cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6783
Views
0
Helpful
20
Replies

Extended ACL not work on cisco 1941

horboyz123
Level 1
Level 1

I apply extended ACL on my router cisco 1941, but it didn't work. So I tried to apply standard ACL, it's work. I'm not sure about my cisco 1941 IOS is support extended ACL. My cisco IOS is

Cisco CISCO1941/K9

c1900-universalk9-mz.SPA.151-4.M1.bin

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      None          None           None

data          None          None           None

Below is extended and standard ACL that I use to test apply on cisco 1941 gigabit ethernet interface

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 7 in

ip flow ingress

duplex auto

speed auto

access-list 7 permit any

Result: All traffic can pass this interface

Standard IP access list 7

    10 permit any (688 matches)

----------------------------

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 100 in

ip flow ingress

duplex auto

speed auto

access-list 100 permit ip any any

Result: All traffic never pass this interface

Extended IP access list 100

    10 permit ip any any

--------------------------

How can I solve this problem ?? Is it IOS bug or limit feature on hardware.

1 Accepted Solution

Accepted Solutions

This certainly seems to be buggy behavior. Access list 100 applied on the interface with ip access-group 100 in should work and the ping should be successful. I am surprised that it is not working. I do have a few suggestions:

- if this router is covered by a maintenance agreement  then opening a case with Cisco TAC would be a good thing to do.

- I wonder if some other access list number might work. If you tried, for example access-list 150 permit ip any any and apply it to the interface does it make any difference.

- c1900-universalk9-mz.SPA.151-4.M1.bin has been improved and updated. Can you try c1900-universalk9-mz.SPA.151-4.M4.bin and see if it works better?

HTH

Rick

HTH

Rick

View solution in original post

20 Replies 20

Richard Burts
Hall of Fame
Hall of Fame

I am not clear what the issue here is. But I know that 1941 routers with the IPBase license should support extended access lists on the Gig0/0 interface.

Please re-configure the interface with the extended access list. Then attempt to send some traffic. Then do these commands and post the output:

show access-list

show ip interface Gig0/0

HTH

Rick

HTH

Rick

Hi Rick.

     I tried to do with your advice configure and send ping traffic to this interface, so extended access-list still not work. Please see result below.

Standard access-list result

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 7 in

ip flow ingress

duplex auto

speed auto

xxx#ping 172.29.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.29.1.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

xxx#sho access-lists 7

Standard IP access list 7

    10 permit any (203 matches)

xxxn#sho ip interface gigabitEthernet 0/0

GigabitEthernet0/0 is up, line protocol is up

  Internet address is 172.29.1.2/24

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.5 224.0.0.6

  Outgoing access list is not set

  Inbound  access list is 7

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: Ingress-NetFlow, Access List, MCI Check

  Output features: Post-Ingress-NetFlow

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

----------------------------

Extended Access-list result

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 100 in

ip flow ingress

duplex auto

speed auto

xxx#ping 172.29.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.29.1.2, timeout is 2 seconds:

.....

xxx#sho access-lists 100

Extended IP access list 100

    10 permit ip any any

xxx#sho ip int g0/0

GigabitEthernet0/0 is up, line protocol is up

  Internet address is 172.29.1.2/24

  Broadcast address is 255.255.255.255

  Address determined by non-volatile memory

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Multicast reserved groups joined: 224.0.0.5 224.0.0.6

  Outgoing access list is not set

  Inbound  access list is 100

  Proxy ARP is enabled

  Local Proxy ARP is disabled

  Security level is default

  Split horizon is enabled

  ICMP redirects are always sent

  ICMP unreachables are always sent

  ICMP mask replies are never sent

  IP fast switching is enabled

  IP fast switching on the same interface is disabled

  IP Flow switching is disabled

  IP CEF switching is enabled

  IP CEF switching turbo vector

  IP multicast fast switching is enabled

  IP multicast distributed fast switching is disabled

  IP route-cache flags are Fast, CEF

  Router Discovery is disabled

  IP output packet accounting is disabled

  IP access violation accounting is disabled

  TCP/IP header compression is disabled

  RTP/IP header compression is disabled

  Policy routing is disabled

  Network address translation is disabled

  BGP Policy Mapping is disabled

  Input features: Ingress-NetFlow, Access List, MCI Check

  Output features: Post-Ingress-NetFlow

  WCCP Redirect outbound is disabled

  WCCP Redirect inbound is disabled

  WCCP Redirect exclude is disabled

Thanks

WIT

can you try this one:

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 100 in

ip flow ingress

duplex auto

speed auto

Config this access list:

ip access-list extended 100

permit tcp any any

permit udp any any

permit tcp any any eq 22

permit icmp any any echo

permit icmp any any traceroute

If this help then please rate.

