Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1056
Views
0
Helpful
3
Replies

Need help with ACL src/dest problem

Jeff Ferrell
Level 1
Level 1

‎09-06-2018 08:49 AM - edited ‎02-21-2020 08:12 AM

I have a working ACL. It is applied inbound on the switch port with a server attached. However, the logic is confusing me, as if I switch src/dest around, it no longer works.

 

Setup:

3650 Switch, server on port g1/0/7. Switch trunked to a pair of 9k's in VPC mode

NTP server is 10.0.0.2

NTP client is 192.168.2.1

192.168.1.0 is a management network

ACL applied as so: ip access-group NTP_Working in on g1/0/7

 

 

ACL working:

ip access-list extended NTP_Working
permit udp host 10.0.0.2 eq ntp host 192.168.2.1
permit tcp host 10.0.0.2 eq www 192.168.1.0 0.0.0.255
permit tcp host 10.0.0.2 eq 443 192.168.1.0 0.0.0.255
permit icmp host 10.0.0.2 192.168.1.0 0.0.0.255 echo-reply

 

ACL Not working (just flipped source/dest):

ip access-list extended NTP_Not_Working
permit udp host 192.168.2.1 eq ntp host 192.168.2.1
permit tcp 192.168.1.0 0.0.0.255 eq www host 10.0.0.2
permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.2 eq 443
permit icmp 192.168.1.0 0.0.0.255 host 10.0.0.2 echo-reply

 

All my logic is allow xx from source to destination. But taht is not working here.

0 Helpful
3 Replies 3

Dennis Mink
VIP Alumni
VIP Alumni

‎09-06-2018 10:13 AM

you are definitely using it correct in source/destination order of ACE:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09

 

is it just NTP that beaks or all the other traffic in the ACL as well?

 

 

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Jeff Ferrell
Level 1
Level 1
In response to Dennis Mink

‎09-06-2018 10:27 AM

All traffic listed breaks, ie: www access and pings. 

 

Which ACL do you say looks good, the one labeled working or not working?

 

Thanks!

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni

‎09-06-2018 10:14 AM

you are definitley using it correct in source/destination in your ACE's:

 

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/3se/security/configuration_guide/b_sec_3se_3650_cg/b_sec_3se_3650_cg_chapter_01010.html#concept_339DA61A054C4243B014617049EF5C09

 

is it just NTP thta breaks or other traffic in the ACL as well?

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card