ACL list on routing interface BGP
05-30-2022 06:03 AM - last edited on 05-31-2022 10:14 PM by Translator
Good day,
I have 2 connected switches over a p2p link using BGP.
We want to only allow connections to the internet (public IP ranges) and some internal network ports to be exposed. However, the test below is not working at all. All the matches are on the BGP point-to-point interfaces and traffic is getting through.
I want to block all traffic to and from 172.22.201.52.
Interface configuration:
interface Ethernet1/41.100
description xxxx
encapsulation dot1q 100
ip access-group test1 in
ip access-group test1 out
vrf member xxxx
ip address 172.22.193.100/31
no shutdown
IP access list test1
statistics per-entry
10 deny ip any 172.22.201.52/32 [match=0]
11 deny ip 172.22.201.52/32 any [match=0]
90 permit ip 172.22.193.0 0.0.0.255 172.22.193.0 0.0.0.255 [match=24770]
Thank you in advance,
Evert
Labels: Routing Protocols
05-30-2022 06:07 AM
Not sure what you are trying to do.
If you want to block all traffic to and from 172.22.193.0/24, why do you have a permit line for that subnet in your ACL?
Jon
05-30-2022 06:13 AM
Can you elaborate more?
05-30-2022 06:20 AM - edited 05-30-2022 06:20 AM
Thanks for the fast response! I did change the thread.
There is a BGP session running on the same interface, so that needs to get through.
But to make it clearer: I want to block 172.22.201.52. However, if I ping it I can see that it got a hit on: 90 permit ip 172.22.193.0 0.0.0.255 172.22.193.0 0.0.0.255
05-30-2022 06:24 AM
So you don't want to block 172.22.193.0/24?
I am still not really understanding what you are trying to do.
If you are able to ping 172.22.201.52, where are you pinging it from in relation to the interface you have applied the ACL to?
Jon
05-30-2022 06:53 AM
I'm very sorry, I think I found the problem: if you do something like this, you should also apply it on the second switch in order to get it working and do a full test. Sorry for your time!
I will upload my full ACL list so at least someone who is working on ACL lists can use it!
05-30-2022 08:04 AM - last edited on 05-31-2022 10:17 PM by Translator
Hello
Can you post the output of the following please:
sh ip bgp sum
sh ip bgp
sh ip route bgp
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
05-31-2022 12:55 AM - edited 05-31-2022 12:57 AM
Good morning. Below is the full list, and this is working.
It allows a BGP connection on the interface subnet /24; as I'm doing another switch, I added another range as well (172.22.193.0 and 172.22.194.0).
This is blocking any private IP address and allowing the devices to go to any public IP addresses (Inet).
Interface configuration:
interface Ethernet1/41.100
description interface
encapsulation dot1q 100
ip access-group Acceslist in
vrf member x
ip address 172.22.193.100/31
no shutdown
Object groups
IPv4 address object-group BGPpeer
10 172.22.193.0 0.0.0.255
20 172.22.194.0 0.0.0.255
IPv4 address object-group loopback1
10 172.22.192.0 0.0.0.255
IPv4 address object-group private
10 192.168.0.0 0.0.255.255
20 172.18.0.0 0.15.255.255
30 10.0.0.0 0.255.255.255
ACL list
IP access list Acceslist
100 remark allow acces to Loopback subnet
101 permit ip any addrgroup loopback1
102 permit ip addrgroup loopback1 any
940 remark Allow BGP peer
941 permit ip addrgroup BGPpeer addrgroup BGPpeer
950 remark Deny all Private IP ranges (RFC1918)
951 deny ip addrgroup private any
1000 remark Allow any Public Ip ranges
1001 permit ip any any
Thank you all for the help. If you have questions about this, just let me know.
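As an added illustration (not posted in the thread, and not Cisco's code): a small Python first-match evaluator for the two ACLs discussed above, so the effect of the wildcard masks, the addrgroup references and the sequence ordering can be checked offline before the ACL goes on a box. It models only which ACE a given source/destination pair hits; where the ACL is applied and in which direction, which was the actual fix in the thread, is outside its scope. The object groups and ACE lines are copied from the posts; the sample flows in the main block are constructed, and the `host` keyword handled by the parser is a real NX-OS operand that the thread's ACLs happen not to use.

```python
"""Added example, not from the thread: a first-match evaluator for NX-OS-style
IPv4 ACLs, covering the 'network wildcard', 'prefix/len', 'any', 'host' and
'addrgroup' operands. It models ACE matching only, not where the ACL is applied."""
import ipaddress

# Object groups exactly as posted: name -> list of (network, wildcard) members.
OBJECT_GROUPS = {
    "BGPpeer": [("172.22.193.0", "0.0.0.255"), ("172.22.194.0", "0.0.0.255")],
    "loopback1": [("172.22.192.0", "0.0.0.255")],
    "private": [("192.168.0.0", "0.0.255.255"),
                ("172.18.0.0", "0.15.255.255"),
                ("10.0.0.0", "0.255.255.255")],
}

# The first post's test ACL and the final working ACL, as posted.
TEST1_TEXT = """
10 deny ip any 172.22.201.52/32
11 deny ip 172.22.201.52/32 any
90 permit ip 172.22.193.0 0.0.0.255 172.22.193.0 0.0.0.255
"""
ACCESLIST_TEXT = """
100 remark allow acces to Loopback subnet
101 permit ip any addrgroup loopback1
102 permit ip addrgroup loopback1 any
940 remark Allow BGP peer
941 permit ip addrgroup BGPpeer addrgroup BGPpeer
950 remark Deny all Private IP ranges (RFC1918)
951 deny ip addrgroup private any
1000 remark Allow any Public Ip ranges
1001 permit ip any any
"""


def wildcard_match(addr, network, wildcard):
    """True if addr is inside network/wildcard. A wildcard is an inverse mask:
    0 bits must equal the network, 1 bits are don't-care (0.0.0.255 is a /24;
    0.15.255.255 is a /12, so '172.18.0.0 0.15.255.255' covers 172.16.0.0/12)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _parse_operand(tokens, i):
    """Parse one source/destination operand at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "addrgroup":
        members = OBJECT_GROUPS[tokens[i + 1]]
        return (lambda ip: any(wildcard_match(ip, n, w) for n, w in members)), i + 2
    if tok == "host":  # real NX-OS keyword; not used by the thread's ACLs
        target = tokens[i + 1]
        return (lambda ip: ip == target), i + 2
    if "/" in tok:  # prefix form, e.g. 172.22.201.52/32
        net = ipaddress.IPv4Network(tok, strict=False)
        return (lambda ip: ipaddress.IPv4Address(ip) in net), i + 1
    net_addr, wc = tok, tokens[i + 1]  # 'network wildcard' form
    return (lambda ip: wildcard_match(ip, net_addr, wc)), i + 2


def parse_acl(text):
    """Parse 'seq action proto src dst' lines; remark lines never match and are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[1] == "remark":
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _parse_operand(tokens, 3)
        dst, _ = _parse_operand(tokens, i)
        aces.append((seq, action, proto, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching ACE in sequence order wins; if nothing matches, the
    platform's implicit deny applies (returned here with seq None)."""
    for seq, action, proto, src, dst in aces:
        if src(src_ip) and dst(dst_ip):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows (src, dst) run through the final ACL.
    acl = parse_acl(ACCESLIST_TEXT)
    for src, dst in [("172.22.193.100", "172.22.193.101"),  # BGP peer to peer
                     ("8.8.8.8", "172.22.193.100"),          # public source
                     ("10.1.2.3", "172.22.193.100"),         # private source
                     ("172.22.192.5", "10.0.0.1")]:          # loopback ACE precedes the deny
        print(src, "->", dst, evaluate(acl, src, dst))
```

Two things the run makes visible that are easy to miss when reading the ACL: the `private` group's `172.18.0.0 0.15.255.255` member covers the whole 172.16.0.0/12, so the interface subnet itself is "private" and only gets through because ACEs 101/102/941 are sequenced before 951; and the first post's `test1` ACL, evaluated on its own, does deny 172.22.193.100 to 172.22.201.52 at line 10, which is consistent with the thread's conclusion that the problem was where the ACL was applied rather than its contents.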
