
New Member

Sup 720 ignoring ACLs

Has anyone seen this problem?

6 REPLIES
Silver

Re: Sup 720 ignoring ACLs

Is it an access-group or CAR? If it is CAR, you may need to use MQC to see matches.

Re: Sup 720 ignoring ACLs

Hi,

Yes, of course a Sup720 will ignore access-lists - when you do not apply them anywhere!

Can you please post more details?

Regards

Martin

New Member

Re: Sup 720 ignoring ACLs

OK, more details, and yes, the ACL is applied to the interface :)

interface Vlan200
 description my network
 ip address 10.blah 255.255.255.0
 ip access-group 167 out

First line of the ACL: access-list 167 deny tcp any any eq telnet log-input

Telnet to all hosts on VLAN 200 works from other subnets.

Put in a deny at the top for my host: deny ip host myhost any

All traffic from my host is permitted.

Re: Sup 720 ignoring ACLs

Hi,

This seems to be a problem of direction.

Did you try

access-list 167 deny tcp any eq telnet any

instead?

If your telnet is from outside to the VLAN and your access-list is outbound then the port 23 is seen in the source and not destination part.

Did this help? Then please rate it.

Martin

New Member

Re: Sup 720 ignoring ACLs

I think you are trying to deny telnet from coming into his hosts sitting on VLAN 200. You would need this if blocking telnet *from* VLAN 200:

interface Vlan200
 description my network
 ip address 10.blah 255.255.255.0
 ip access-group 167 out

access-list 167 deny tcp any eq telnet any log-input

If you want to block telnet from coming *into* VLAN 200, then you would need this:

interface Vlan200
 description my network
 ip address 10.blah 255.255.255.0
 ip access-group 167 in

access-list 167 deny tcp any any eq telnet log-input

Hope this helps

Ricky Boyd

www.hypernetworks.net
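The thread turns on which packets an ACL applied "in" or "out" on an SVI actually sees. The following Python model is an added example, not code from any poster or from Cisco; it assumes the usual IOS semantics (first match wins with an implicit deny at the end, "in" filters packets arriving from the VLAN's own hosts, "out" filters packets the switch forwards onto the VLAN) and uses constructed addresses and flows in place of the redacted ones above.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import List

TELNET = 23
Packet = namedtuple("Packet", "src dst sport dport")
# One access-list entry: action src [eq sport] dst [eq dport]; "any" matches any
# address and a port of None means no "eq" clause, i.e. any port.
Ace = namedtuple("Ace", "action src_net sport dst_net dport")

def _in_net(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for a in acl:
        if (_in_net(a.src_net, p.src) and _in_net(a.dst_net, p.dst)
                and a.sport in (None, p.sport) and a.dport in (None, p.dport)):
            return a.action
    return "deny"

def svi_filter(p: Packet, vlan_net: str, in_acl=None, out_acl=None) -> str:
    """'in' filters packets arriving from hosts on the VLAN; 'out' filters
    packets the switch forwards onto the VLAN toward those hosts."""
    if ip_address(p.src) in ip_network(vlan_net):
        acl = in_acl
    elif ip_address(p.dst) in ip_network(vlan_net):
        acl = out_acl
    else:
        return "not forwarded via this SVI"
    return "permit" if acl is None else evaluate(acl, p)

# Constructed: the poster's entry (deny tcp any any eq telnet) followed by a
# permit-all, and the port-swapped variant (deny tcp any eq telnet any).
PERMIT_ALL = Ace("permit", "any", None, "any", None)
ACL_DST23 = [Ace("deny", "any", None, "any", TELNET), PERMIT_ALL]
ACL_SRC23 = [Ace("deny", "any", TELNET, "any", None), PERMIT_ALL]
VLAN200 = "10.200.0.0/24"  # constructed stand-in for "10.blah 255.255.255.0"
# Constructed flows: telnet into VLAN 200 with its reply, then telnet out of it.
FLOWS = (Packet("10.1.1.5", "10.200.0.10", 40000, TELNET),  # outside -> VLAN 200
         Packet("10.200.0.10", "10.1.1.5", TELNET, 40000),  # its reply
         Packet("10.200.0.10", "10.1.1.5", 40001, TELNET),  # VLAN 200 -> outside
         Packet("10.1.1.5", "10.200.0.10", TELNET, 40001))  # its reply

def verdicts(out_acl: List[Ace]) -> tuple:
    """Verdict per flow with out_acl applied 'out' on Vlan200 and no 'in' ACL."""
    return tuple(svi_filter(p, VLAN200, out_acl=out_acl) for p in FLOWS)

if __name__ == "__main__":
    print(verdicts(ACL_DST23), verdicts(ACL_SRC23))
```

Under these semantics the outbound list with `eq telnet` on the destination stops the telnet attempt into VLAN 200, while the port-swapped list instead stops the reply to a telnet session started from VLAN 200.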

New Member

Re: Sup 720 ignoring ACLs

Curiously enough the ACL works as intended for traffic from other vlans on the same switch.

Inbound traffic sourced from outside this network, i.e. over the WAN, enters this VLAN with apparently no filtering. Glad this is a lab environment.
