04-15-2020 03:55 PM
I noticed our switch randomly blocks phones on VLAN 34, which is odd. Some of these communications are within the same subnet and should not be hitting the access list at all.
Here is my log:
.29.132(48378) (Vlan34 004e.006e.0000) -> 10.20.28.13(80), 1 packet
*Apr 15 22:03:04.421: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.20.29.132(48381) (Vlan34 004e.006e.0000) -> 10.20.28.13(80), 1 packet
*Apr 15 22:03:14.427: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.20.29.132(48383) (Vlan34 004e.006e.0000) -> 10.20.28.13(80), 1 packet
*Apr 15 22:03:15.439: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.20.29.132(48386) (Vlan34 004e.006e.0000) -> 10.20.28.13(80), 1 packet
*Apr 15 22:03:16.451: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.20.29.132(48388) (Vlan34 004e.006e.0000) -> 10.20.28.13(80), 1 packet
*Apr 15 22:03:24.412: %BUFCAP-6-DISABLE: Capture Point cap disabled.
*Apr 15 22:03:24.726: %SEC-6-IPACCESSLOGP: list 134 denied udp 10.20.29.211(57138) (Vlan34 01dc.0200.0400) -> 10.20.28.11(5060), 1 packet
The access-list 134 is below:
cisco-stack1#show ip access-list 134
Extended IP access list 134
9 permit ip any host 10.20.0.119
10 permit ip any host 10.20.28.1 (124 matches)
20 permit ip any host 10.20.22.1
29 permit ip 10.20.28.0 0.0.1.255 host 192.168.254.22
30 permit ip 10.20.28.0 0.0.1.255 host 192.168.154.205
31 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.22
32 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.23
40 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.14 eq domain
50 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.15 eq domain
60 permit ip host 10.20.28.10 host 192.168.154.49
61 permit ip host 10.20.28.10 host 192.168.154.71
62 permit ip host 10.20.28.10 any
70 permit ip host 10.20.28.11 host 192.168.154.49
71 permit ip host 10.20.28.11 any
80 permit ip host 10.20.28.12 host 192.168.154.49
81 permit ip host 10.20.28.12 host 192.168.154.71
82 permit ip host 10.20.28.12 any
90 permit ip host 10.20.28.13 host 192.168.154.49
91 permit ip host 10.20.28.13 any
92 permit ip host 10.20.28.15 any
100 deny ip any 10.0.0.0 0.255.255.255 log-input (3067200 matches)
110 deny ip any 172.16.0.0 0.0.15.255
120 deny ip any 192.168.0.0 0.0.255.255 (54250 matches
Any ideas to fix this, please?
04-15-2020 04:34 PM
Hi,
This IP "10.20.28.13" looks like it is for CUCM, right?
IP phones need communication to communication manager servers, voice gateway routers and maybe communication to Webex/Jabber if configured.
Did you allow that in your list?
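Added example, not part of the original thread: a small Python first-match evaluator for the ACL 134 entries as posted, to check which sequence number a given flow from the log hits. It assumes standard IOS first-match and wildcard-mask semantics and handles only the keywords that occur in this list (`any`, `host`, `eq domain`); the function names are hypothetical.

```python
import ipaddress
import re

# Entries copied from the post's "show ip access-list 134" output (match counters dropped).
ACL_134 = """\
9 permit ip any host 10.20.0.119
10 permit ip any host 10.20.28.1
20 permit ip any host 10.20.22.1
29 permit ip 10.20.28.0 0.0.1.255 host 192.168.254.22
30 permit ip 10.20.28.0 0.0.1.255 host 192.168.154.205
31 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.22
32 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.23
40 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.14 eq domain
50 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.15 eq domain
60 permit ip host 10.20.28.10 host 192.168.154.49
61 permit ip host 10.20.28.10 host 192.168.154.71
62 permit ip host 10.20.28.10 any
70 permit ip host 10.20.28.11 host 192.168.154.49
71 permit ip host 10.20.28.11 any
80 permit ip host 10.20.28.12 host 192.168.154.49
81 permit ip host 10.20.28.12 host 192.168.154.71
82 permit ip host 10.20.28.12 any
90 permit ip host 10.20.28.13 host 192.168.154.49
91 permit ip host 10.20.28.13 any
92 permit ip host 10.20.28.15 any
100 deny ip any 10.0.0.0 0.255.255.255 log-input
110 deny ip any 172.16.0.0 0.0.15.255
120 deny ip any 192.168.0.0 0.0.255.255
"""

def _n(ip):
    return int(ipaddress.IPv4Address(ip))

def _hit(ip, base, wild):
    # Wildcard bits set to 1 are "don't care"; only the remaining bits must be equal.
    return ((_n(ip) ^ _n(base)) & ~_n(wild) & 0xFFFFFFFF) == 0

def first_match(proto, src, dst, dport, acl=ACL_134):
    """Return (sequence, action) of the first entry the flow matches."""
    for line in acl.splitlines():
        # Normalise "any" and "host X" to explicit address/wildcard pairs.
        line = re.sub(r"host (\S+)", r"\1 0.0.0.0", line.replace(" any", " 0.0.0.0 255.255.255.255"))
        seq, action, p, sb, sw, db, dw, *rest = line.split()
        port_ok = rest[:1] != ["eq"] or (rest[1] == "domain" and dport == 53)
        if p in ("ip", proto) and _hit(src, sb, sw) and _hit(dst, db, dw) and port_ok:
            return int(seq), action
    return None, "deny"  # implicit deny at the end of the list
```

For the logged flow, `first_match("tcp", "10.20.29.132", "10.20.28.13", 80)` returns `(100, "deny")`, while the same pair with 10.20.28.13 as the source matches entry 91.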
04-16-2020 07:45 AM
04-16-2020 08:11 AM
04-16-2020 01:22 AM