Problem with application of ACL in sw 6513

carolinac
Level 1

Hello

When I apply an extended or named ACL to an SVI.

The SVI manages the 168.176.200.0/23 segment and the ACL is applied in the inbound direction.

access-list 150 permit tcp 168.176.0.0 0.0.255.255 host 168.176.200.13 eq 22
access-list 150 permit udp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq 177
access-list 150 permit tcp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq 80
access-list 150 permit ip any any

When I try to make an SSH connection from 168.176.146.215 to 168.176.200.13 it doesn't match anything.

10 permit tcp 168.176.0.0 0.0.255.255 host 168.176.200.13 eq 22
20 permit udp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq xdmcp
30 permit tcp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq www
40 permit ip any any (368 matches)

Thank you

7 Replies

Jon Marshall
Hall of Fame

Are you sure that you are going in on that interface? Because it is all virtualised you may not be going in on that SVI - it depends on your network topology.

Try applying the acl in the outbound direction on that SVI instead of the inbound direction.

HTH

I have a different line of reasoning from Jon but I reach the same conclusion that he does: the access list should be applied outbound not inbound.

The access list is defining 168.176.200.13 as the destination address. If the access list is being applied on the interface where 168.176.200.13 is located and the address is the destination then the access list must be outbound.

When applying access lists on an SVI remember this about directions: an inbound access list is for client traffic to the switch and an outbound access list is for switch to client. So if the client address is the destination it must be switch to client and must be outbound access list.

HTH

Rick

Sorry Rick, I think our reasoning was pretty much the same, just that you explained it so much better :-)

I have applied it outbound, but it doesn't match anything. Why?

Maria

Given your description of the environment and the access list that you posted I think that it should have matched when applied outbound. If it is not matching then I would ask that you post the interface configuration and the output of show access list. Also can you confirm that 168.176.146.215 is the source and that 168.176.200.13 is the destination of the SSH.

HTH

Rick

Hi,

It is a 6513 switch running IOS 12.2.

interface Vlan200
 ip address 168.176.200.1 255.255.254.0
 ip access-group 150 out
 no ip route-cache
end

C6513#sh access-lists 150
Extended IP access list 150
    10 permit tcp 168.176.0.0 0.0.255.255 host 168.176.200.13 eq 22
    20 permit udp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq xdmcp
    30 permit tcp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq www
    40 permit ip any any (94781 matches)

Source: 168.176.146.215

Destination: 168.176.200.13

When I make an SSH connection it doesn't match anything in that ACL.

Packets dropped via ACL in PFC hardware won't increment access-list 'match' counters. Only packets being sent to software for switching will. More information:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00801609f6.html
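As an added example (not code from the thread or from Cisco), the small Python evaluator below applies access-list 150 as posted above under the direction rule Rick described for SVIs, and shows why the SSH flow from 168.176.146.215 to 168.176.200.13 hits entry 10 only when the list is outbound on Vlan200, while inbound the forward packets are never seen and only the return traffic hits entry 40. The one-subnet direction model and the minimal ACE parser are simplifying assumptions made here; hardware-switched packets that bypass the counters (the last reply) are not modelled.

```python
import ipaddress

PORT_NAMES = {"xdmcp": 177, "www": 80}  # names IOS shows in place of these numbers
ACL_150 = [  # access list 150 exactly as posted in the thread
    "10 permit tcp 168.176.0.0 0.0.255.255 host 168.176.200.13 eq 22",
    "20 permit udp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq xdmcp",
    "30 permit tcp 168.176.146.0 0.0.0.255 host 168.176.200.13 eq www",
    "40 permit ip any any",
]
SVI_SUBNET = ipaddress.ip_network("168.176.200.0/23")  # interface Vlan200 (assumed model)

def _addr_spec(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.ip_address(tokens.pop(0))), 0)
    return (int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tokens.pop(0))))

def parse_ace(line):
    """Parse 'SEQ permit|deny PROTO SRC DST [eq PORT]' into its fields."""
    tokens = line.split()
    seq, action, proto, rest = int(tokens[0]), tokens[1], tokens[2], tokens[3:]
    src, dst = _addr_spec(rest), _addr_spec(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return seq, action, proto, src, dst, dport

def _wc_match(addr, spec):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def first_match(acl_lines, proto, src_ip, dst_ip, dport):
    """Top-down evaluation: sequence number of the first ACE matched, else 'implicit deny'."""
    s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    for line in acl_lines:
        seq, _action, aproto, asrc, adst, adport = parse_ace(line)
        if (aproto in ("ip", proto) and _wc_match(s, asrc) and _wc_match(d, adst)
                and (adport is None or adport == dport)):
            return seq
    return "implicit deny"

def svi_match(acl_lines, direction, proto, src_ip, dst_ip, dport):
    """SVI rule from the thread: 'in' sees only packets sourced in the VLAN, 'out' only
    packets destined to it. Returns None when the packet never reaches this ACL."""
    key_ip = src_ip if direction == "in" else dst_ip
    if ipaddress.ip_address(key_ip) not in SVI_SUBNET:
        return None
    return first_match(acl_lines, proto, src_ip, dst_ip, dport)
```

The counter values in the thread are consistent with this: inbound, only the return half of the SSH session is visible, so only entry 40 counts.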