ACL Troubleshooting

dc12132 (Level 1)

Hello All,

 

I have little to no experience with ACLs, and have a task I am trying to complete.

 

I have two networks that I am looking to segment, VLANs 229 and 230. Here are the interface configurations on my router:
interface GigabitEthernet0/0/0.229
encapsulation dot1Q 229
ip address 10.163.116.1 255.255.254.0
ip helper-address 10.0.80.25
ip helper-address 10.18.80.22
!
interface GigabitEthernet0/0/0.230
encapsulation dot1Q 230
ip address 10.163.118.1 255.255.254.0
ip helper-address 10.0.80.25
ip helper-address 10.18.80.22

 

The goal with these interfaces is as follows:

- VLAN 229 and 230 subnets need to be able to talk to each other

- Both subnets need to be able to talk to each IP helper

- Both subnets need to be able to talk with 10.163.115.224/23

- Deny traffic from all other local 10.x subnets

- Allow internet access for the VLAN 229 and VLAN 230 subnets

 

This is the first Cisco ACL I've created. I applied it inbound to both the 229 and 230 interfaces:

ip access-list extended VLAN229_VLAN230_ACL
permit ip 10.163.116.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 host 10.0.80.25
permit ip 10.163.116.0 0.0.1.255 host 10.18.80.22
permit ip 10.163.118.0 0.0.1.255 host 10.0.80.25
permit ip 10.163.118.0 0.0.1.255 host 10.18.80.22
permit ip host 10.18.80.22 10.163.116.0 0.0.1.255
permit ip host 10.18.80.22 10.163.118.0 0.0.1.255
permit ip host 10.0.80.25 10.163.116.0 0.0.1.255
permit ip host 10.0.80.25 10.163.118.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.0.15
permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.0.15
permit ip 10.163.115.224 0.0.0.15 10.163.116.0 0.0.1.255
permit ip 10.163.115.224 0.0.0.15 10.163.118.0 0.0.1.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.163.116.0 0.0.1.255 any
permit ip 10.163.118.0 0.0.1.255 any

 

After applying these ACLs, I put myself on the wireless network, which is 10.18.30.0/24 , and was able to ping everything on the 10.163.118 and the 10.163.116 subnets. Any insight as to why, or how I can change this ACL to complete the task at hand?
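As an added illustration (not code from the thread), here is a small Python first-match evaluator for the extended ACL syntax used above, run over a representative subset of the original poster's entries: an inbound ACL on a VLAN subinterface only evaluates packets entering the router from that VLAN, so the evaluator looks at the return traffic the wireless ping test would generate.

```python
import ipaddress

# Representative subset of the inbound ACL from the original post (constructed for this
# example; the full list has the same shape). One access control entry (ACE) per line.
ACL_TEXT = """
permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 host 10.0.80.25
permit ip host 10.0.80.25 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.0.15
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.163.116.0 0.0.1.255 any
permit ip 10.163.118.0 0.0.1.255 any
"""


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A Cisco wildcard is a hostmask; ipaddress accepts it as the mask when it starts with a 0 octet.
    # Non-contiguous wildcards (e.g. 0.0.254.255) are not supported by ipaddress and raise ValueError.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Turn ACE lines into (action, protocol, src_network, dst_network) tuples, in order."""
    aces = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; falling off the end is the implicit deny (returned index None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, (action, _proto, src, dst) in enumerate(aces, start=1):
        if s in src and d in dst:
            return action, index
    return "deny", None


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    # An inbound ACL on Gi0/0/0.230 only sees packets arriving from VLAN 230, so the wireless
    # host's echo request is never evaluated here; the reply from 10.163.118.10 back to
    # 10.18.30.5 is, and it hits the 10/8 deny before the "permit ... any" entries.
    print("reply VLAN230 -> wireless:", evaluate(aces, "10.163.118.10", "10.18.30.5"))
    print("VLAN230 -> internet:", evaluate(aces, "10.163.118.10", "8.8.8.8"))
```

Because the echo reply from VLAN 230 to the wireless subnet hits the 10/8 deny, a successful ping from 10.18.30.0/24 is consistent with the ACL not being attached to the subinterface at the time of the test, which is the point raised in the replies below.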

11 Replies

balaji.bandi (Hall of Fame)

High level

You need to have a deny ip any any at the end of the ACL for it to take effect:

ip access-list extended VLAN229_VLAN230_ACL
...
deny ip any any

 

 

VLAN229_VLAN230_ACL <-- I have not seen this ACL applied to an interface in your config?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello,

 

Thanks for the help! I was under the impression that Cisco ACLs had an implicit deny at the end. Is that not correct?

Also, it is removed from the interface at the moment, as it wasn't working as intended during the maintenance period.

Yes, there is an implicit deny at the end.
Jaderson Pessoa
*** Rate All Helpful Responses ***

Look at it: By default, there is an implicit deny all clause at the end of every ACL. Anything that is not explicitly permitted is denied.
https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html
Jaderson Pessoa

Yes, there is an implicit deny at the end. On the other side, I have not seen the ACL applied on the interface as per the original post.

 

If you have already made that change or amended it as per the other post's suggestions and it is still not working, can you post the latest config to review?

 

BB


Hello.

 

As I had stated in a previous post, the ACL isn't applied at the moment because it didn't work during my testing period, and this is a production environment. Thanks for your help!

 

 

Jaderson Pessoa (VIP Alumni)

Hello guys,

 

I suggest you use a VACL (VLAN access map). I created a script for you.

Look below:

 

ip access-list extended VLAN229_VLAN230_ACL
remark BETWEEN_VLANS_229_230
permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
remark BETWEEN_VLAN_ITSELF
permit ip 10.163.116.0 0.0.1.255 10.163.116.0 0.0.1.255
permit ip 10.163.118.0 0.0.1.255 10.163.118.0 0.0.1.255
remark BETWEEN_VLANS_TO_.155.224/23
permit ip 10.163.115.224 0.0.0.15 10.163.116.0 0.0.1.255
permit ip 10.163.115.224 0.0.0.15 10.163.118.0 0.0.1.255
permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.0.15
permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.0.15

ip access-list extended DENY_10.0.0/8
permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255


vlan access-map PERMIT_VLAN229_VLAN230_ACL 10
match ip address VLAN229_VLAN230_ACL
action forward

vlan access-map PERMIT_VLAN229_VLAN230_ACL 20
match ip address DENY_10.0.0/8
action drop

vlan access-map PERMIT_VLAN229_VLAN230_ACL 30
action forward

vlan filter PERMIT_VLAN229_VLAN230_ACL vlan-list 229,230

 

Jaderson Pessoa

I will give this a shot! Thank you.

OK, we are waiting for your return.
Jaderson Pessoa

Unfortunately I am only able to test this on Sundays, as these networks are for automated production systems that run 24/6. I will provide an update then, sorry for the delay!

luis_cordova (VIP Alumni)

Hi @dc12132

You could try with two ACLs, one for each VLAN interface:

 

for SVI 229:

access-list 129 permit ip 10.163.116.0 0.0.1.255 10.163.118.0 0.0.1.255
access-list 129 permit ip 10.163.116.0 0.0.1.255 host 10.0.80.25
access-list 129 permit ip 10.163.116.0 0.0.1.255 host 10.18.80.22
access-list 129 permit ip 10.163.116.0 0.0.1.255 10.163.115.224 0.0.1.255
access-list 129 deny ip 10.163.116.0 0.0.1.255 10.0.0.0 0.255.255.255
access-list 129 permit ip any any

interface vlan 229
ip access-group 129 in

 

for SVI 230:

access-list 130 permit ip 10.163.118.0 0.0.1.255 10.163.116.0 0.0.1.255
access-list 130 permit ip 10.163.118.0 0.0.1.255 host 10.0.80.25
access-list 130 permit ip 10.163.118.0 0.0.1.255 host 10.18.80.22
access-list 130 permit ip 10.163.118.0 0.0.1.255 10.163.115.224 0.0.1.255
access-list 130 deny ip 10.163.118.0 0.0.1.255 10.0.0.0 0.255.255.255
access-list 130 permit ip any any

interface vlan 230
ip access-group 130 in

 

Regards