Problem with ACL 3560G not block all traffic

zaikini_23
Level 1

Hi!

I have SVI in my 3560G

!
interface Vlan304
 ip address x.x.x.x 255.255.255.248 secondary
 ip address y.y.y.y 255.255.255.248 secondary
 ip address s.s.s.s 255.255.255.248 secondary
 ip address z.z.z.z 255.255.255.248
 ip access-group Vlan304-in in

and I block the network s.s.s.s/29:

sh ip access-lists Vlan304-in
Extended IP access list Vlan304-in
    deny ip s.s.s.s 0.0.0.7 any
    permit ip any any

I have seen in the statistics (NetFlow) traffic still coming from this subnet. I have found out that it is UDP queries to destination port 5150.

I have changed access-list Vlan304-in:

sh ip access-lists Vlan304-in
Extended IP access list Vlan304-in
    deny tcp s.s.s.s 0.0.0.7 gt 0 any gt 0
    deny udp s.s.s.s 0.0.0.7 gt 0 any gt 0
    permit ip any any

and the traffic from this subnet is stopped.

Why, in the first case, did the access-list not block all traffic?


vkapoor5
Level 5

To my knowledge the first ACL must work, because the first ACL statement will block all IP traffic for the segment. The problem might be a duplicate statement if you applied the first case and the second case at the same time, because the access list will take the exact match.
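To compare the two lists on paper, below is an added simulation of extended-ACL matching written for this page; it is not code from the thread or from Cisco, and it applies the documented rules only: a wildcard-mask bit set to 1 is ignored, entries are tried top-down with the first match deciding, and a list with no matching entry denies. The anonymised s.s.s.s/29 is stood in by a constructed TEST-NET-1 block (192.0.2.8/29), and the sample packets are constructed as well. Run against the observed UDP/5150 query, both lists deny it, which is the behaviour the reply expects from the first list. The simulation also shows what the second, protocol-specific list leaves uncovered: traffic that is neither TCP nor UDP, and any datagram using port 0, since `gt 0` matches only ports above 0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The poster anonymised the blocked subnet as s.s.s.s/29; this example stands it in
# with a constructed TEST-NET-1 block (an assumption, not a value from the thread).
S_NET = "192.0.2.8"

PortSpec = Optional[Tuple[str, int]]   # e.g. ("gt", 0); None means "any port"


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: str           # source base address
    src_wc: str        # source wildcard mask (1 bits = don't care)
    src_port: PortSpec
    dst: str
    dst_wc: str
    dst_port: PortSpec


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny <proto> <src> [op port] <dst> [op port]' entry."""
    tok = line.split()
    pos = 2                                   # tok[0] action, tok[1] protocol

    def take_addr() -> Tuple[str, str]:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1], "0.0.0.0"
        pos += 2
        return tok[pos - 2], tok[pos - 1]     # explicit address + wildcard

    def take_port() -> PortSpec:
        nonlocal pos
        if pos < len(tok) and tok[pos] in ("eq", "neq", "gt", "lt"):
            pos += 2
            return tok[pos - 2], int(tok[pos - 1])
        return None

    src, src_wc = take_addr()
    src_port = take_port()
    dst, dst_wc = take_addr()
    dst_port = take_port()
    return Ace(tok[0], tok[1], src, src_wc, src_port, dst, dst_wc, dst_port)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def port_match(port: Optional[int], spec: PortSpec) -> bool:
    if spec is None:
        return True
    if port is None:                          # entry names a port, packet has none (ICMP)
        return False
    op, value = spec
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    return (wildcard_match(pkt.src, ace.src, ace.src_wc)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wc)
            and port_match(pkt.sport, ace.src_port)
            and port_match(pkt.dport, ace.dst_port))


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; no match means the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The two access lists from the thread, s.s.s.s replaced by the constructed block.
ACL_V1 = [parse_ace(l) for l in (f"deny ip {S_NET} 0.0.0.7 any",
                                 "permit ip any any")]
ACL_V2 = [parse_ace(l) for l in (f"deny tcp {S_NET} 0.0.0.7 gt 0 any gt 0",
                                 f"deny udp {S_NET} 0.0.0.7 gt 0 any gt 0",
                                 "permit ip any any")]

# Constructed sample packets: the observed UDP/5150 query, an ICMP echo, a UDP
# datagram with source port 0 (not covered by "gt 0"), and a host outside the /29.
UDP_5150 = Packet("udp", "192.0.2.10", "198.51.100.5", sport=40000, dport=5150)
ICMP_ECHO = Packet("icmp", "192.0.2.10", "198.51.100.5")
UDP_SPORT0 = Packet("udp", "192.0.2.10", "198.51.100.5", sport=0, dport=5150)
OUTSIDE = Packet("udp", "192.0.2.20", "198.51.100.5", sport=40000, dport=5150)

if __name__ == "__main__":
    for name, pkt in [("udp/5150", UDP_5150), ("icmp echo", ICMP_ECHO),
                      ("udp sport 0", UDP_SPORT0), ("outside /29", OUTSIDE)]:
        print(f"{name:12} v1={evaluate(ACL_V1, pkt):7} v2={evaluate(ACL_V2, pkt)}")
```

The simulation reproduces the control-plane logic only; it cannot show counters, hardware programming or which of two loaded versions of the list a switch is actually using, so when a list that should match does not, the useful checks on the device are the list as it is actually configured and where it is applied, not the semantics themselves.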