
ACL not denying traffic

sejamc71
Level 1

I don't have a lot of experience with ACLs and I am trying to create an ACL on a switch that will block a specific subnet from accessing the other networks on the switch.

Network management IP of switches 10.0.22.0/23

switch A Mgmt IP 10.0.22.1

Switch L3 interfaces 172.16.22.0/23 - wired, 10.0.22.0/23-wireless mgmt, 10.0.24.0/23 - wireless and 10.10.24.0/23 - Guest

I want to create an ACL that will stop 10.10.24.0/23 from talking to the other subnets. I came up with the following, but it doesn't seem to be working.

L3 Interface Config

interface GigabitEthernet0/0/2.1124
description SBI-Guest
encapsulation dot1Q 1124
ip address 10.10.24.1 255.255.254.0
ip access-group Guest-Access in
ip helper-address 172.16.22.24
no ip redirects
!

ACL config

ip access-list extended Guest-Access
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
deny ip 10.10.24.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.10.24.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.10.24.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any
permit tcp any any

Any thoughts on why this is not working?


24 Replies

ip access-group Guest-Access OUT


Only change the direction of the ACL.

Thank you, I will try that


sejamc71
Level 1

That did not seem to work. I am still able to ping between subnets.

interface GigabitEthernet0/0/2.1124
description SBI-Guest
encapsulation dot1Q 1124
ip address 10.10.24.1 255.255.254.0
ip helper-address 172.16.22.24
no ip redirects
ip access-group Guest-Access out

deny ip 10.10.24.0 0.0.0.255 10.0.0.0 0.255.255.255

But the interface is 255.255.254.0

Match them and it will surely work.

sejamc71
Level 1

So I changed my ACL to the following, but I am still able to ping between subnets.

ip access-list extended Guest-Access
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit ip any any
permit tcp any any
deny ip 10.10.24.0 0.0.0.254 10.0.0.0 0.255.255.255
deny ip 10.10.24.0 0.0.0.254 172.16.0.0 0.15.255.255
deny ip 10.10.24.0 0.0.0.254 192.168.0.0 0.0.255.255


deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255

This must be the wildcard for 255.255.254.0.

Hello


@sejamc71 wrote:

Switch L3 interfaces 172.16.22.0/23 - wired, 10.0.22.0/23-wireless mgmt, 10.0.24.0/23 - wireless and 10.10.24.0/23 - Guest

I want to create an ACL that will stop 10.10.24.0/23 from talking to the other subnets. Any


So you have switch L3 SVIs; if so, I would apply the ACL on the subnet you wish to deny from the other VLANs.

ip access-list extended deny-subnets
deny ip any 10.0.22.0 0.0.1.255
deny ip any 10.0.24.0 0.0.1.255
deny ip any 10.10.24.0 0.0.1.255
permit ip any any

interface Vlan xx
ip address 172.16.22.x 255.255.254.0
ip access-group deny-subnets in



Kind Regards
Paul

This is what I have

ip access-list extended Guest-Access
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit ip any any
permit tcp any any
deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255
deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255
deny ip 10.10.24.0 0.0.1.255 192.168.0.0 0.0.255.255


interface GigabitEthernet0/0/2.1124
description SBI-Guest
encapsulation dot1Q 1124
ip address 10.10.24.1 255.255.254.0
ip helper-address 172.16.22.24
no ip redirects
ip access-group Guest-Access out
!

Hi, so does it work or not?

Sorry, it is not working. From a server on 172.16.22.xxx, I can ping the 10.10.24.1 subnet. I would think that I would not be able to ping from 172.16.22.xxx to the applicable subnet.

172.16.22.xxx >> 172.16.0.0 0.15.255.255  <<- this wildcard also has an issue; I think it must be 0.0.255.255

Also share
show access-list <<- let's see which lines have hit counts

I have an ACL in place. I am waiting on an onsite resource to do some testing. I have to be cautious so as to not cause a network outage or DHCP issue. I'm hoping to do more testing next week. If what I have doesn't work, I will try your ACL config above. Thank you

sejamc71
Level 1

sh access-lists

Extended IP access list Guest-Access
10 permit udp any any eq bootpc
20 permit udp any any eq bootps (4 matches)
30 permit udp any any eq domain (778 matches)
70 permit ip any any (211908 matches)
80 permit tcp any any
90 deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255
100 deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255
110 deny ip 10.10.24.0 0.0.1.255 192.168.0.0 0.0.255.255

Extended IP access list Guest-Access
10 permit udp any any eq bootpc
20 permit udp any any eq bootps (4 matches)
30 permit udp any any eq domain (778 matches)
70 permit ip any any (211908 matches) <<- this one is hit
80 permit tcp any any
90 deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255 <<- this does not work, since you added it without a line number and it takes by default a number below permit ip any any
100 deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255 
110 deny ip 10.10.24.0 0.0.1.255 192.168.0.0 0.0.255.255

Only remove the whole ACL with the
no access-list command
and enter the ACL again with the correct line numbers, and put the permit ip any any at the end of the ACL.


NOTE:- double check all the wildcards you use in the ACL.
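To see why the ordering, and not only the wildcard, is the problem, here is an added Python simulation of IOS first-match ACL evaluation; it is not part of the thread. The ACL text is copied from the poster's config, the hosts 10.10.24.50 and 172.16.22.24 are assumed, and port qualifiers such as eq bootpc are parsed but not enforced.

```python
import ipaddress

def wildcard_for_prefix(prefix_len):
    """Cisco wildcard for a /prefix_len network: the inverse of the subnet mask (/23 -> 0.0.1.255)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))

def wc_match(addr, net, wildcard):
    """Address matches when every bit the wildcard marks as 0 equals the network's bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [WC] DST [WC] [eq PORT]' into a dict; ports are ignored."""
    tok = line.split()
    ace = {"action": tok[0], "proto": tok[1]}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side] = ("0.0.0.0", "255.255.255.255"); i += 1
        elif tok[i] == "host":
            ace[side] = (tok[i + 1], "0.0.0.0"); i += 2
        else:
            ace[side] = (tok[i], tok[i + 1]); i += 2
    return ace

def evaluate(acl, proto, src, dst):
    """IOS-style first match: returns (action, 1-based ACE index), or ('deny', None) for the implicit deny."""
    for idx, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if wc_match(src, *ace["src"]) and wc_match(dst, *ace["dst"]):
            return ace["action"], idx
    return "deny", None

# Constructed from the thread: the poster's ACL, with permit ip any any ahead of the denies...
OP_ACL = [
    "permit udp any any eq bootpc",
    "permit udp any any eq bootps",
    "permit udp any any eq domain",
    "permit ip any any",
    "deny ip 10.10.24.0 0.0.1.255 10.0.0.0 0.255.255.255",
    "deny ip 10.10.24.0 0.0.1.255 172.16.0.0 0.15.255.255",
]
# ...and the same entries with the catch-all permit moved to the end, as the last reply advises.
FIXED_ACL = OP_ACL[:3] + OP_ACL[4:] + ["permit ip any any"]
# evaluate(OP_ACL, "icmp", "10.10.24.50", "172.16.22.24")    -> ("permit", 4): the deny is never reached
# evaluate(FIXED_ACL, "icmp", "10.10.24.50", "172.16.22.24") -> ("deny", 5)
```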
