMI ACLS applied to VLAN interfaces

Greetings!

I'm having trouble with the named extended ACLs I created and applied to my five VLAN interfaces. Once testing began I realized they're allowing access to certain resources that should be denied. If there is no match in an ACL, isn't there an implicit deny at the end?

I've read through a lot of Cisco docs on ACLs but additional docs/links/info are appreciated.

Thanks, SG

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: 3550-48-EMI ACLS applied to VLAN interfaces

On the VLAN30 interface you have 'ip access-group STUDENTS in', but the access-list per your prior message is called 'STUDENT'. If it's really configured this way (rather than being just a typo in your message), it would explain the behavior you're seeing.

7 REPLIES
Bronze

Re: 3550-48-EMI ACLS applied to VLAN interfaces

You are quite correct. There is an implicit deny all added at the end of an access list.

New Member

Re: 3550-48-EMI ACLS applied to VLAN interfaces

Greetings,

All of my named extended ACLs are applied to VLAN interfaces (inbound) and their behavior is confusing.

The IT ACL is referenced from the other two ACLs below.

ip access-list extended IT
 permit ip any any
 permit tcp any any established

With the Registration ACL if I ping a 10.0.6.0 address that is not listed I get a destination network unreachable which is what I would expect.

ip access-list extended REGISTRATION
 permit tcp any any established
 permit icmp 10.0.11.0 0.0.0.255 any echo-reply
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.19
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.20
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.24
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.23
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.21
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.17
 permit ip 10.0.11.0 0.0.0.255 host 10.0.6.43
 permit ip 10.0.11.0 0.0.0.255 10.0.7.0 0.0.0.255
 permit ip 10.0.11.0 0.0.0.255 10.0.8.0 0.0.0.255
 permit ip 10.0.11.0 0.0.0.255 10.0.9.0 0.0.0.255
 permit ip 10.0.11.0 0.0.0.255 10.0.10.0 0.0.0.255

With the Student ACL, if I ping a 10.0.6.0 address that is not listed I get a reply, which is not what I would expect. Since there is no match for, say, 10.0.6.55 and there is an implicit deny at the end, why would I get a reply, whereas on the above Registration ACL it works as expected by denying the reply?

ip access-list extended STUDENT
 permit tcp any any established
 permit icmp 10.0.9.0 0.0.0.255 any echo-reply
 permit icmp 10.0.10.0 0.0.0.255 any echo-reply
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.19
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.19
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.20
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.20
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.24
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.24
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.25
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.25
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.17
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.17
 permit ip 10.0.9.0 0.0.0.255 host 10.0.6.43
 permit ip 10.0.10.0 0.0.0.255 host 10.0.6.43

I put in the permit icmp statement to allow pings back to the IT vlan for troubleshooting.

Thanks for your help. SG

New Member

Re: 3550-48-EMI ACLS applied to VLAN interfaces

Where is this ACL applied in regard to the source and destination pairs in your ACL? Because you are allowing echo-reply to any host.

 permit icmp 10.0.9.0 0.0.0.255 any echo-reply
 permit icmp 10.0.10.0 0.0.0.255 any echo-reply

Whereas you are not in the other ACL. Depending on the traffic flow and the placement of the ACL, this will allow pings through.

New Member

Re: 3550-48-EMI ACLS applied to VLAN interfaces

My objective is NOT to place restrictions on the IT VLAN, to allow for troubleshooting, testing connectivity, etc. I want to allow pings through to the IT VLAN, just echo replies.

Below is an example of how I applied the ACLs to the VLAN interfaces...

interface Vlan10
 description VLAN 10 - IT
 ip address 10.0.6.1 255.255.255.0
 ip access-group IT in
 ip helper-address X.X.X.X
!
interface Vlan30
 description VLAN 30 - Students
 ip address 10.0.10.1 255.255.255.0 secondary
 ip address 10.0.9.1 255.255.255.0
 ip access-group STUDENTS in
 ip helper-address X.X.X.X
 ip helper-address X.X.X.X
 ip helper-address X.X.X.X
!
interface Vlan40
 description VLAN 40 - Registration
 ip address 10.0.11.1 255.255.255.0
 ip access-group REGISTRATION in
 ip helper-address X.X.X.X

Thanks, SG

Bronze

Re: 3550-48-EMI ACLS applied to VLAN interfaces

On the VLAN30 interface you have 'ip access-group STUDENTS in', but the access-list per your prior message is called 'STUDENT'. If it's really configured this way (rather than being just a typo in your message), it would explain the behavior you're seeing.
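As an added illustration (not the poster's config or any Cisco code), the following Python model walks a named extended ACL top to bottom with the implicit deny at the end, and adds the check the accepted answer points at: an ip access-group that names an ACL which does not exist filters nothing, so the interface behaves as if no ACL were applied. The ACL entries are a constructed excerpt of the STUDENT list above; the bindings reproduce the STUDENTS typo; the TCP 'established' qualifier is not modelled.

```python
import ipaddress

# Constructed excerpt of the thread's STUDENT ACL and the interface bindings (typo included).
ACLS = {
    "STUDENT": [
        "permit icmp 10.0.9.0 0.0.0.255 any echo-reply",
        "permit ip 10.0.9.0 0.0.0.255 host 10.0.6.19",
    ],
}
BINDINGS = {"Vlan30": "STUDENTS", "Vlan40": "REGISTRATION"}  # Vlan30 typo as posted


def _take_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return (None, 0), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]


def _spec_matches(spec, addr):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    base, wild = spec
    if base is None:
        return True
    mask = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (base & mask)


def evaluate(acl, proto, src, dst, icmp_type=None):
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in acl:
        action, ace_proto, rest = ace.split()[0], ace.split()[1], ace.split()[2:]
        if ace_proto not in ("ip", proto):
            continue
        src_spec, rest = _take_spec(rest)
        dst_spec, rest = _take_spec(rest)
        if not (_spec_matches(src_spec, src) and _spec_matches(dst_spec, dst)):
            continue
        if ace_proto == "icmp" and rest and rest[0] != icmp_type:
            continue  # e.g. an echo-reply ACE does not match an outbound echo
        return action
    return "deny"


def interface_verdict(acls, bindings, ifname, proto, src, dst, icmp_type=None):
    """IOS behaviour: an access-group naming an undefined ACL filters nothing."""
    name = bindings.get(ifname)
    if name is None or name not in acls:
        return "permit"
    return evaluate(acls[name], proto, src, dst, icmp_type)


def undefined_acl_refs(acls, bindings):
    """Config lint: interfaces whose access-group names an ACL that is not defined."""
    return {ifname: name for ifname, name in bindings.items() if name not in acls}
```

Running the lint over the real config (for example by parsing 'show running-config' output into the two dictionaries) surfaces the STUDENTS/STUDENT mismatch before testing does.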

New Member

Re: 3550-48-EMI ACLS applied to VLAN interfaces

Thanks for your reply. I've been staring at this config for so long I didn't even see that. You were right on and now it works like expected.

Thank you, SG
