551 Views, 2 Helpful, 4 Replies

ACL on c9300 issue

dragonhunt9111
Level 1

Hi friends,

I have a Catalyst 9300 switch in a simple topology like this:

PC admin -----------(int vlan 40)c9300-(int vlan 60)--------vCenter


I created an ACL on the C9300 to allow only the admin PC to access the vCenter web GUI:

ip access-list extended Vcenter
permit ip host 172.30.40.100 host 172.30.60.100
deny ip any any
exit
int vlan 60
ip access-group Vcenter out
exit

From the PC I can telnet to port 443 and reach the web GUI on vCenter. But the problem is that after opening the vCenter web GUI, I press the "Launch HTML" button


and it loads forever without showing the login screen.

Then I tried editing the ACL, changing the source to any:

permit ip host 172.30.40.100 host 172.30.60.100 => changed to: permit ip any host 172.30.60.100

Then it reaches vCenter without the above problem.

I also tried changing the source of the ACL to the full company subnet (172.30.0.0/16), but that did not work either; it only works when the source is any.

Does anyone have any ideas? Thank you!!

4 Replies

M02@rt37
VIP

Hello @dragonhunt9111 

You can enable logging to see if there are denied packets. This can help identify if there are additional ports or protocols being used by the vCenter that are being blocked.

ip access-list extended Vcenter
permit ip any host 172.30.60.100 log
deny ip any any log

Then check the logs to see if any packets are being denied that might be related to the issue.

Best regards

dragonhunt9111
Level 1

Dear all,

Finally, I found the cause: it is vCenter behavior.

When the PC accesses the vCenter web GUI, vCenter calls the DNS server; the DNS server then replies to vCenter, and that reply gets dropped by the ACL (which only permits the IP of my PC). I don't know why vCenter acts like that.

I found that it calls the DNS server while debugging IP packets on the 9300 switch.

Thanks all

Thanks for sharing your experience and the explanation of the issue and how you found it. Other participants in the community may find this helpful.

HTH

Rick

Hello
Looking at the ACL you had, it is applied the wrong way around; SVI ACL logic is:

Inside = originating from within the VLAN
Outside = originating outside the VLAN

So the ACL below should work while specifying a single host.

ip access-list extended Vcenter
permit ip host 172.30.60.100 host 172.30.40.100
exit

int vlan 60
ip access-group Vcenter IN


Kind Regards
Paul
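The DNS finding above and the earlier suggestion to log denies are easy to check on paper with a small first-match ACL evaluator. This is an added example, not code from the thread or from Cisco: it models the original outbound ACL on int vlan 60, then a tightened ACL that keeps the single admin host but adds a permit for DNS replies (UDP source port 53) to vCenter instead of opening the source to any. The DNS server address 172.30.10.53 is a constructed placeholder; the thread never names the real one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    sport: Optional[int] = None   # "eq <port>" after the source address
    dport: Optional[int] = None   # "eq <port>" after the destination
    log: bool = False

def _net(spec: str) -> ipaddress.IPv4Network:
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    return ipaddress.IPv4Network(spec)

def _matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.IPv4Address(pkt.src) in _net(ace.src)
            and ipaddress.IPv4Address(pkt.dst) in _net(ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an implicit 'deny ip any any' ends every IOS ACL."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action
    return "deny"

# ACL from the original post, applied outbound on int vlan 60 (toward vCenter).
ORIGINAL = [Ace("permit", "ip", "host 172.30.40.100", "host 172.30.60.100"),
            Ace("deny", "ip", "any", "any")]
# Tightened alternative: same single admin host, plus only the DNS replies
# vCenter needs (IOS: permit udp any eq 53 host 172.30.60.100), denies logged.
TIGHTENED = [Ace("permit", "ip", "host 172.30.40.100", "host 172.30.60.100"),
             Ace("permit", "udp", "any", "host 172.30.60.100", sport=53),
             Ace("deny", "ip", "any", "any", log=True)]
# Constructed traffic leaving the SVI toward VLAN 60; DNS server IP is a placeholder.
ADMIN_HTTPS = Packet("tcp", "172.30.40.100", "172.30.60.100", 51000, 443)
DNS_REPLY = Packet("udp", "172.30.10.53", "172.30.60.100", 53, 40000)
OTHER_HOST = Packet("tcp", "172.30.40.101", "172.30.60.100", 51001, 443)
```

Running `evaluate(ORIGINAL, DNS_REPLY)` reproduces the drop the original poster saw in the packet debug, while the tightened list permits it without letting a second admin-VLAN host through.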