ACL issue

kumar.krishna1
Level 1

Hi friends,

I am facing a strange issue with an ACL. We have many Cisco 4500 series VSS pairs in all our branch offices acting as the core. We have the below kind of ACL.

Extended IP access list 101
10 permit udp any eq bootpc host 255.255.255.255 eq bootps (14 matches)
20 permit ip 10.253.69.160 0.0.0.31 host 10.252.32.54 (676 matches)
70 permit ip 10.253.69.160 0.0.0.31 host 10.252.72.159 (19503 matches)
100 permit ip 10.253.69.160 0.0.0.31 host 10.252.184.35
110 deny ip 10.253.69.160 0.0.0.31 10.0.0.0 0.255.255.255
120 permit ip any any

interface Vlan500
description L3_for_non-IT_devices_VLAN
ip address 10.253.69.190 255.255.255.224
ip access-group 101 in

The problem is, when we ping any IP which is supposed to be blocked by this ACL, it pings successfully, and we don't see any hit count either.

ping 10.253.40.250 source vlan 500
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.253.40.250, timeout is 2 seconds:
Packet sent with a source address of 10.253.69.190
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/12 ms

All the branch office core switches have a similar config and all are successfully pinging. Does anyone know why this ACL is not working?

Accepted Solution

Deepak Kumar
VIP Alumni

Hi,

First of all, share your network diagram. Meanwhile, try this (line 5) in the ACL and share the output.

Extended IP access list 101

5 deny icmp 10.253.69.160 0.0.0.31 10.0.0.0 0.255.255.255
10 permit udp any eq bootpc host 255.255.255.255 eq bootps (14 matches)
20 permit ip 10.253.69.160 0.0.0.31 host 10.252.32.54 (676 matches)
70 permit ip 10.253.69.160 0.0.0.31 host 10.252.72.159 (19503 matches)
100 permit ip 10.253.69.160 0.0.0.31 host 10.252.184.35
110 deny ip 10.253.69.160 0.0.0.31 10.0.0.0 0.255.255.255
120 permit ip any any

Note: Don't generate ICMP traffic from the switch itself; this ACL will not work. If you want to block traffic which is generated by the switch itself, then apply the ACL on the Control Panel.

Regards,

Deepak Kumar


Seb Rupik
VIP Alumni

Hi there,

Is that the correct ACL? Exactly which line of your ACL is supposed to block the return ICMP traffic?

cheers,

Seb.

Jon Marshall
Hall of Fame

The ACL will not apply to traffic sourced from the switch itself.

What happens if you ping from a client in VLAN 500?

Jon
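To make the thread's point concrete, here is an added Python model (not code from the thread or from Cisco) that parses ACL 101 exactly as the show ip access-lists output above prints it, evaluates packets with first-match and wildcard-mask semantics, and models Jon's observation that an inbound ACL on Vlan500 only sees traffic entering that interface from hosts, so a ping sourced by the switch itself is never evaluated. The function names and the packets used are constructed for this example.

```python
import ipaddress

# Constructed copy of ACL 101 from the thread, as 'show ip access-lists' prints it.
ACL_101 = """\
10 permit udp any eq bootpc host 255.255.255.255 eq bootps (14 matches)
20 permit ip 10.253.69.160 0.0.0.31 host 10.252.32.54 (676 matches)
70 permit ip 10.253.69.160 0.0.0.31 host 10.252.72.159 (19503 matches)
100 permit ip 10.253.69.160 0.0.0.31 host 10.252.184.35
110 deny ip 10.253.69.160 0.0.0.31 10.0.0.0 0.255.255.255
120 permit ip any any"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}   # the named ports used in ACL 101

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq PORT' from tokens."""
    t = tokens.pop(0)
    spec = (0, 0xFFFFFFFF) if t == "any" else \
        (_ip(tokens.pop(0)), 0) if t == "host" else (_ip(t), _ip(tokens.pop(0)))
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return spec, port

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        seq, action, proto, *rest = line.split("(")[0].split()  # drop "(N matches)"
        src, sport = _addr(rest)
        dst, dport = _addr(rest)
        entries.append((int(seq), action, proto, src, sport, dst, dport))
    return sorted(entries, key=lambda e: e[0])

def _matches(addr, spec):
    base, wildcard = spec            # Cisco wildcard: a 1 bit means "don't care"
    return (addr ^ base) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First match wins and returns (action, seq); no match is the implicit deny."""
    for seq, action, ep, es, esp, ed, edp in entries:
        if ep in ("ip", proto) and _matches(_ip(src), es) and _matches(_ip(dst), ed) \
                and esp in (None, sport) and edp in (None, dport):
            return action, seq
    return "deny", None

def inbound_verdict(entries, origin, **pkt):
    """The inbound ACL on Vlan500 only sees host traffic entering the SVI; a switch-sourced ping is not checked."""
    return ("not evaluated", None) if origin == "switch" else evaluate(entries, **pkt)
```

A host-sourced ICMP packet from 10.253.69.170 to 10.253.40.250 is denied at line 110 (or at Deepak's line 5 once that is added), whereas the same packet with origin "switch" is never evaluated, which is also why the hit counters stay at zero.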

Hi Jon,

Are you sure of that? The ACL will not be applicable to traffic sourced from the switch itself?

We couldn't ping from the client, as the devices connected in that VLAN are some hardware to which we don't have any access and no ping option. As it's in a remote location, we couldn't test. We accidentally just pinged and are getting no clue.


Hi Deepak,

It's still pinging even after I added the line

5 deny icmp 10.253.69.160 0.0.0.31 10.0.0.0 0.255.255.255

The ACL will not apply to traffic sourced from the switch itself.

Try it from a PC, please.
Jaderson Pessoa

Hi,

As I already mentioned, don't test this ACL from the switch itself. It will not block the traffic. You have to connect a desktop/laptop to the switch and test it again.

I am happy that my solution has worked for you.

Regards,

Deepak Kumar


Thanks all.

Let me test by connecting a PC to the switch. Thanks for all your guidelines. Much appreciated.

Jaderson Pessoa
VIP Alumni
Hello,

Are you trying to do this ping directly from your L3 device?

Could you try it from a PC?
I checked your ACL and it doesn't have a wrong configuration.
Jaderson Pessoa

Jaderson Pessoa
VIP Alumni

@kumar.krishna1 ,

I had the same configuration here:

Extended IP access list REDEJAPAN
permit tcp 172.20.22.192 0.0.0.63 any host 172.20.14.199 domain ace-priority 1
deny ip 172.20.22.192 0.0.0.63 172.20.14.0 0.0.0.255 ace-priority 60
deny ip 172.20.22.192 0.0.0.63 172.20.15.0 0.0.0.255 ace-priority 80
deny ip 172.20.22.192 0.0.0.63 172.20.20.0 0.0.0.255 ace-priority 100
deny ip 172.20.22.192 0.0.0.63 172.20.10.0 0.0.1.255 ace-priority 240
permit ip any any ace-priority 300

From the switch itself, it doesn't work, because the ACL will not apply to traffic sourced from the switch itself.

SWC-PBLDTC-01#ping 172.20.14.200 source 172.20.22.193
Pinging 172.20.14.200 with 18 bytes of data:

18 bytes from 172.20.14.200: icmp_seq=1. time=0 ms
18 bytes from 172.20.14.200: icmp_seq=2. time=0 ms
18 bytes from 172.20.14.200: icmp_seq=3. time=10 ms
18 bytes from 172.20.14.200: icmp_seq=4. time=10 ms

BUT from the host I can't ping.

Regards

Jaderson Pessoa