WRVS4400N - ACL rule(s) causing sever slowdown?

johnmay
Level 1

Hi there,

I have a DSL line at work that we use to test external services provided to external users on our primary Internet circuit (Citrix, web applications, etc.). Because this DSL line is for testing only, we want to lock it down so the only destinations allowed through the firewall are our own IP spaces.

I purchased a WRVS4400N for this purpose, thinking I could use the IP based ACL list to create these restrictions.  However, every time I try to create an ACL, the internet slows to a crawl, and many sites don't come up at all.  This occurs even if the ACL rule I add is a simple "allow any any" rule similar to the default rules.

Is this a known issue, or am I configuring something incorrectly?  Here's an example of a rule I'm using (IP not real):

Action  Service       Source Interface  Source  Destination               Time      Day
Allow   All Protocol  LAN               ANY     1.2.3.0/255.255.255.240*  Any Time  Every Day

I also get the problem with a simple allow from a single IP (mine) to any destination, without any other rules enabled.

Any ideas on what I'm doing wrong, or is there something wrong with the implementation of the ACL ruleset on these routers?

Thanks in advance,

John       

5 Replies

jasbryan
Level 6

John,

WRVS4400N only allows for WAN to LAN or LAN to WAN ACLs; IP ACLs don't allow for LAN to LAN restrictions. So, that being said, you are specifying to allow all protocols from source LAN (any LAN source) outbound to 1.2.3.0/255.255.255.240 any time every day. By default all outbound traffic is allowed, so unless you have a deny statement you don't need this rule. Also make sure you're running the latest firmware for this unit.

What is the local address of the WRVS4400N?

What are you trying to deny or restrict?

Jasbryan

Hi Jasbryan,

Thanks for the reply.  I apologize for the lack of clarity in my explanation - I was trying to be brief.

I'm trying to restrict clients on the LAN interface from accessing any IPs on the WAN interface except for the IP ranges we own, which are in a different location on different ISPs.  There is a DENY ALL ALL statement at the end of the ACL list.  The ACL I listed in my original post was a single example of several ACL entries for the various IP ranges we own that we want to test from.  So, it ends up looking something like this:

Action  Service       Source Interface  Source  Destination                  Time      Day
Allow   All Protocol  LAN               ANY     1.2.3.0/255.255.255.240*     Any Time  Every Day
Allow   All Protocol  LAN               ANY     4.5.6.0/255.255.255.240*     Any Time  Every Day
Allow   All Protocol  LAN               ANY     7.8.9.0/255.255.255.240*     Any Time  Every Day
Allow   All Protocol  LAN               ANY     11.12.13.0/255.255.255.240*  Any Time  Every Day
Deny    All Protocol  ANY               ANY     ANY                          Any Time  Every Day

Again, the IPs are made up, and are just for illustration.

The problem occurs in that whenever there are *any* created ACL rules in place and enabled, the connection slows so much as to be unusable to most sites.  This even occurs if I were to disable the above and only enable a *single* rule, something like this:

Action  Service       Source Interface  Source           Destination  Time      Day
Allow   All Protocol  LAN               192.168.200.100  ANY          Any Time  Every Day

This single rule should allow my PC (which has been statically assigned the 192.168.200.100 address) full access to the Internet; however, I see extreme slowdowns which make the system unusable.  I realize the rule is redundant when none of the other rules are in place, but I'm using it to illustrate my point that enabling the ACL filtering seems to cause a significant slowdown on the system.

I am running the latest version of firmware available on Cisco's website, 2.0.2.1.

When you say "local address of the WRVS4400N", are you referring to the LAN interface address, or the WAN interface address?  The local LAN address is 192.168.200.1.

Hope that provides a more thorough explanation.  Thanks for the help!

John
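A small first-match evaluator, added here as an example and not part of the thread or the router's firmware, that reproduces John's rule list so the intended allow/deny outcome for a given LAN source and WAN destination can be checked before the rules are loaded onto the device. It assumes the top-down, first-match evaluation with default outbound allow that Jasbryan describes, and uses the dotted-mask notation and made-up addresses from John's posts.

```python
import ipaddress
from typing import List, Optional, Tuple

# Each rule is (action, source, destination); "ANY" matches everything.
# Networks use the router's "address/dotted-mask" notation from the thread.
Rule = Tuple[str, str, str]


def parse_target(spec: str) -> Optional[ipaddress.IPv4Network]:
    """Turn 'ANY', a bare host, or 'addr/dotted-mask' into a network (None = any)."""
    if spec.upper() == "ANY":
        return None
    # ipaddress accepts dotted masks: 1.2.3.0/255.255.255.240 -> 1.2.3.0/28
    return ipaddress.IPv4Network(spec, strict=False)


def first_match(rules: List[Rule], src: str, dst: str) -> str:
    """Evaluate rules top-down; the first rule matching both ends wins.
    Falls back to 'allow' because outbound traffic is allowed by default."""
    s = ipaddress.IPv4Address(src)
    d = ipaddress.IPv4Address(dst)
    for action, rule_src, rule_dst in rules:
        src_net = parse_target(rule_src)
        dst_net = parse_target(rule_dst)
        if (src_net is None or s in src_net) and (dst_net is None or d in dst_net):
            return action.lower()
    return "allow"


def covered_hosts(spec: str) -> int:
    """How many addresses a rule's destination actually spans (a /28 is only 16)."""
    net = parse_target(spec)
    return net.num_addresses if net else 2 ** 32


# Constructed rule set mirroring the thread; the IPs are the thread's made-up examples.
LAN_RULES: List[Rule] = [
    ("Allow", "ANY", "1.2.3.0/255.255.255.240"),
    ("Allow", "ANY", "4.5.6.0/255.255.255.240"),
    ("Allow", "ANY", "7.8.9.0/255.255.255.240"),
    ("Allow", "ANY", "11.12.13.0/255.255.255.240"),
    ("Deny", "ANY", "ANY"),
]

if __name__ == "__main__":
    for dst in ("1.2.3.5", "1.2.3.20", "8.8.8.8"):
        print(dst, first_match(LAN_RULES, "192.168.200.100", dst))
```

Note that 1.2.3.20 is denied: the 255.255.255.240 mask covers only 1.2.3.0 through 1.2.3.15, which is worth confirming against the real address blocks before blaming the router.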

Bumping the thread to see if anyone has any additional feedback, as I'm still having the issue.  Thanks!

John,

I would get more specific on my rules and not use ANY besides on your Destination. Other than that you'll need to call into the support center so we can take a look at your setup and start troubleshooting. We'll probably have to lab up your configuration and find out the possible cause of your problem.

Jasbryan

Thanks, Jasbryan.  I'll contact the support center.

John
