2792 Views, 2 Helpful, 34 Replies

ACL Issues with denying traffic

db3772
Level 1

I am not an expert in setting up ACLs, but I have a good understanding of the basics. However, I feel like I might be missing something.

I have set up a new VLAN to provide direct internet access while blocking communication to other VLANs and on-premises devices.

The primary issue I am having is I can still ping and access certain IP addresses even though traffic should be denied. For example, on the OUT ACL I have the 10.0.0.0/8 subnet set to deny anything, but I can still ping the following IPs, which I'm assuming are other virtual interfaces: 10.200.16.2, 10.8.1.2, 10.8.1.49. I also have 172.0.0.0/8 set to deny, and I can ping some printers and other devices with the following IPs: 172.20.0.2, 172.20.1.5, 172.20.210.165, 172.20.100.98.

I even set a deny ip any any at the first sequence of the IN and OUT ACL to test, and I can still ping these devices but I can't get to anything else. One other thing I cannot figure out is that it seems like no matter what I add on the IN ACL it doesn't affect traffic; the only entry is an implicit deny, and even if I specifically enter deny ip 10.30.1.0 0.0.0.255 any or entries for the specific IP addresses I can ping, traffic still passes out of the interface.

The switches are C9200L-48P.

Here is the VLAN config:

interface Vlan30
description GuestWired
ip address 10.30.1.1 255.255.255.0
ip helper-address 172.20.0.x
ip access-group GuestWired-IN in
ip access-group GuestWired-OUT out

Here's the IN ACL:

Extended IP access list GuestWired-IN
    999 deny ip any any

Here's the OUT ACL:

Extended IP access list GuestWired-OUT
    10 deny ip 172.0.0.0 0.255.255.255 any
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 192.0.0.0 0.255.255.255 any
    999 permit ip any any

1 Accepted Solution

This is the same as your topology (as we know).
Now R3's GW is 10.0.0.1 and R4's GW is 20.0.0.1.

When I ping from R3 to R4 you see success; then after I apply the ACL:
ip access-list extended ICMP
 deny icmp host 10.0.0.100 host 20.0.0.100

the ping failed.
And you can see when I do a traceroute from R3 to R4 I must see the GW as the first hop; if you see another hop then the ACL does not work because the routing is done via another L3 interface.

MHM

[Screenshots: Screenshot (505).png, Screenshot (506).png, Screenshot (507).png]


34 Replies

balaji.bandi
Hall of Fame

You need to understand the ACL first:

In -- when you are running traffic coming INTO the interface through an ACL.
Out -- when you are running traffic leaving the interface through an ACL.

So flip the ACLs and test as below:

interface Vlan30
ip access-group GuestWired-IN out
ip access-group GuestWired-OUT in

I have addressed only what is related to the ACL.

Switch or router ACLs are not stateful, so you need to allow the traffic when it returns from outside to inside (if you need to allow it).

deny any any denies everything. You need to adjust the ACL according to what needs to be permitted.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I'll give that a shot. I was under the impression that the IN ACL was for traffic originating from inside the VLAN going out, and OUT was for traffic originating from outside going to the inside.

It didn't work; I can still ping the devices. There should be an implicit deny at the end of the ACL, and deny any any isn't a recognized command; not sure if my device supports it. I re-added deny ip any any at the first sequence in both ACLs so that's what is processed first, and I can still ping the devices.

First, share show ip access-list.

Second, from which IP do you test the ping, and to which IP?

MHM

I changed the ACL back to the original I had. Just for clarity, inbound has the IN ACL and outbound has the OUT ACL.

Here's what the access list is configured as at the moment:

Extended IP access list GuestWired-IN
    10 deny ip any 172.0.0.0 0.255.255.255
    20 deny ip any 10.0.0.0 0.255.255.255 (72 matches)
    30 deny ip any 192.0.0.0 0.255.255.255
    50 permit ip any any (17 matches)
    999 deny ip any any (19 matches)
Extended IP access list GuestWired-OUT
    10 deny ip 172.0.0.0 0.255.255.255 any
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 192.0.0.0 0.255.255.255 any
    999 deny ip any any

I'm pinging from a laptop connected to vlan30 with an IP address of 10.30.1.12

I'm doing a constant ping on 172.25.210.12 and 10.200.16.2; currently the 172 address is being denied but I can ping the 10.200.16.2 address.

Here's roughly how the network is set up:

[Diagram: 1.png]

20 deny ip any 10.0.0.0 0.255.255.255 (72 matches)

Remove the above and add:

20 deny ip any 10.200.16.0 0.0.0.255

The line number must be 20, or less than 50 (permit any any).

MHM

I made the change, no luck; I can still ping 10.200.16.2.

Extended IP access list GuestWired-IN
    10 deny ip any 172.0.0.0 0.255.255.255
    20 deny ip any 10.200.16.0 0.0.0.255
    30 deny ip any 192.0.0.0 0.255.255.255
    50 permit ip any any (56 matches)
    999 deny ip any any (19 matches)
Extended IP access list GuestWired-OUT
    10 deny ip 172.0.0.0 0.255.255.255 any
    20 deny ip 10.0.0.0 0.255.255.255 any
    30 deny ip 192.0.0.0 0.255.255.255 any
    999 deny ip any any

Here is a ping from the switch as well, sourced from that VLAN:

#ping 10.200.16.2 source Vlan30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.16.2, timeout is 2 seconds:
Packet sent with a source address of 10.30.1.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms


To test the ACL you need to use a device connected to that VLAN, not the VLAN SVI; the VLAN SVI bypasses any ACL applied under it.

MHM

In my network setup, I won't be able to connect directly to that layer 3 stack on a port configured with vlan30. The layer 2 switch stack is in another building, where the laptop is connected to a Meraki switch with the port configured with vlan30. I don't know why the network was designed this way; this is just what I'm working with from previous sysadmins. Is there a different way I should approach this?

It is only for testing, and it should be done by a laptop connected to the L3 switch or to the far L2 switch.

Sorry for that, but that makes us sure our config is correct.

MHM

Ok, gotcha. I'll be heading over to that building soon.

Take your time, and your ACL direction is OK, but the wildcard you use for the subnet is not correct.

That's all.

Good luck, friend, in your task.

MHM
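As an added example (not from this thread and not the switch's own code), here is a small Python first-match evaluator for Cisco-style extended ACL entries with wildcard masks. It confirms that the GuestWired-IN list posted above does match 10.30.1.12 to 10.200.16.2 at sequence 20, so a successful ping means those packets are not traversing that ACL, and it also shows an alternative list (an assumption about the intended policy) whose wildcards cover only the RFC 1918 private ranges rather than whole /8s.

```python
# Added example: first-match evaluation of extended ACL entries with
# Cisco wildcard masks (a 1 bit in the wildcard means "don't care").
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr is covered by base/wildcard under Cisco wildcard rules."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_entry(line: str):
    """Parse 'SEQ action proto SRC [WC] DST [WC]'; 'any' and 'host X' supported."""
    tok = line.split()
    seq, action, proto, rest = int(tok[0]), tok[1], tok[2], tok[3:]

    def take():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ("0.0.0.0", "255.255.255.255")
        if rest[0] == "host":
            host, rest = rest[1], rest[2:]
            return (host, "0.0.0.0")
        base, wc, rest = rest[0], rest[1], rest[2:]
        return (base, wc)

    src, dst = take(), take()
    return (seq, action, proto, src, dst)


def evaluate(acl_lines, src_ip, dst_ip):
    """Return (seq, action) of the first matching entry; (None, 'deny') is the implicit deny."""
    for seq, action, _proto, (sb, sw), (db, dw) in sorted(map(parse_entry, acl_lines)):
        if wildcard_match(src_ip, sb, sw) and wildcard_match(dst_ip, db, dw):
            return seq, action
    return None, "deny"


# The GuestWired-IN list as posted in the thread (match counters omitted).
GUESTWIRED_IN = [
    "10 deny ip any 172.0.0.0 0.255.255.255",
    "20 deny ip any 10.0.0.0 0.255.255.255",
    "30 deny ip any 192.0.0.0 0.255.255.255",
    "50 permit ip any any",
]
# Assumed alternative: deny only the RFC 1918 ranges, not entire /8 blocks.
GUESTWIRED_IN_RFC1918 = [
    "10 deny ip any 172.16.0.0 0.15.255.255",
    "20 deny ip any 10.0.0.0 0.255.255.255",
    "30 deny ip any 192.168.0.0 0.0.255.255",
    "50 permit ip any any",
]
```

With the posted list, `evaluate(GUESTWIRED_IN, "10.30.1.12", "10.200.16.2")` returns `(20, "deny")`, and a public address such as 192.0.2.1 is also denied at sequence 30, whereas the RFC 1918 variant permits it at sequence 50.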

I just set up the laptop on an access interface with vlan30 on the core stack. I can still ping the 10.200 address, but if I apply the ACL to the port itself it blocks the pings and traffic, and works as expected, including blocking the other subnets I have entered, like the 172.0.0.0/8 subnet. It seems the issue is isolated to the ACL being applied to the VLAN interface.

Ok, I understand what you are saying.

Can we get the full show run configuration for us to review, and where is the ping initiated and where is that connected?

BB