Regards

Hi Sandeep

I just tried your configure, it's still not work. The result was same as last configure.

Hi,

Could you post your sanitized running config and tell us from where you are trying this ping.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Below is my router configuration

Current configuration : 3444 bytes

!

! Last configuration change at 09:20:03 UTC Mon Jun 4 2012 by aaabbb

! NVRAM config last updated at 11:16:51 UTC Mon May 21 2012 by aaabbb

! NVRAM config last updated at 11:16:51 UTC Mon May 21 2012 by aaabbb

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname xxx

!

boot-start-marker

boot-end-marker

!

!

enable secret 5 $1$Oo.I$WOvVZ1MJWkDqAXupZioCQ/

!

aaa new-model

!

!

aaa authentication enable default group radius

!

!

!

!

!

aaa session-id common

!

no ipv6 cef

!

!

!

!

!

ip cef

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1941/K9 sn FGL160226BE

!

!

username aaabbb privilege 15 secret 5 $1$JRTo$mAU1yOzNFMH7jONZAMs/r0

!

!

!

!

!

!

interface Tunnel0

ip address 10.188.188.1 255.255.255.252

keepalive 10 3

tunnel source 10.100.118.238

tunnel destination 10.100.118.226

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 100 in

ip flow ingress

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 192.168.200.1 255.255.255.0

ip flow ingress

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

clock rate 2000000

!

interface Serial0/0/1

no ip address

shutdown

clock rate 2000000

!

interface FastEthernet0/1/0

no ip address

!

interface FastEthernet0/1/1

no ip address

!

interface FastEthernet0/1/2

no ip address

!

interface FastEthernet0/1/3

no ip address

!

interface Vlan1

ip address 10.100.118.238 255.255.255.252

!

router ospf 100

network 10.100.118.236 0.0.0.3 area 0

network 172.29.1.0 0.0.0.255 area 0

!

router bgp 65000

bgp log-neighbor-changes

network 10.188.188.1 mask 255.255.255.255

neighbor 10.100.118.226 remote-as 65001

neighbor 10.100.118.226 shutdown

neighbor 10.100.118.226 ebgp-multihop 4

neighbor 10.100.118.226 update-source Vlan1

neighbor 10.100.118.226 prefix-list BGP_UIH out

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.200.2

ip route 10.3.56.0 255.255.255.0 172.29.1.1

ip route 172.15.1.0 255.255.255.0 172.29.1.1

ip route 172.17.1.0 255.255.255.0 172.29.1.1

ip route 172.20.1.0 255.255.255.0 172.29.1.254

ip route 172.20.10.0 255.255.255.0 172.29.1.254

ip route 172.21.10.0 255.255.255.0 172.29.1.254

ip route 172.21.20.0 255.255.255.0 172.29.1.254

ip route 172.27.1.16 255.255.255.252 172.29.1.1

ip route 172.31.200.0 255.255.255.0 172.29.1.254

ip route 172.32.100.0 255.255.255.0 172.29.1.1

!

ip access-list extended test

permit ip any any

!

!

ip prefix-list BGP_UIH seq 5 permit 10.188.188.1/32

ip sla responder

access-list 7 permit any

access-list 90 permit 10.188.188.1

access-list 99 permit 172.20.1.0 0.0.0.255

access-list 100 permit ip any any

access-list 199 permit ip 172.20.1.0 0.0.0.255 192.168.103.0 0.0.0.255

!

arp 172.29.1.254 0c85.25fa.2145 ARPA

route-map AAAA permit 10

match ip address 99

!

route-map AAAA deny 15

!

route-map test permit 10

match ip address 199

set interface Tunnel0

!

route-map test permit 20

!

!

!

!

!

control-plane

!

!

!

line con 0

privilege level 15

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

transport input all

!

scheduler allocate 20000 1000

!

end

I ping from the xxx router that I applied access-list.

