09-06-2018 08:49 AM - edited 02-21-2020 08:12 AM
I have a working ACL. It is applied inbound on the switch port with a server attached. However, the logic is confusing me, as if I switch src/dest around, it no longer works.
Setup:
3650 Switch, server on port g1/0/7. Switch trunked to a pair of 9k's in VPC mode
NTP server is 10.0.0.2
NTP client is 192.168.2.1
192.168.1.0 is a management network
ACL applied as so: ip access-group NTP_Working in on g1/0/7
ACL working:
ip access-list extended NTP_Working
permit udp host 10.0.0.2 eq ntp host 192.168.2.1
permit tcp host 10.0.0.2 eq www 192.168.1.0 0.0.0.255
permit tcp host 10.0.0.2 eq 443 192.168.1.0 0.0.0.255
permit icmp host 10.0.0.2 192.168.1.0 0.0.0.255 echo-reply
ACL Not working (just flipped source/dest):
ip access-list extended NTP_Not_Working
permit udp host 192.168.2.1 eq ntp host 192.168.2.1
permit tcp 192.168.1.0 0.0.0.255 eq www host 10.0.0.2
permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq 443
permit icmp 192.168.1.0 0.0.0.255 host 10.0.0.2 echo-reply
All my logic is allow xx from source to destination. But that is not working here.
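Added example, not part of the original post or any reply: a small Python model of how an inbound ACL on the server's access port is evaluated. An ACL applied with `ip access-group ... in` on g1/0/7 is checked against frames that enter the switch on that port, and on an access port with one attached host those are the frames the server itself sends, so their source is 10.0.0.2. Packets from the clients toward the server leave the switch through g1/0/7 and never hit an inbound ACL there. The two ACLs below are transcribed from the post as written; the parser only handles the ACE forms that appear in them (`host`, wildcard, `any`, `eq`, one ICMP type name), and the sample packets, the client address 192.168.1.50, the ephemeral ports and all function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Port and ICMP names as IOS prints them in the posted ACLs (only the ones used there).
NAMED_PORTS = {"ntp": 123, "www": 80}
ICMP_TYPES = {"echo-reply": 0, "echo": 8}

# Transcribed from the post, verbatim.
NTP_WORKING = [
    "permit udp host 10.0.0.2 eq ntp host 192.168.2.1",
    "permit tcp host 10.0.0.2 eq www 192.168.1.0 0.0.0.255",
    "permit tcp host 10.0.0.2 eq 443 192.168.1.0 0.0.0.255",
    "permit icmp host 10.0.0.2 192.168.1.0 0.0.0.255 echo-reply",
]
NTP_NOT_WORKING = [
    "permit udp host 192.168.2.1 eq ntp host 192.168.2.1",
    "permit tcp 192.168.1.0 0.0.0.255 eq www host 10.0.0.2",
    "permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq 443",
    "permit icmp 192.168.1.0 0.0.0.255 host 10.0.0.2 echo-reply",
]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def _parse_addr(tokens):
    """Consume one address spec: 'host A', 'any', or 'A wildcard'. Returns (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' that follows an address spec."""
    if tokens and tokens[0] == "eq":
        p = tokens[1]
        return (int(p) if p.isdigit() else NAMED_PORTS[p]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse one extended ACE of the form used in the post into a dict."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)
    icmp_type = ICMP_TYPES[rest[0]] if proto == "icmp" and rest else None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "icmp_type": icmp_type}


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def inbound_acl_verdict(acl, attached_host, pkt):
    """Model 'ip access-group <acl> in' on an access port with one attached host:
    only frames that host sends enter the switch on the port, so only packets it
    sources are checked. Anything else exits through the port and is not evaluated."""
    if pkt.src != attached_host:
        return "not-evaluated (egress on this port)"
    return evaluate(acl, pkt)


def demo():
    """Constructed sample traffic; 192.168.1.50 and the high ports are assumptions."""
    server = "10.0.0.2"
    traffic = {
        "ntp reply":   Packet("udp", server, "192.168.2.1", sport=123, dport=123),
        "https reply": Packet("tcp", server, "192.168.1.50", sport=443, dport=52000),
        "echo reply":  Packet("icmp", server, "192.168.1.50", icmp_type=0),
        "ntp request": Packet("udp", "192.168.2.1", server, sport=123, dport=123),
    }
    return {name: {"NTP_Working": inbound_acl_verdict(NTP_WORKING, server, p),
                   "NTP_Not_Working": inbound_acl_verdict(NTP_NOT_WORKING, server, p)}
            for name, p in traffic.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:12s} {verdicts}")
```

Running it shows the server's own replies (NTP, HTTPS, echo-reply) permitted by NTP_Working and dropped by the implicit deny in NTP_Not_Working, while the client's NTP request is never evaluated by an inbound ACL on g1/0/7 at all. The flipped ACEs describe client-to-server traffic, which would only be seen by an ACL applied outbound on g1/0/7 or inbound on the client-facing ports.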
09-06-2018 10:13 AM
You are definitely using it correctly in the source/destination order of the ACE.
Is it just NTP that breaks, or all the other traffic in the ACL as well?
09-06-2018 10:27 AM
All traffic listed breaks, i.e. www access and pings.
Which ACL do you say looks good, the one labeled working or not working?
Thanks!