Solved: SGE2010P ACL

DJX995 · ‎11-16-2012

When I try to apply an ACL to a port on my SGE2010P, I get the following error:

Can't bind acl/policy-map to an interface when the security suite is enabled in a per-port mode

I don't see an option where I can set the security suite mode.

Tom Watts · ‎11-16-2012

Hi Fratiani, I have identified the issue within the configuration.

security-suite enable command will not permit binding an acl to an interface, conversely, if an acl is bound to an interface, you may not use security-suite enable command.

This is directly related to

security-suite enable

security-suite dos protect add stacheldraht

securite-suite dos protect add invasor-trojan

security-suite add back-orifice-trojan

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

View solution in original post

Tom Watts · ‎11-16-2012

Hi Fratiani, I've been trying to recreate the error with all Securty Suite options, I'm not able to. I've essentially enabled every security option on this switch and tested binding ACLs to the ports affected.

If you can do one of two things either-

1.) Factory reset the switch, create the ACL and bind it to the port

or

2.) Email me a telephone number so we can share a webex and take a look at your switch together

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

DJX995 · ‎11-16-2012

Hmmm, I figured I was just missing something simple.

Would you like my running config to see if you can recreate?

Otherwise, I'll see if I can find some time to reset the switch but I have a lot of stuff config'd.

Tom Watts · ‎11-16-2012

Sure, email me the config. I'll dig through it this evening.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Tom Watts · ‎11-16-2012

Hi Fratiani, I have identified the issue within the configuration.

security-suite enable command will not permit binding an acl to an interface, conversely, if an acl is bound to an interface, you may not use security-suite enable command.

This is directly related to

security-suite enable

security-suite dos protect add stacheldraht

securite-suite dos protect add invasor-trojan

security-suite add back-orifice-trojan

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

DJX995 · ‎11-26-2012

Thanks for the help.

I just turned off the security suite since I believe they are just ACLs anyway.

Now,

I was hoping someone could help me with an ACL now.

It seems that it is blocking all traffic whenever I apply it to the port.

Even traffic not on the 192.168.1.0 network.

Objective: create guest ACL.

Allow DNS,DHCP,Web to server from 192.168.1.0 network

Disallow all other internal access from 192.168.1.0 network.

Allow internet access.

permit tcp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53

permit udp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53

permit tcp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67

permit udp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67

permit tcp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68

permit udp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68

permit tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 80

permit tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 443

deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

permit ip any any

Tom Watts · ‎11-26-2012

Fratiani, try to allow an additional permit such as

permit tcp host 192.168.2.10 53 192.168.1.0.0 0.0.0.255 53

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

DJX995 · ‎11-27-2012

So you're saying try to put in reverse statements...

I would but my problem is even before that: it blocks traffic not on the 192.168.1.0 network.

I have a machine on the 192.168.0.0 & 192.168.2.0 network and this ACL, once applied, will block traffic from those machines to the device behind the ACL.

Every deny statement specifies specifically the 192.168.1.0 network as the source.

Why would it block traffic not from that network?

Tom Watts · ‎11-27-2012

The ACL works ingress only. The traffic may permit 1 direction but may not permit coming back.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

DJX995 · ‎11-27-2012

Before I start making any changes I just want to see one thing.

I may be off my rocker but lemme see here...

Take for instance:

My orig ACL is applied on Port 20

192.168.0.250 is trunked on Port 20

Passes traffic for:

192.168.0.0 (Native VLAN)

192.168.1.0 (VLAN 2)

192.168.2.0 (VLAN 3)

Ping 192.168.0.250 from 192.168.2.50 = Blocked

Send: 192.168.2.50 ---> 192.168.0.250

Reply: 192.168.0.250 ---> 192.168.2.50

In this case, the source is NEVER the 192.168.1.0 network.

It should NEVER match any of the entries except the last permit any any.

Traffic is blocked though.

I may be way off base but this is the way I see it.

Tom Watts · ‎11-27-2012

Please post a topology showing how things interconnect where and the config file (censor anything sensitive)

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

SGE2010P ACL

Cisco Business Product Family

Cisco Switching Product Family