09-28-2022 09:53 AM
The tech who implemented our network quit. I'm trying to modify the switch.
We have some Cisco SX550X-12F switches. The tech set up VLANs on the core switch. The core switch is using ACEs and ACLs to allow or prevent VLANs from talking to each other.
I'm trying to get 1 specific computer from VLAN3 to remote desktop into VLAN4. Based on his instructions, I go to "Access Control -> IPv4-based ACE". I choose my ACL Name (click Go). Now I see a list of ACEs.
I click Add, I enter the Source IP address with wildcard mask, then the destination with IP address and wildcard mask. When I click [Apply], I get an error:
"Cannot delete/modify ACE While the ACL is bound to an interface or Class-map."
A quick Google search says to look at Access Control -> ACL Binding (Vlan). They are all saying "Default action" is "Deny any". Is this where I change the binding? Select the VLAN name, then do I delete it or change it to Permit?
I looked at Access Control -> ACL Binding (Port) but I'm not sure if this is the right spot.
Am I going the right way? Or is there somewhere else to look?
Or am I in the wrong spot?
Can someone direct me where to look and maybe something for me to read up on how to resolve this? Thanks.
09-28-2022 12:58 PM
Hello
As the console message is stating, the ACL is tied into a class-map which is then probably assigned to a policy; as such it's not allowing any modification.
Can you share the running configuration of the switch and detail what access-list you are trying to change?
Lastly you may find it much easier from the CLI of the switch when modifying access-lists.
09-29-2022 11:18 AM - edited 09-29-2022 11:19 AM
Hi Paul, thanks for writing back. I'm a little hesitant to post the running configuration since that's the backbone of our system. I did search through the file; here is where the ACL is set up:
---
ip access-list extended VLAN_SIXTY
permit udp any netbios-ns any netbios-ns ace-priority 5
permit tcp any any 172.16.50.37 0.0.0.0 smtp ace-priority 7
permit udp any any 172.16.50.23 0.0.0.0 domain ace-priority 8
permit ip any 172.16.30.0 0.0.0.255 ace-priority 10
exit
---
In this situation, I want to update the 172.16.50.23 IP address since that computer no longer exists.
Further down I have:
!
interface vlan 60
name PRINTER
ip address 172.16.60.1 255.255.255.0
service-acl input VLAN_SIXTY
Is this the interface that is causing this "bound" error? Any suggestions on resolving it?
10-03-2022 09:36 AM
It does look like this is the interface that is causing the error. If you remove the line "service-acl input VLAN_SIXTY" you should be able to make changes in the access list. After you change the acl then restore that line to the interface. If you try this and still get the error then you should look for something else that references VLAN_SIXTY.
I am not clear what the impact would be on your network when you remove the line from the acl. You might want to make these changes during a maintenance window.
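The unbind, edit, rebind sequence from the answer above, written out as a CLI session. This is an added example, not from any of the posts; it assumes the Sx550X CLI forms `no service-acl input` (clears the binding) and `no permit ...` (removes one ACE), and `<NEW_DNS_IP>` is a placeholder for the replacement host, which the thread does not name.

```cisco
! Added example, not from the thread. Assumes Sx550X CLI syntax;
! <NEW_DNS_IP> is a placeholder for the address of the new DNS host.
configure terminal
! 1. Unbind the ACL from the VLAN 60 SVI. Between this step and step 3
!    VLAN 60 ingress traffic is no longer filtered by VLAN_SIXTY, which is
!    why the change belongs in a maintenance window.
interface vlan 60
 no service-acl input
 exit
! 2. Edit the ACL: drop the ACE that points at the retired host and add its
!    replacement with the same ace-priority so the evaluation order is kept.
ip access-list extended VLAN_SIXTY
 no permit udp any any 172.16.50.23 0.0.0.0 domain
 permit udp any any <NEW_DNS_IP> 0.0.0.0 domain ace-priority 8
 exit
! 3. Restore the binding exactly as it was in the running config, then
!    confirm the ACE list and save.
interface vlan 60
 service-acl input VLAN_SIXTY
 exit
end
show access-lists VLAN_SIXTY
copy running-config startup-config
```

If `show access-lists` still shows the old entry, the `no permit` form did not match the ACE exactly; the GUI page "Access Control -> IPv4-based ACE" can be used for step 2 instead, since the error in the first post only appears while the binding from step 1 is in place.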