Participant

SGE2010P ACL

When I try to apply an ACL to a port on my SGE2010P, I get the following error:

Can't bind acl/policy-map to an interface when the security suite is enabled in a per-port mode

I don't see an option where I can set the security suite mode.


Advocate

Hi Fratiani, I've been trying to recreate the error with all Security Suite options, but I'm not able to. I've essentially enabled every security option on this switch and tested binding ACLs to the ports affected.

Could you do one of two things, either:

1.) Factory reset the switch, create the ACL and bind it to the port

or

2.) Email me a telephone number so we can share a webex and take a look at your switch together

-Tom

Hmmm, I figured I was just missing something simple.

Would you like my running config to see if you can recreate?

Otherwise, I'll see if I can find some time to reset the switch but I have a lot of stuff config'd.


Sure, email me the config. I'll dig through it this evening.

-Tom

Hi Fratiani, I have identified the issue within the configuration.

The security-suite enable command will not permit binding an ACL to an interface; conversely, if an ACL is bound to an interface, you may not use the security-suite enable command.

This is directly related to:

security-suite enable
security-suite dos protect add stacheldraht
security-suite dos protect add invasor-trojan
security-suite add back-orifice-trojan

-Tom

Thanks for the help.

I just turned off the security suite since I believe they are just ACLs anyway.

Now, I was hoping someone could help me with an ACL.

It seems that it is blocking all traffic whenever I apply it to the port, even traffic not on the 192.168.1.0 network.

Objective: create a guest ACL.

Allow DNS, DHCP, and web to the server from the 192.168.1.0 network.

Disallow all other internal access from the 192.168.1.0 network.

Allow internet access.

    permit  tcp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53
    permit  udp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53
    permit  tcp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67
    permit  udp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67
    permit  tcp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68
    permit  udp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68
    permit  tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 80
    permit  tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 443
    deny    ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    deny    ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny    ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit  ip any any


Fratiani, try to allow an additional permit such as

permit tcp host 192.168.2.10 53 192.168.1.0 0.0.0.255 53

-Tom

So you're saying try to put in reverse statements...

I would but my problem is even before that: it blocks traffic not on the 192.168.1.0 network.

I have a machine on the 192.168.0.0 & 192.168.2.0 network and this ACL, once applied, will block traffic from those machines to the device behind the ACL.

Every deny statement explicitly specifies the 192.168.1.0 network as the source.

Why would it block traffic not from that network?


The ACL works ingress only. The traffic may be permitted in one direction but not permitted coming back.

-Tom

Before I start making any changes I just want to see one thing.

I may be off my rocker but lemme see here...

Take for instance:

My original ACL is applied on port 20.
192.168.0.250 is trunked on port 20 and passes traffic for:
192.168.0.0 (Native VLAN)
192.168.1.0 (VLAN 2)
192.168.2.0 (VLAN 3)

Ping 192.168.0.250 from 192.168.2.50 = Blocked
Send: 192.168.2.50 ---> 192.168.0.250
Reply: 192.168.0.250 ---> 192.168.2.50

In this case, the source is NEVER the 192.168.1.0 network.

It should NEVER match any of the entries except the last permit any any.

Traffic is blocked though.

I may be way off base but this is the way I see it.
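To trace how the switch evaluates the ACL posted earlier in this thread on ingress (first match wins) against both the guest flows it was written for and the port 20 ping described above, here is an added Python evaluator. It is not code from the thread or from the switch: the entries are transcribed from the post (the field after the source wildcard is read as the source port, as in the SGE syntax the web entries use with `any`), and the packets are constructed.

```python
import ipaddress

# Fratiani's ACL from the thread, one tuple per entry, in order:
# (action, protocol, src_net, src_port, dst_net, dst_port); None = any.
ACL = [
    ("permit", "tcp", "192.168.1.0/24", 53,   "192.168.2.10/32", 53),
    ("permit", "udp", "192.168.1.0/24", 53,   "192.168.2.10/32", 53),
    ("permit", "tcp", "192.168.1.0/24", 67,   "192.168.2.10/32", 67),
    ("permit", "udp", "192.168.1.0/24", 67,   "192.168.2.10/32", 67),
    ("permit", "tcp", "192.168.1.0/24", 68,   "192.168.2.10/32", 68),
    ("permit", "udp", "192.168.1.0/24", 68,   "192.168.2.10/32", 68),
    ("permit", "tcp", "192.168.1.0/24", None, "192.168.2.10/32", 80),
    ("permit", "tcp", "192.168.1.0/24", None, "192.168.2.10/32", 443),
    ("deny",   "ip",  "192.168.1.0/24", None, "192.168.0.0/24",  None),
    ("deny",   "ip",  "192.168.1.0/24", None, "192.168.2.0/24",  None),
    ("deny",   "ip",  "192.168.1.0/24", None, "192.168.3.0/24",  None),
    ("permit", "ip",  "0.0.0.0/0",      None, "0.0.0.0/0",       None),
]


def _match(entry, proto, src, sport, dst, dport):
    """True if one ACL entry matches the packet's 5-tuple ('ip' matches any protocol)."""
    _action, e_proto, e_src, e_sport, e_dst, e_dport = entry
    if e_proto != "ip" and e_proto != proto:
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(e_src):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(e_dst):
        return False
    if e_sport is not None and e_sport != sport:
        return False
    if e_dport is not None and e_dport != dport:
        return False
    return True


def evaluate(proto, src, sport, dst, dport):
    """First-match evaluation of a packet arriving on the port the ACL is bound to.
    Returns (action, 1-based entry number); a packet matching no entry is dropped
    by the implicit deny at the end of the list."""
    for i, entry in enumerate(ACL):
        if _match(entry, proto, src, sport, dst, dport):
            return entry[0], i + 1
    return "deny", None


if __name__ == "__main__":
    # Constructed packets: a guest DNS query from an ephemeral port, and the
    # ingress reply from 192.168.0.250 to 192.168.2.50 in the port 20 ping case.
    print(evaluate("udp", "192.168.1.50", 51234, "192.168.2.10", 53))
    print(evaluate("icmp", "192.168.0.250", None, "192.168.2.50", None))
```

Because the DNS and DHCP entries pin the source port, a guest DNS query sent from an ephemeral source port matches none of them and falls through to the deny for 192.168.2.0/24, whereas the reply from 192.168.0.250 to 192.168.2.50 never has a 192.168.1.0 source and only ever reaches the final permit ip any any.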


Please post a topology showing how things interconnect and where, and the config file (censor anything sensitive).

-Tom