Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
985
Views
0
Helpful
3
Replies

IPv4 port range ACL blocked by IPv6 ACL

Peter __
Level 1
Level 1

‎03-02-2021 12:17 PM

Have a Cisco SG350-10 10 on 2.5.5.47

If you make ACL for IPv4 with last rule

Priority                  Action          Logging              Protocol            IP Address  Wildcard Mask   IP Address  Wildcard Mask

2147483647         Deny           Disabled              Any (IP)            Any             Any                    Any              Any

and make a IPv4 rule with TCP port range 5129-5130 allow

 

then make a IPv6 ACL

Priority          Action           Logging              Protocol          IP Address           IP Address     Flow Label

1                  Permit           Disabled              Any                Any                      Any                Any

 

Bind for GE2 input ACL your IPv4 and IPv6 rules it blocks port 5130.

1 person had this problem
Labels:
0 Helpful
3 Replies 3

haraldholub
Level 1
Level 1

‎09-11-2021 05:14 PM

I have a Cisco SG350X-24PD with firmware 2.5.5.47 and I have exactly the same issue.

 

IPv4 ACL:

PriorityActionLoggingTime Range ProtocolSource IP Address Destination IP Address Source PortDestination PortFlag SetDSCPIP PrecedenceICMP TypeICMP CodeIGMP Type
   NameState IP AddressWildcard MaskIP AddressWildcard Mask        
...                
8PermitDisabled  TCPAnyAnyAnyAnyAny50000-51000      

 

binding that ACL to a port or VLAN will allow connect using the ports in that range

 

then create an IPv6 ACL:

PriorityActionLoggingTime Range ProtocolSource Destination Source PortDestination PortFlow LabelFlag SetDSCPIP PrecedenceICMP TypeICMP Code
   NameState IP AddressPrefixIP AddressPrefix        
1PermitDisabled  AnyAny Any   Any     

 

binding both ACLs to the port or VLAN will block the ports in that range.

 

 

 

0 Helpful

haraldholub
Level 1
Level 1
In response to haraldholub

‎09-11-2021 05:43 PM

The problem is also with QoS advanced mode when a MAC ACL is used in a class map together with this IPv4 ACL, then mapping to a policy and binding to a port:
For testing I created the following MAC based ACL additionally tot he both ACLs above:
Priority Action Logging Time Range Destination Source VLAN ID 802.1p 802.1p Mask Ethertype
Name State MAC Address Wildcard Mask MAC Address Wildcard Mask
1 Permit Disabled Any Any Any Any
... then creating a class-map:
class-map cmap_test match-any
match ipv4_acl_test
match mac_acl_test
... then adding to a policy map
policy-map pmap_test
class cmap_test
... then binding to a port
interface gi1/0/1
service-policy input pmap_test
... all ports 50000-51000 are blocked; when I remove the MAC basec ACL from the class map, then the ports are being allowed. When I add the IPv6 ACL to the class-map then the ports are blocked again.
0 Helpful

haraldholub
Level 1
Level 1
In response to haraldholub

‎09-12-2021 06:18 AM

With the latest firmware release 2.5.8.12 the problem still exists.

0 Helpful
Customers Also Viewed These Support Documents