Thanks

WIT

Hi,

can you do this:

debug interface g0/0

debug ip pack detail 198

debug arp

conf t

access-list 198 permit icmp any any

logging buffered debug

logging buffered 100000

logging console 6

do clear access-list counters

do clear arp

do ping 172.129.1.2 rep 1

do sh arp

do sh log

do sh access-list 100

and post outputs from the 3 show commands.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Please see result below.

xxx(config)#do sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.100.118.237          0   0010.dbec.4226  ARPA   Vlan1

Internet  10.100.118.238          -   2894.0f2a.fd63  ARPA   Vlan1

Internet  172.29.1.1              0   c89c.1dd1.4681  ARPA   GigabitEthernet0/0

Internet  172.29.1.2              -   2894.0f2a.fd60  ARPA   GigabitEthernet0/0

Internet  172.29.1.254            -   0c85.25fa.2145  ARPA

Internet  192.168.200.1           -   2894.0f2a.fd61  ARPA   GigabitEthernet0/1

Internet  192.168.200.2           0   0050.7fcc.8ce4  ARPA   GigabitEthernet0/1

xxx(config)#do sh log

Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level informational, 180 messages logged, xml disabled,

                     filtering disabled

    Monitor logging: level debugging, 0 messages logged, xml disabled,

                     filtering disabled

    Buffer logging:  level debugging, 40 messages logged, xml disabled,

                    filtering disabled

    Exception Logging: size (4096 bytes)

    Count and timestamp logging messages: disabled

    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 183 message lines logged

        Logging Source-Interface:       VRF Name:

Log Buffer (100000 bytes):

Jun  4 10:32:19.430: ARP: flushing ARP entries for all interfaces

Jun  4 10:32:19.430: IP ARP: sent rep src 172.29.1.2 2894.0f2a.fd60,

                 dst 172.29.1.2 ffff.ffff.ffff GigabitEthernet0/0

Jun  4 10:32:19.430: IP ARP: sent rep src 192.168.200.1 2894.0f2a.fd61,

                 dst 192.168.200.1 ffff.ffff.ffff GigabitEthernet0/1

Jun  4 10:32:19.430: IP ARP: sent rep src 10.100.118.238 2894.0f2a.fd63,

                 dst 10.100.118.238 ffff.ffff.ffff Vlan1

Jun  4 10:32:19.430: IP ARP: sent req src 10.100.118.238 2894.0f2a.fd63,

                 dst 10.100.118.237 0010.dbec.4226 Vlan1

Jun  4 10:32:19.430: IP ARP: sent req src 192.168.200.1 2894.0f2a.fd61,

                 dst 192.168.200.2 0050.7fcc.8ce4 GigabitEthernet0/1

Jun  4 10:32:19.430: IP ARP: sent req src 172.29.1.2 2894.0f2a.fd60,

                 dst 172.29.1.1 c89c.1dd1.4681 GigabitEthernet0/0

Jun  4 10:32:19.430: IP ARP: rcvd rep src 192.168.200.2 0050.7fcc.8ce4, dst 192.168.200.1 GigabitEthernet0/1

Jun  4 10:32:19.430: IP ARP: rcvd rep src 172.29.1.1 c89c.1dd1.4681, dst 172.29.1.2 GigabitEthernet0/0

Jun  4 10:32:19.430: IP ARP: rcvd rep src 10.100.118.237 0010.dbec.4226, dst 10.100.118.238 Vlan1

Jun  4 10:32:19.758:  IP: s=172.21.20.15, d=192.168.103.22, pak 29DC6254 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun  4 10:32:20.682:  IP: s=172.21.20.15, d=192.168.103.22, pak 30483D10 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

xxx(config)#do sh access-list 100

Extended IP access list 100

    10 permit ip any any

Additionnal info.

I think I have to apply "ip access-group 198 in" on int gi0/0 and show access-list 198.

xxx#sho access-lists 198

Extended IP access list 198

    10 permit icmp any any

I found log below.

Jun  4 10:35:05.374:  IP: s=172.29.1.2, d=172.29.1.2, pak 29DB86D4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun  4 10:35:07.374:  IP: s=172.29.1.2, d=172.29.1.2, pak 3141F3E4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun  4 10:35:07.374:  IP: s=172.29.1.2, d=172.29.1.2, pak 299A23C4 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun  4 10:35:09.374:  IP: s=172.29.1.2, d=172.29.1.2, pak 28EE99C8 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Jun  4 10:35:11.374:  IP: s=172.29.1.2, d=172.29.1.2, pak 30483D10 consumed in input feature , packet consumed, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

I'm not sure, is it the problem that extended access-list is not work ?

