
Port-based ACL is not working in Cisco 3650

bankan19791 (Level 1)

Hi,

We are using a Cisco 3650 as the core switch in our network. We have two cache servers. Server-1 is used to process all TCP & UDP ports except some. Server-2 is used to process only HTTP requests. For this we have created ACLs & route-maps & applied them to their respective interfaces. Below is the configuration:

ip access-list extended SERVER1-LAN
permit tcp any any gt 1024
permit udp any any range 60 499
permit udp any any range 501 9999
permit udp any any range 10001 65535

ip access-list extended SERVER1-WAN
permit tcp any gt 1024 any
permit udp any range 60 499 any
permit udp any range 501 9999 any
permit udp any range 10001 65535 any

ip access-list extended SERVER2-LAN
permit tcp any any eq www


ip access-list extended SERVER2-WAN
permit tcp any eq www any

route-map CACHE-LAN permit 10
match ip address SERVER1-LAN
set ip next-hop 192.168.100.2
!
route-map CACHE-LAN permit 15
match ip address SERVER2-LAN
set ip next-hop 10.10.10.2
!

route-map CACHE-WAN permit 10
match ip address SERVER1-WAN
set ip next-hop 192.168.100.2

!
route-map CACHE-WAN permit 15
match ip address SERVER2-WAN
set ip next-hop 10.10.10.2

interface TenGigabitEthernet1/1/1
description ISP INPUT
no switchport
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip access-group MAIN in
ip policy route-map CACHE-WAN
no cdp enable

interface TenGigabitEthernet1/1/2
description SERVER-1
no switchport
ip address 192.168.100.1 255.255.255.252
ip policy route-map CACHE-LAN
no cdp enable

interface GigabitEthernet1/0/38
description SERVER-2
no switchport
ip address 10.10.10.1 255.255.255.252
ip policy route-map CACHE-LAN
no cdp enable

In the above ACLs we have excluded TCP ports 1-1023 & UDP ports 1-59, 500, 4500 & 10000. After applying the route-map we are getting requests from all TCP & UDP ports at SERVER-1, I mean to say the excluded ports, i.e. TCP 1-1023 & UDP 1-59, 500, 4500 & 10000, also. Whereas at SERVER-2 we are getting only HTTP (port 80) requests. It means the SERVER-2 ACL is working as expected but SERVER-1 is not working properly. I have checked the same on Cisco 3550 and 3750 also, but the result is the same. Is there any idea why it's not working for port ranges? My server vendor suggests that I contact Cisco, but I want to discuss it with you before contacting Cisco.

Regards,

A

6 Replies

Hello,

Is interface TenGigabitEthernet1/1/1 your WAN interface?

What is the purpose of implementing the cache on the WAN interface? Remove your route-map from your WAN interface to see if you get any different result.

What do you expect to be cached on ports other than HTTP? Does the cache server support that?

Masoud

Hi Masoud,

I am not talking about the cache. All cache servers are working as expected. If you look into my ACL, you can see that I have excluded some TCP & UDP ports. But still I can see traffic from those ports when we dump packets on my cache server, which should not happen. That's why I want to know why the traffic from those ports comes into my cache server, as the ports are already excluded in the ACL. I have tried with IP-based ACLs & the "neq" option also, but the result is the same.

Please suggest if you have any idea.

Regards,

A

Hello,

Let's do some changes and see the result, then we will check the access-lists.

interface TenGigabitEthernet1/1/1
description ISP INPUT
no switchport
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip access-group MAIN in
ip policy route-map CACHE-WAN  [This line is not necessary. The reason is that the return traffic will automatically go back to the cache, so you do not need to set PBR for return traffic]

interface TenGigabitEthernet1/1/2
description SERVER-1
no switchport
ip address 192.168.100.1 255.255.255.252
ip policy route-map CACHE-LAN  [This PBR is in the wrong place. You need to put the PBR on the interfaces toward the LAN, not on the interface toward your server]

interface GigabitEthernet1/0/38
description SERVER-2
no switchport
ip address 10.10.10.1 255.255.255.252
ip policy route-map CACHE-LAN  [This is in the wrong place. You need to put the PBR on the interfaces toward the LAN, not on the interface toward your server]

Please correct those and get back with the result. We will discuss about access-lists later.

Masoud


Hi Masoud,

Thanks for your quick reply & very sorry for posting the wrong config. Actually the "ip policy route-map CACHE-LAN" is applied on my LAN interfaces. I have tested removing "ip policy route-map CACHE-WAN" from the WAN port, but the result is the same. Another thing I want to know from you is: without PBR applied, how does the return traffic go back to the cache?

Can you please give some idea about the access-list so I can try it in my network?

Regards,

A

Hello,

Cache servers are usually proxy servers. A proxy server is basically a program that accepts requests from clients for URLs, fetches them on behalf of the client, and returns the results to the client.

1- It is very important. Try to check all the names you used. You will have unexpected results if the names are inconsistent. You will not receive any error if the names do not match (the ACL used in the route-map and the route-map used under the interface).

2- Cache servers usually work with HTTP, HTTPS and file transfer protocols. Check this with the provider of the cache to see whether it works with all the ports you specified.

Try several other options.

3- Add a deny statement at the end of your access-list and use show access-list SERVER1-LAN and also show route-map to see if you have any hits.

ip access-list extended SERVER1-LAN
permit tcp any any gt 1024
permit udp any any range 60 499
permit udp any any range 501 9999
permit udp any any range 10001 65535
deny ip any any log

4- Try using only some ports (the ports used most often in your network) in your access-list, if you think using ranges is causing your problem, and check the result.

ip access-list extended SERVER1-LAN
permit tcp any any eq 443
permit tcp any any eq 20
permit tcp any any eq 21
deny ip any any log

Please get back with the result so that we can go forward.

Masoud
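An added example for point 1 above (not from the thread and not Cisco's code): a small script that scans a running-config text for the dangling names IOS silently accepts, i.e. a route-map whose `match ip address` names an ACL that is not defined, an interface whose `ip policy route-map` names a route-map that is not defined, and a route-map that no interface applies. The config it scans is constructed for the example: the poster's LAN config with one ACL name misspelt (`SERVER2_LAN` with an underscore) so the check has something to find. It does not check `ip access-group` references.

```python
# Added example (not from the thread, not Cisco code): a cross-check for point 1
# above. IOS accepts 'match ip address X' and 'ip policy route-map Y' even when X
# or Y is not defined, so this scans a running-config text for dangling names.
# SAMPLE_CONFIG is constructed: the poster's LAN config with one ACL name misspelt.
import re
from typing import Dict, List, Set


def cross_check(config: str) -> List[str]:
    """Return problems: route-maps matching undefined ACLs, interfaces applying
    undefined route-maps, and route-maps that no interface applies."""
    acls: Set[str] = set()
    route_maps: Set[str] = set()
    acl_refs: Dict[str, str] = {}  # ACL name -> route-map that matches it
    rm_refs: Dict[str, str] = {}   # route-map name -> interface that applies it
    block_type, block_name = "", ""
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip access-list (?:extended|standard) (\S+)$", line):
            acls.add(m.group(1))
            block_type, block_name = "acl", m.group(1)
        elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+$", line):
            route_maps.add(m.group(1))
            block_type, block_name = "route-map", m.group(1)
        elif m := re.match(r"interface (\S+)$", line):
            block_type, block_name = "interface", m.group(1)
        elif line.startswith("match ip address ") and block_type == "route-map":
            for acl in line.split()[3:]:  # one match line may list several ACLs
                acl_refs[acl] = block_name
        elif (m := re.match(r"ip policy route-map (\S+)$", line)) and block_type == "interface":
            rm_refs[m.group(1)] = block_name
    problems = []
    for acl, rm in sorted(acl_refs.items()):
        if acl not in acls:
            problems.append(f"route-map {rm} matches undefined ACL {acl}")
    for rm, intf in sorted(rm_refs.items()):
        if rm not in route_maps:
            problems.append(f"interface {intf} applies undefined route-map {rm}")
    for rm in sorted(route_maps - set(rm_refs)):
        problems.append(f"route-map {rm} is defined but applied to no interface")
    return problems


# Constructed sample: the poster's LAN-side config with SERVER2-LAN misspelt in the route-map.
SAMPLE_CONFIG = """
ip access-list extended SERVER1-LAN
 permit tcp any any gt 1024
 permit udp any any range 60 499
ip access-list extended SERVER2-LAN
 permit tcp any any eq www
!
route-map CACHE-LAN permit 10
 match ip address SERVER1-LAN
 set ip next-hop 192.168.100.2
route-map CACHE-LAN permit 15
 match ip address SERVER2_LAN
 set ip next-hop 10.10.10.2
!
interface GigabitEthernet1/0/1
 description LAN
 ip policy route-map CACHE-LAN
"""

if __name__ == "__main__":
    for problem in cross_check(SAMPLE_CONFIG) or ["no dangling references"]:
        print(problem)
```

Feed it the output of `show running-config` saved to a file; a clean config returns an empty list.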

Hi. ACLs in route-maps are used to match traffic, so you may still see some traffic if it is routed to the servers. The route-map will not permit or deny traffic. That could be the reason why you still see the other traffic at server 1.
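An added example, not from the thread and not Cisco code, that models the point made in the reply above and the counter check in Masoud's step 3: an ACL referenced by a route-map only selects which packets get a policy next-hop, while the same ACL applied with `ip access-group` drops whatever it does not permit. The ACL and route-map lines are the SERVER1-LAN / SERVER2-LAN / CACHE-LAN config posted in the question; addresses are modelled as `any` only, and the five packets are constructed. Note from the output that UDP 4500 is routed to SERVER-1 because it lies inside `range 501 9999`, and that TCP 22 and UDP 500 hit the trailing deny and fall through to normal routing, which is what lets them reach a server the routing table already points at.

```python
# Added example (not from the thread, not Cisco code): a model of how IOS evaluates
# an extended ACL inside a PBR route-map versus as an interface access-group. ACL and
# route-map lines are the SERVER1-LAN / SERVER2-LAN / CACHE-LAN config posted above
# (addresses modelled as 'any' only); the packets are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

NAMED_PORTS = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}
PortRange = Optional[Tuple[int, int]]  # inclusive port range; None means any port

def port_num(tok: str) -> int:
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok]

@dataclass
class Packet:
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Ace:
    text: str
    action: str  # "permit" or "deny"
    proto: str   # "tcp", "udp" or "ip"
    sport: PortRange
    dport: PortRange
    hits: int = 0  # what 'show access-list' would count (model only)

    def matches(self, pkt: Packet) -> bool:
        in_range = lambda rng, p: rng is None or rng[0] <= p <= rng[1]
        return (self.proto in ("ip", pkt.proto)
                and in_range(self.sport, pkt.sport) and in_range(self.dport, pkt.dport))

def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <proto> any [op] any [op] [log]' with op in eq/gt/range."""
    toks = line.split()
    if toks[-1] == "log":
        toks.pop()
    action, proto, rest = toks[0], toks[1], toks[2:]
    ranges: List[PortRange] = []
    while rest:
        if rest.pop(0) != "any":
            raise ValueError("model understands 'any' addresses only: " + line)
        rng: PortRange = None
        if rest and rest[0] in ("eq", "gt", "range"):
            op, a = rest.pop(0), port_num(rest.pop(0))
            rng = (a, a) if op == "eq" else (a + 1, 65535) if op == "gt" else (a, port_num(rest.pop(0)))
        ranges.append(rng)
    return Ace(line, action, proto, ranges[0], ranges[1])

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l.strip()) for l in text.splitlines() if l.strip()]

def first_match(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """First matching ACE wins; None stands for the implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace
    return None

def pbr_next_hop(route_map: List[Tuple[List[Ace], str]], pkt: Packet) -> str:
    """PBR: the first permit sequence whose ACL *permits* the packet sets the next-hop.
    A packet no sequence permits (including one that hits a 'deny' ACE) is NOT
    dropped: it falls through to the ordinary routing table."""
    for acl, next_hop in route_map:
        ace = first_match(acl, pkt)
        if ace is not None and ace.action == "permit":
            return next_hop
    return "routing-table"

def access_group(acl: List[Ace], pkt: Packet) -> str:
    """The same ACL applied as 'ip access-group ... in': here a non-match is a drop."""
    ace = first_match(acl, pkt)
    return "permit" if ace is not None and ace.action == "permit" else "deny"

SERVER1_LAN = parse_acl("""
permit tcp any any gt 1024
permit udp any any range 60 499
permit udp any any range 501 9999
permit udp any any range 10001 65535
deny ip any any log
""")
SERVER2_LAN = parse_acl("permit tcp any any eq www")
CACHE_LAN = [(SERVER1_LAN, "192.168.100.2"), (SERVER2_LAN, "10.10.10.2")]

# Constructed LAN-side packets (client -> Internet direction).
WEB = Packet("tcp", 51000, 80)      # HTTP: only SERVER2-LAN permits it
SSH = Packet("tcp", 51001, 22)      # TCP 22, inside the 'excluded' 1-1023 range
ALT = Packet("tcp", 51002, 8080)    # TCP > 1024: SERVER1-LAN permits it
IKE = Packet("udp", 500, 500)       # UDP 500 falls in the gap between 499 and 501
NATT = Packet("udp", 4500, 4500)    # UDP 4500 lies inside 'range 501 9999'

if __name__ == "__main__":
    for name, pkt in [("WEB", WEB), ("SSH", SSH), ("ALT", ALT), ("IKE", IKE), ("NATT", NATT)]:
        print(f"{name:4} PBR CACHE-LAN -> {pbr_next_hop(CACHE_LAN, pkt):14} "
              f"access-group SERVER1-LAN -> {access_group(SERVER1_LAN, pkt)}")
    for ace in SERVER1_LAN:  # the deny line is what Masoud's step 3 watches for hits
        print(f"{ace.hits:3} matches  {ace.text}")
```

The model deliberately ignores addresses and the hardware-specific details of PBR on the 3650; its point is only the evaluation order: a deny in a route-map ACL means "not this clause, try the next one", never "drop".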
