06-03-2012 10:32 AM - edited 03-04-2019 04:33 PM
I applied an extended ACL on my Cisco 1941 router, but it didn't work. So I tried to apply a standard ACL, and that works. I'm not sure whether the IOS on my Cisco 1941 supports extended ACLs. My Cisco IOS is:
Cisco CISCO1941/K9
c1900-universalk9-mz.SPA.151-4.M1.bin
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None
Below are the extended and standard ACLs that I used to test on the Cisco 1941 GigabitEthernet interface.
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 7 in
ip flow ingress
duplex auto
speed auto
access-list 7 permit any
Result: all traffic can pass this interface.
Standard IP access list 7
10 permit any (688 matches)
----------------------------
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 100 in
ip flow ingress
duplex auto
speed auto
access-list 100 permit ip any any
Result: no traffic can pass this interface.
Extended IP access list 100
10 permit ip any any
--------------------------
How can I solve this problem? Is it an IOS bug or a hardware feature limitation?
06-04-2012 04:37 AM
This certainly seems to be buggy behavior. Access list 100 applied on the interface with ip access-group 100 in should work and the ping should be successful. I am surprised that it is not working. I do have a few suggestions:
- if this router is covered by a maintenance agreement then opening a case with Cisco TAC would be a good thing to do.
- I wonder if some other access list number might work. If you try, for example, access-list 150 permit ip any any and apply it to the interface, does it make any difference?
- c1900-universalk9-mz.SPA.151-4.M1.bin has been improved and updated. Can you try c1900-universalk9-mz.SPA.151-4.M4.bin and see if it works better?
HTH
Rick
06-03-2012 12:22 PM
I am not clear what the issue here is. But I know that 1941 routers with the IPBase license should support extended access lists on the Gig0/0 interface.
Please re-configure the interface with the extended access list. Then attempt to send some traffic. Then do these commands and post the output:
show access-list
show ip interface Gig0/0
HTH
Rick
06-03-2012 09:46 PM
Hi Rick.
I tried your advice: I configured it and sent ping traffic to this interface, but the extended access-list still does not work. Please see the result below.
Standard access-list result
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 7 in
ip flow ingress
duplex auto
speed auto
xxx#ping 172.29.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
xxx#sho access-lists 7
Standard IP access list 7
10 permit any (203 matches)
xxxn#sho ip interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 172.29.1.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is 7
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Ingress-NetFlow, Access List, MCI Check
Output features: Post-Ingress-NetFlow
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
----------------------------
Extended Access-list result
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 100 in
ip flow ingress
duplex auto
speed auto
xxx#ping 172.29.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.1.2, timeout is 2 seconds:
.....
xxx#sho access-lists 100
Extended IP access list 100
10 permit ip any any
xxx#sho ip int g0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 172.29.1.2/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.5 224.0.0.6
Outgoing access list is not set
Inbound access list is 100
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Ingress-NetFlow, Access List, MCI Check
Output features: Post-Ingress-NetFlow
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
Thanks
WIT
06-03-2012 11:46 PM
Can you try this one:
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 100 in
ip flow ingress
duplex auto
speed auto
Configure this access list:
ip access-list extended 100
permit tcp any any
permit udp any any
permit tcp any any eq 22
permit icmp any any echo
permit icmp any any traceroute
If this help then please rate.
Regards
06-04-2012 02:04 AM
Hi Sandeep
I just tried your configuration; it still does not work. The result was the same as with the last configuration.
06-04-2012 02:16 AM
Hi,
Could you post your sanitized running config and tell us from where you are trying this ping?
Regards.
Alain
06-04-2012 02:39 AM
Hi Alain,
Below is my router configuration
Current configuration : 3444 bytes
!
! Last configuration change at 09:20:03 UTC Mon Jun 4 2012 by aaabbb
! NVRAM config last updated at 11:16:51 UTC Mon May 21 2012 by aaabbb
! NVRAM config last updated at 11:16:51 UTC Mon May 21 2012 by aaabbb
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$Oo.I$WOvVZ1MJWkDqAXupZioCQ/
!
aaa new-model
!
!
aaa authentication enable default group radius
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
!
!
!
!
!
ip cef
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FGL160226BE
!
!
username aaabbb privilege 15 secret 5 $1$JRTo$mAU1yOzNFMH7jONZAMs/r0
!
!
!
!
!
!
interface Tunnel0
ip address 10.188.188.1 255.255.255.252
keepalive 10 3
tunnel source 10.100.118.238
tunnel destination 10.100.118.226
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 100 in
ip flow ingress
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.200.1 255.255.255.0
ip flow ingress
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface FastEthernet0/1/0
no ip address
!
interface FastEthernet0/1/1
no ip address
!
interface FastEthernet0/1/2
no ip address
!
interface FastEthernet0/1/3
no ip address
!
interface Vlan1
ip address 10.100.118.238 255.255.255.252
!
router ospf 100
network 10.100.118.236 0.0.0.3 area 0
network 172.29.1.0 0.0.0.255 area 0
!
router bgp 65000
bgp log-neighbor-changes
network 10.188.188.1 mask 255.255.255.255
neighbor 10.100.118.226 remote-as 65001
neighbor 10.100.118.226 shutdown
neighbor 10.100.118.226 ebgp-multihop 4
neighbor 10.100.118.226 update-source Vlan1
neighbor 10.100.118.226 prefix-list BGP_UIH out
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.200.2
ip route 10.3.56.0 255.255.255.0 172.29.1.1
ip route 172.15.1.0 255.255.255.0 172.29.1.1
ip route 172.17.1.0 255.255.255.0 172.29.1.1
ip route 172.20.1.0 255.255.255.0 172.29.1.254
ip route 172.20.10.0 255.255.255.0 172.29.1.254
ip route 172.21.10.0 255.255.255.0 172.29.1.254
ip route 172.21.20.0 255.255.255.0 172.29.1.254
ip route 172.27.1.16 255.255.255.252 172.29.1.1
ip route 172.31.200.0 255.255.255.0 172.29.1.254
ip route 172.32.100.0 255.255.255.0 172.29.1.1
!
ip access-list extended test
permit ip any any
!
!
ip prefix-list BGP_UIH seq 5 permit 10.188.188.1/32
ip sla responder
access-list 7 permit any
access-list 90 permit 10.188.188.1
access-list 99 permit 172.20.1.0 0.0.0.255
access-list 100 permit ip any any
access-list 199 permit ip 172.20.1.0 0.0.0.255 192.168.103.0 0.0.0.255
!
arp 172.29.1.254 0c85.25fa.2145 ARPA
route-map AAAA permit 10
match ip address 99
!
route-map AAAA deny 15
!
route-map test permit 10
match ip address 199
set interface Tunnel0
!
route-map test permit 20
!
!
!
!
!
control-plane
!
!
!
line con 0
privilege level 15
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input all
!
scheduler allocate 20000 1000
!
end
I ping from the xxx router on which I applied the access-list.
Thanks
WIT
06-04-2012 02:49 AM
Hi,
Can you do this:
debug interface g0/0
debug ip pack detail 198
debug arp
conf t
access-list 198 permit icmp any any
logging buffered debug
logging buffered 100000
logging console 6
do clear access-list counters
do clear arp
do ping 172.29.1.2 rep 1
do sh arp
do sh log
do sh access-list 100
and post the outputs from the 3 show commands.
Regards.
Alain
06-04-2012 03:34 AM
Hi Alain,
Please see result below.
xxx(config)#do sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.100.118.237 0 0010.dbec.4226 ARPA Vlan1
Internet 10.100.118.238 - 2894.0f2a.fd63 ARPA Vlan1
Internet 172.29.1.1 0 c89c.1dd1.4681 ARPA GigabitEthernet0/0
Internet 172.29.1.2 - 2894.0f2a.fd60 ARPA GigabitEthernet0/0
Internet 172.29.1.254 - 0c85.25fa.2145 ARPA
Internet 192.168.200.1 - 2894.0f2a.fd61 ARPA GigabitEthernet0/1
Internet 192.168.200.2 0 0050.7fcc.8ce4 ARPA GigabitEthernet0/1
xxx(config)#do sh log
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level informational, 180 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 40 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 183 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (100000 bytes):
Jun 4 10:32:19.430: ARP: flushing ARP entries for all interfaces
Jun 4 10:32:19.430: IP ARP: sent rep src 172.29.1.2 2894.0f2a.fd60,
dst 172.29.1.2 ffff.ffff.ffff GigabitEthernet0/0
Jun 4 10:32:19.430: IP ARP: sent rep src 192.168.200.1 2894.0f2a.fd61,
dst 192.168.200.1 ffff.ffff.ffff GigabitEthernet0/1
Jun 4 10:32:19.430: IP ARP: sent rep src 10.100.118.238 2894.0f2a.fd63,
dst 10.100.118.238 ffff.ffff.ffff Vlan1
Jun 4 10:32:19.430: IP ARP: sent req src 10.100.118.238 2894.0f2a.fd63,
dst 10.100.118.237 0010.dbec.4226 Vlan1
Jun 4 10:32:19.430: IP ARP: sent req src 192.168.200.1 2894.0f2a.fd61,
dst 192.168.200.2 0050.7fcc.8ce4 GigabitEthernet0/1
Jun 4 10:32:19.430: IP ARP: sent req src 172.29.1.2 2894.0f2a.fd60,
dst 172.29.1.1 c89c.1dd1.4681 GigabitEthernet0/0
Jun 4 10:32:19.430: IP ARP: rcvd rep src 192.168.200.2 0050.7fcc.8ce4, dst 192.168.200.1 GigabitEthernet0/1
Jun 4 10:32:19.430: IP ARP: rcvd rep src 172.29.1.1 c89c.1dd1.4681, dst 172.29.1.2 GigabitEthernet0/0
Jun 4 10:32:19.430: IP ARP: rcvd rep src 10.100.118.237 0010.dbec.4226, dst 10.100.118.238 Vlan1
Jun 4 10:32:19.758: IP: s=172.21.20.15, d=192.168.103.22, pak 29DC6254 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:32:20.682: IP: s=172.21.20.15, d=192.168.103.22, pak 30483D10 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
xxx(config)#do sh access-list 100
Extended IP access list 100
10 permit ip any any
06-04-2012 03:38 AM
Additional info.
I think I have to apply "ip access-group 198 in" on int gi0/0 and show access-list 198.
xxx#sho access-lists 198
Extended IP access list 198
10 permit icmp any any
I found the log below.
Jun 4 10:35:05.374: IP: s=172.29.1.2, d=172.29.1.2, pak 29DB86D4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:35:07.374: IP: s=172.29.1.2, d=172.29.1.2, pak 3141F3E4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:35:07.374: IP: s=172.29.1.2, d=172.29.1.2, pak 299A23C4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:35:09.374: IP: s=172.29.1.2, d=172.29.1.2, pak 28EE99C8 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:35:11.374: IP: s=172.29.1.2, d=172.29.1.2, pak 30483D10 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
I'm not sure, is this the reason that the extended access-list is not working?
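As an added example (not from this thread and not Cisco's own code), a Python script that applies the diagnostic Alain asked for above: it reads `debug ip packet detail` lines together with `show access-lists` output and flags the pattern posted here, where packets are consumed by the Access List input feature while the applied ACL's only entry, `permit ip any any`, shows no matches. The sample log and ACL text below are constructed from the posted output; the ACL name and verdict strings are this example's own.

```python
import re
from collections import Counter

# Constructed samples, modelled on the debug and show output posted in the thread.
DEBUG_LOG = """\
Jun 4 10:35:05.374: IP: s=172.29.1.2, d=172.29.1.2, pak 29DB86D4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:35:07.374: IP: s=172.29.1.2, d=172.29.1.2, pak 3141F3E4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Jun 4 10:32:19.758: IP: s=172.21.20.15, d=192.168.103.22, pak 29DC6254 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
"""
ACL_OUTPUT = """\
Standard IP access list 7
    10 permit any (203 matches)
Extended IP access list 100
    10 permit ip any any
"""

# One "consumed in input feature" line: source, destination and the feature that ate the packet.
DEBUG_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+), d=(?P<dst>[\d.]+), pak [0-9A-Fa-f]+ consumed in input feature"
    r"\s*,\s*packet consumed,\s*(?P<feature>[^(]+?)\s*\(\d+\)")
ACL_HDR_RE = re.compile(r"^(?:Standard|Extended) IP access list (?P<name>\S+)\s*$")
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rule>.+?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?\s*$")

def parse_debug(text):
    """Return one dict per packet the input path consumed, with the consuming feature."""
    return [m.groupdict() for m in (DEBUG_RE.search(l) for l in text.splitlines()) if m]

def parse_acls(text):
    """Map ACL name -> list of ACEs (seq, action, rule, matches); missing counter means 0 hits."""
    acls, current = {}, None
    for line in text.splitlines():
        hdr = ACL_HDR_RE.match(line)
        if hdr:
            current = acls.setdefault(hdr.group("name"), [])
            continue
        ace = ACE_RE.match(line)
        if ace and current is not None:
            d = ace.groupdict()
            d["matches"] = int(d["matches"] or 0)
            current.append(d)
    return acls

def diagnose(debug_text, acl_text, acl_name):
    """Correlate ACL-feature drops with the hit counters of the ACL applied on the interface."""
    drops = [e for e in parse_debug(debug_text) if e["feature"] == "Access List"]
    aces = parse_acls(acl_text).get(acl_name, [])
    hits = sum(a["matches"] for a in aces)
    permits_all = any(a["action"] == "permit" and a["rule"] in ("any", "ip any any") for a in aces)
    if drops and permits_all and hits == 0:
        verdict = "anomaly"      # feature drops packets a permit-all ACL never counted: suspect platform/IOS defect
    elif drops:
        verdict = "acl-drop"     # drops are explained by the ACL entries themselves
    else:
        verdict = "ok"
    return {"consumed": len(drops), "ace_hits": hits, "verdict": verdict,
            "flows": Counter((e["src"], e["dst"]) for e in drops)}

if __name__ == "__main__":
    print(diagnose(DEBUG_LOG, ACL_OUTPUT, "100"))
```

A verdict of "anomaly" is the signal to do what Rick suggests: compare against another ACL number and a newer IOS image, and open a TAC case if the behaviour persists.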
06-04-2012 02:43 AM
Hi Sandeep,
I tried to apply your configuration again; it still does not work.
Thanks
WIT
06-04-2012 02:46 AM
Hi, please correct your config:
ip access-list extended test
permit ip any any
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group 100 in      <<-- replace this with: ip access-group test in
ip flow ingress
duplex auto
speed auto
Your extended access-list name and the name you apply on the interface must be the same.
Correct your config and try: it will work 100%.
I am attaching the whole new config for you;
please check what the changes are:
Regards
Sandeep
06-04-2012 02:58 AM
Dear Sandeep,
I tried to apply the configuration below (as you suggested). It's still not working.
interface GigabitEthernet0/0
ip address 172.29.1.2 255.255.255.0
ip access-group test in
ip flow ingress
duplex auto
speed auto
ip access-list extended test
permit ip any any
xxx#ping 172.29.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.1.1, timeout is 2 seconds:
.....
Thanks,
WIT
06-04-2012 03:21 AM
Hi
Post the output of these here:
sh ip route
sh interface GigabitEthernet0/0
xxx#ping 172.29.1.2
xxx#ping 172.29.1.1
06-04-2012 03:46 AM
Hello,
Please see result below.
xxx#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.200.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.200.2
10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks
S 10.3.56.0/24 [1/0] via 172.29.1.1
O E2 10.100.118.224/30 [110/0] via 10.100.118.237, 2d23h, Vlan1
O E2 10.100.118.228/30 [110/0] via 10.100.118.237, 7w0d, Vlan1
C 10.100.118.236/30 is directly connected, Vlan1
L 10.100.118.238/32 is directly connected, Vlan1
O E2 10.100.118.240/30 [110/0] via 10.100.118.237, 1w1d, Vlan1
C 10.188.188.0/30 is directly connected, Tunnel0
L 10.188.188.1/32 is directly connected, Tunnel0
172.15.0.0/24 is subnetted, 1 subnets
S 172.15.1.0 [1/0] via 172.29.1.1
172.17.0.0/24 is subnetted, 1 subnets
S 172.17.1.0 [1/0] via 172.29.1.1
172.20.0.0/24 is subnetted, 2 subnets
S 172.20.1.0 [1/0] via 172.29.1.254
S 172.20.10.0 [1/0] via 172.29.1.254
172.21.0.0/24 is subnetted, 2 subnets
S 172.21.10.0 [1/0] via 172.29.1.254
S 172.21.20.0 [1/0] via 172.29.1.254
172.27.0.0/30 is subnetted, 1 subnets
S 172.27.1.16 [1/0] via 172.29.1.1
172.29.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.29.1.0/24 is directly connected, GigabitEthernet0/0
L 172.29.1.2/32 is directly connected, GigabitEthernet0/0
172.31.0.0/24 is subnetted, 1 subnets
S 172.31.200.0 [1/0] via 172.29.1.254
172.32.0.0/24 is subnetted, 1 subnets
S 172.32.100.0 [1/0] via 172.29.1.1
192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.200.0/24 is directly connected, GigabitEthernet0/1
L 192.168.200.1/32 is directly connected, GigabitEthernet0/1
xxx#sh interface GigabitEthernet0/0
GigabitEthernet0/0 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 2894.0f2a.fd60 (bia 2894.0f2a.fd60)
Internet address is 172.29.1.2/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 255/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:05, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 21000 bits/sec, 9 packets/sec
5 minute output rate 26000 bits/sec, 8 packets/sec
96062788 packets input, 2446708931 bytes, 0 no buffer
Received 267781 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 267711 multicast, 0 pause input
89102613 packets output, 2350737648 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
178466 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
xxx#ping 172.29.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
xxx#ping 172.29.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Thanks,
WIT