10-26-2015 06:08 AM - edited 03-05-2019 02:36 AM
Hi All,
How can I apply an ACL to locally generated traffic from a 3550 switch?
I have set up an extended ACL in the inbound direction on the outside interface which blocks all locally generated traffic unless it is explicitly allowed.
I have set up a reflexive ACL, but it does not apply to locally generated traffic.
I know this is because locally generated traffic bypasses all access lists, but when the traffic returns it gets blocked by the inbound ACL on the outside interface.
I read an article mentioning that we could apply a route-map policy and re-enter the locally generated traffic back into the switch and out of the outside interface, but the switch does not have the ability to use route maps.
http://blog.ine.com/tag/reflexive-acls/
!
! Redirect local telnet traffic via the Loopback interface
!
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any eq 23
!
route-map LOCAL_POLICY 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! Traffic sent to Loopback interface re-enters the router
!
interface Loopback0
 ip address 150.1.6.6 255.255.255.50
!
! Apply the local-policy
!
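For reference, this is the full shape of the technique the linked article describes, written out as an added example on a generic IOS router (it is not the original poster's configuration and, as the thread notes, the 3550 cannot run the route-map part). The interface name FastEthernet0/0, the ACL names OUTBOUND, INBOUND and REFLECT, and the /32 loopback address are assumptions for illustration; the outbound ACL uses the reflect keyword so each permitted session creates a temporary entry, the inbound ACL evaluates those entries, and the local policy pushes router-originated telnet through Loopback0 so it re-enters forwarding as transit traffic and is seen by the outbound ACL.

```cisco
!
! Outbound ACL on the outside interface: every permitted session
! creates a temporary reflexive entry in REFLECT (assumed name)
!
ip access-list extended OUTBOUND
 permit tcp any any reflect REFLECT
 permit udp any any reflect REFLECT
 permit icmp any any reflect REFLECT
!
! Inbound ACL: admit only return traffic that matches a reflexive
! entry; everything else is denied and logged
!
ip access-list extended INBOUND
 evaluate REFLECT
 deny ip any any log
!
! Outside interface (assumed name)
!
interface FastEthernet0/0
 description OUTSIDE
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! Loopback that locally generated traffic is sent through so it
! re-enters the routing process and hits the outbound ACL
! (address and /32 mask are assumed for this example)
!
interface Loopback0
 ip address 150.1.6.6 255.255.255.255
!
! Classify the locally generated traffic to redirect (telnet here)
!
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any eq 23
!
route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! Local policy routing applies the route-map to router-originated
! packets, which is what makes them subject to the ACLs at all
!
ip local policy route-map LOCAL_POLICY
```

To check that it is working, open a telnet session from the router and then run show ip access-lists REFLECT; a temporary entry for the return direction should appear while the session is up, and the counters on the INBOUND evaluate line should increase as replies arrive. Without the ip local policy line the outbound telnet still leaves, but no reflexive entry is created and the replies are dropped by INBOUND, which is the symptom described in the original question.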
10-28-2015 08:36 AM
Hi,
We cannot apply an ACL to traffic generated by the switch. We can apply ACLs inbound and outbound to transmitted and received packets, but we cannot restrict the switch from generating traffic.
10-28-2015 09:52 AM
OK, the issue is: if you apply an inbound ACL on the outside interface then all traffic sent to the switch is blocked, right? Even if the switch initiates this traffic.
I know that when it is initiated it is not subject to inspection, but when it comes back it is.
So rather than predicting every single scenario and having a rule for it in the inbound ACL, is there an alternative?
10-28-2015 10:36 AM
Can you clarify where you set up the reflexive ACL, because the 3550 doesn't support them.
Jon
10-28-2015 10:46 AM
I did, and it worked for traffic through it. I know it was 12.something.
10-28-2015 10:48 AM
Okay, well that's news to me.
The only Catalyst switch I am aware of that supports them is the 6500.
Jon
10-28-2015 10:53 AM
I can take screenshots :)
I have an evaluate on the inbound ACL and a reflect on the outbound.
10-28-2015 11:08 AM
Is it working for clients connected to the switch?
It's just that reflexive ACLs have only really been supported on routers, just like NAT.
The fact that the 6500 supports them is down to its extra features.
Jon