01-11-2017 09:03 AM - edited 02-20-2020 09:44 PM
Hi All,
I thought I had the ACLs figured out but this rule is bugging me:
interface Vlan40
description ((Servers))
ip address 10.100.40.1 255.255.255.0
ip access-group Secure-Servers out
ip helper-address 127.74.118.150
ip helper-address 127.74.118.140
no ip redirects
ip pim sparse-mode
ip igmp version 3
mls rp ip
arp timeout 300
end
On this ACL Secure-Servers I am seeing the hits below:
360 permit ip host 147.77.130.83 any (6662 matches)
So how is that possible? It is applied in the OUTBOUND direction, so surely in the extended ACL above I should only be seeing hits if the SOURCE is in the 10.100.40.X range, because it's accessing that VLAN and the only range coming out of that VLAN is 10.100.40.X according to the config above. So how does a packet with source 147.x.x.x get hits? Also there are many different ranges getting hits.
Thanks for your assistance.
01-11-2017 09:56 AM
The rule above only applies to packets leaving the switch. If you want to see the opposite direction then create another rule for the direction "in".
01-11-2017 09:13 AM
"out" access lists apply in the direction from the vlan/port towards the servers (aka, out of the switch's interface).
This just means 147.77.130.83 somewhere else in the network has tried to talk to a 10.100.40.x host, and being a directly connected vlan, it was routed out that vlan/port.
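To make the direction rule in this reply concrete, here is an added Python model of how an outbound ACL on the Vlan40 SVI sees traffic (example code written for this thread, not IOS and not from the original poster). It assumes a simplified "in = source lives in the VLAN subnet, out = destination lives in the VLAN subnet" rule and uses only the ACE quoted in the question.

```python
import ipaddress

# Constructed model (assumption): the interface subnet from the posted config.
VLAN40_SUBNET = ipaddress.ip_network("10.100.40.0/24")

# The ACE quoted in the question: "360 permit ip host 147.77.130.83 any".
ACL_SECURE_SERVERS = [
    {"seq": 360, "action": "permit",
     "src": ipaddress.ip_network("147.77.130.83/32"),
     "dst": ipaddress.ip_network("0.0.0.0/0"),
     "matches": 0},
]

def direction_on_vlan40(src, dst):
    """Which ACL direction on interface Vlan40 would evaluate this packet.
    'in'  : packet arrives on Vlan40 (source is a VLAN 40 host).
    'out' : packet is routed out of Vlan40 towards a VLAN 40 host.
    None  : packet never transits Vlan40 (simplified model).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in VLAN40_SUBNET:
        return "in"
    if dst in VLAN40_SUBNET:
        return "out"
    return None

def evaluate(acl, src, dst):
    """First-match ACE lookup with the implicit deny at the end.
    Increments the matching ACE's hit counter (the '(N matches)' in show output).
    Returns (seq, action), or (None, 'deny') when nothing matched."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if src in ace["src"] and dst in ace["dst"]:
            ace["matches"] += 1
            return ace["seq"], ace["action"]
    return None, "deny"

def outbound_acl_result(src, dst):
    """What 'ip access-group Secure-Servers out' on Vlan40 does with this packet.
    Returns ('not evaluated', None) when the packet is not leaving via Vlan40."""
    if direction_on_vlan40(src, dst) != "out":
        return ("not evaluated", None)
    return evaluate(ACL_SECURE_SERVERS, src, dst)

if __name__ == "__main__":
    # Remote host talking to a VLAN 40 server: routed out Vlan40, hits seq 360.
    print(outbound_acl_result("147.77.130.83", "10.100.40.25"))  # (360, 'permit')
    # The server's reply enters Vlan40, so the outbound ACL never sees it.
    print(outbound_acl_result("10.100.40.25", "147.77.130.83"))  # ('not evaluated', None)
```

Any other source reaching a 10.100.40.x host is also evaluated outbound and falls to the implicit deny unless an ACE permits it, which is why many different source ranges can show hits on this ACL.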
01-11-2017 09:25 AM
Thanks for your response.
Ok, so if 147.77.130.83 does talk to 10.100.40.X, surely when 10.100.40.X communicates back to 147.77.130.83 the source address changes to 10.100.40.X, so how can we see hits with source 147.77.130.83 to any? It should have been denied according to the rule above, right?
01-12-2017 01:15 AM
Thanks, I think I get it now. It's applied to all addresses leaving that switch via that subnet (VLAN 40), and not to the address range that belongs to VLAN 40.