Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
522
Views
0
Helpful
7
Replies

cisco switch reflective acl locally generated traffic

cisco8887
Level 2
Level 2

‎10-26-2015 06:08 AM - edited ‎03-05-2019 02:36 AM

Hi All,

 

how can I apply acl to locally generated traffic from a 3550 switch .

 

I have setup an extended acl on the inboud direction to outside interface which is blocking all traffics generated locally unless they are explicity allowed.

 

I have setup reflective acl but it does not apply to locally generated traffic

 

I  know this is because locally generated traffic bypass all access list but when the traffic returns it gets blocked due to inboud acl on outside interface.

 

I read an article mentioning we could apply route map policy and set the re enter the locally generated traffic back to the switch and out from outside interface but the switch does not have an ability for route maps.

 

http://blog.ine.com/tag/reflexive-acls/

 

 

!
! Redirect local telnet traffic via the Loopback interface
!
ip access-list extended LOCAL_TRAFFIC
 permit tcp any any eq 23
!
route-map LOCAL_POLICY 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0
!
! Traffic sent to Loopback interface re-enters the router
!
interface Loopback0
 ip address 150.1.6.6 255.255.255.50

!
! Apply the local-policy
!
Labels:
0 Helpful
7 Replies 7

NIKH.SHRI1
Level 1
Level 1

‎10-28-2015 08:36 AM

Hi,

We can not apply ACL on generating traffic by switch. We can apply ACL on inbound and outbound to transmit and receiving packets, but we cannt restrict switch to generate traffic.

0 Helpful

cisco8887
Level 2
Level 2
In response to NIKH.SHRI1

‎10-28-2015 09:52 AM

ok the issue is if you apply inbound acl on outside interface then all traffic sent to the switch is blocked right? even if the switch initiates this traffic .

I know when it is initiated it is not subject to inspection but when it comes back it is .

so rather than predecting all single scenarios and have a rule on inbound acl, is there an alternative ?

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to cisco8887

‎10-28-2015 10:36 AM

Can you clarify where you setup the reflexive acl because the 3550 doesn't support them.

Jon

0 Helpful

cisco8887
Level 2
Level 2
In response to Jon Marshall

‎10-28-2015 10:46 AM

I did and it worked for traffic through it . I know it was 12 . Something

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to cisco8887

‎10-28-2015 10:48 AM

Okay, well that's news to me.

The only Catalyst switch I am aware of that supports them is the 6500.

Jon

0 Helpful

cisco8887
Level 2
Level 2
In response to Jon Marshall

‎10-28-2015 10:53 AM

I can take screen shots :)

I have an evalute on inbound acl and reflective on outbound

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to cisco8887

‎10-28-2015 11:08 AM

Is it working for clients connected to the switch ?

It's just that reflexive acls have only really been supported on routers just like NAT.

The fact the 6500 supports them is down to it's extra features.

Jon

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card