Hi Sandeep,

     I tried to apply your configure again, it's still not work.

Thanks

WIT

hi please correct your config  :

ip access-list extended test

permit ip any any

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group 100 in------------>>>>>>>put this>>>>>--(ip access-list extended test in)

ip flow ingress

duplex auto

speed auto

your extended access-list anme and where you are applying(To the interface) this list, the name should be same.

correct your config and try: it will work 100%.

I am attaching the whole new config for u:

please check...what is the changes:

Regards

Sandeep

Dear Sandeep,

I tried to apply below configure (As your suggest). It's sitll not work

interface GigabitEthernet0/0

ip address 172.29.1.2 255.255.255.0

ip access-group test in

ip flow ingress

duplex auto

speed auto

ip access-list extended test

permit ip any any

xxx#ping 172.29.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.29.1.1, timeout is 2 seconds:

.....

Thanks,

WIT

Hi

write here

sh ip route

sh interface GigabitEthernet0/0

xxx#ping 172.29.1.2

xxx#ping 172.29.1.1

Hello,

Please see result below.

xxx#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 192.168.200.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.200.2

      10.0.0.0/8 is variably subnetted, 8 subnets, 3 masks

S        10.3.56.0/24 [1/0] via 172.29.1.1

O E2     10.100.118.224/30 [110/0] via 10.100.118.237, 2d23h, Vlan1

O E2     10.100.118.228/30 [110/0] via 10.100.118.237, 7w0d, Vlan1

C        10.100.118.236/30 is directly connected, Vlan1

L        10.100.118.238/32 is directly connected, Vlan1

O E2     10.100.118.240/30 [110/0] via 10.100.118.237, 1w1d, Vlan1

C        10.188.188.0/30 is directly connected, Tunnel0

L        10.188.188.1/32 is directly connected, Tunnel0

      172.15.0.0/24 is subnetted, 1 subnets

S        172.15.1.0 [1/0] via 172.29.1.1

      172.17.0.0/24 is subnetted, 1 subnets

S        172.17.1.0 [1/0] via 172.29.1.1

      172.20.0.0/24 is subnetted, 2 subnets

S        172.20.1.0 [1/0] via 172.29.1.254

S        172.20.10.0 [1/0] via 172.29.1.254

      172.21.0.0/24 is subnetted, 2 subnets

S        172.21.10.0 [1/0] via 172.29.1.254

S        172.21.20.0 [1/0] via 172.29.1.254

      172.27.0.0/30 is subnetted, 1 subnets

S        172.27.1.16 [1/0] via 172.29.1.1

      172.29.0.0/16 is variably subnetted, 2 subnets, 2 masks

C        172.29.1.0/24 is directly connected, GigabitEthernet0/0

L        172.29.1.2/32 is directly connected, GigabitEthernet0/0

      172.31.0.0/24 is subnetted, 1 subnets

S        172.31.200.0 [1/0] via 172.29.1.254

      172.32.0.0/24 is subnetted, 1 subnets

S        172.32.100.0 [1/0] via 172.29.1.1

      192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.200.0/24 is directly connected, GigabitEthernet0/1

L        192.168.200.1/32 is directly connected, GigabitEthernet0/1

xxx#sh interface GigabitEthernet0/0

GigabitEthernet0/0 is up, line protocol is up

  Hardware is CN Gigabit Ethernet, address is 2894.0f2a.fd60 (bia 2894.0f2a.fd60)

  Internet address is 172.29.1.2/24

  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,

     reliability 255/255, txload 255/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full Duplex, 1Gbps, media type is RJ45

  output flow-control is unsupported, input flow-control is unsupported

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:00:05, output 00:00:00, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 21000 bits/sec, 9 packets/sec

  5 minute output rate 26000 bits/sec, 8 packets/sec

     96062788 packets input, 2446708931 bytes, 0 no buffer

     Received 267781 broadcasts (0 IP multicasts)

     0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog, 267711 multicast, 0 pause input

     89102613 packets output, 2350737648 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     178466 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     1 lost carrier, 0 no carrier, 0 pause output

     0 output buffer failures, 0 output buffers swapped out

xxx#ping 172.29.1.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.29.1.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

xxx#ping 172.29.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.29.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

Thanks,

WIT

Review Cisco Networking for a $25 gift card