IP route over-riding access list

DavidGIP
Level 1

Hello.

We have a company that manages DHCP for us, as well as monitoring our outside customer ONTs and modems. We currently have a tunnel with them through our Core Cisco 6500 switch. They have inquired about integrating their program with the Adtran AOE program, which currently resides in our data center. We have no problem with this, but the simple issue is that while they can ping across the tunnel, they cannot ping our AOE server. The reason is that we locked down access to the data center in our 6500 via IP access lists.

Is there a way to allow access to that particular IP while keeping our data center locked down for everyone else?

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello @DavidGIP ,

>> Is there a way to allow access to that particular IP while keeping our data center locked down for everyone else? 

Yes, if you are using extended ACLs you need to add a statement (a line) that allows the specified host to access the subnet block where the server is.

Depending on how the ACLs are implemented, you may need to modify two ACLs, one per direction.

Example (lines to be added to existing ACL 110):

access-list 110 remark allow host from partner
access-list 110 permit ip host A.B.C.D 10.10.0.0 0.0.255.255

Edit:

Depending on the data center design, changes to the routing may be needed to make the return traffic go back to your Catalyst 6500 instead of going out to the internet.

Hope to help

Giuseppe


6 Replies

Sorry for the late response. This was correct. I just had to add the "permit ip host A.B.C.D 10.10.0.0 0.0.255.255" into the ip access-list.

Once I added it correctly, it allowed traffic to go through.

 

Thank you for the help!

Hello @DavidGIP ,

nice to read it worked

Best Regards

Giuseppe

 

DavidGIP
Level 1

Thank you for the information. I realized afterwards that I gave the wrong information. It is not an access-list but an IP access list that is locking down our data center:

ip access-list standard datacenterlockdown
deny 10.a.a.a 0.0.0.255
permit 10.b.b.b 0.0.0.255
permit 10.c.c.c 0.0.0.3
permit 10.1.d.d 0.0.0.255 <--- this is the particular ip block in question
permit 10.e.e.e 0.0.0.15
permit 10.f.f.f 0.0.0.7
permit 10.g.g.g 0.0.0.255

 

Perhaps we need a better understanding of the environment. The access list you posted seems to permit the traffic in question. If it is not working, then probably there is something else in the environment that is preventing access.

Why are you using a.a.a, b.b.b etc.? It is in private network 10, so why try to disguise those octets?

HTH

Rick

Hello @DavidGIP ,

you have a named standard IP ACL and you say:

permit 10.1.d.d 0.0.0.255 <--- this is the particular ip block in question

A standard ACL matches on source IP addresses only, regardless of whether it is applied to an interface in the inbound or outbound direction.

So, as also noted by @Richard Burts, how is your ACL applied to your C6500?

Is it applied to an interface towards the data center in the inbound direction?

Or is it used for route filtering in a redistribution?

Are you able, from the data center, to send traffic back to the IP address of the SW partner, or is the return path missing?

Hope to help

Giuseppe
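The two points made in this thread (a standard ACL tests the source address only, and a host-to-subnet extended entry is what lets one partner host reach the server block while everyone else stays blocked) worked through as an added Python example; this is not code from the thread or from Cisco. All addresses are constructed stand-ins for the masked values: 10.1.50.0/24 plays the "10.1.d.d" block, 192.0.2.10 plays the partner host A.B.C.D, and the list is assumed to be evaluated on traffic heading into the data center with the partner host as the source.

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: every bit that is 0 in the mask must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF            # bits the ACL actually compares
    return (a & care) == (b & care)

# Constructed stand-in for the thread's masked "datacenterlockdown" list:
# (action, source base, source wildcard). 10.1.50.0/24 plays the "10.1.d.d" block.
STANDARD_ACL = [
    ("deny",   "10.2.0.0",  "0.0.0.255"),
    ("permit", "10.3.0.0",  "0.0.0.255"),
    ("permit", "10.4.0.0",  "0.0.0.3"),
    ("permit", "10.1.50.0", "0.0.0.255"),
    ("permit", "10.5.0.0",  "0.0.0.15"),
]

def standard_acl(entries, src: str) -> str:
    """Standard ACL: tests the SOURCE only, first match wins, implicit deny at the end."""
    for action, base, wc in entries:
        if wildcard_match(src, base, wc):
            return action
    return "deny"                     # implicit deny

def extended_acl(entries, src: str, dst: str) -> str:
    """Extended ACL: tests source AND destination, same first-match / implicit-deny rules."""
    for action, sbase, swc, dbase, dwc in entries:
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"

PARTNER = "192.0.2.10"      # constructed stand-in for the partner host A.B.C.D
OTHER   = "198.51.100.7"    # constructed outside host that must stay blocked
SERVER  = "10.1.50.25"      # constructed AOE server inside the 10.1.50.0/24 block

# Extended list: the host-to-subnet permit from the accepted answer first, then the
# original source-only entries re-expressed with an "any" destination (0.0.0.0 255.255.255.255).
EXTENDED_ACL = [("permit", PARTNER, "0.0.0.0", "10.1.50.0", "0.0.0.255")] + [
    (act, base, wc, "0.0.0.0", "255.255.255.255") for act, base, wc in STANDARD_ACL
]

def compare(src: str, dst: str) -> dict:
    """How the same flow fares under the source-only list vs. the list with the host permit."""
    return {"standard": standard_acl(STANDARD_ACL, src),
            "extended": extended_acl(EXTENDED_ACL, src, dst)}

if __name__ == "__main__":
    for host in (PARTNER, OTHER):
        print(host, "->", SERVER, compare(host, SERVER))
```

The partner host never matches a source entry in the standard list and falls through to the implicit deny, while the added extended entry permits it only towards the server block and leaves any other outside source blocked.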