SGE2010P ACL

DJX995, Level 3

When I try to apply an ACL to a port on my SGE2010P, I get the following error:

Can't bind acl/policy-map to an interface when the security suite is enabled in a per-port mode

I don't see an option where I can set the security suite mode.

10 Replies

Tom Watts, VIP Alumni

Hi Fratiani, I've been trying to recreate the error with all Security Suite options, and I'm not able to. I've essentially enabled every security option on this switch and tested binding ACLs to the ports affected.

If you can do one of two things either-

1.) Factory reset the switch, create the ACL and bind it to the port

or

2.) Email me a telephone number so we can share a webex and take a look at your switch together

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hmmm, I figured I was just missing something simple.

Would you like my running config to see if you can recreate?

Otherwise, I'll see if I can find some time to reset the switch but I have a lot of stuff config'd.

Sure, email me the config. I'll dig through it this evening.

-Tom

Hi Fratiani, I have identified the issue within the configuration.

The security-suite enable command will not permit binding an ACL to an interface; conversely, if an ACL is bound to an interface, you may not use the security-suite enable command.

This is directly related to:

    security-suite enable
    security-suite dos protect add stacheldraht
    security-suite dos protect add invasor-trojan
    security-suite add back-orifice-trojan

-Tom

Thanks for the help.

I just turned off the security suite since I believe they are just ACLs anyway.

Now,

I was hoping someone could help me with an ACL now.

It seems that it is blocking all traffic whenever I apply it to the port.

Even traffic not on the 192.168.1.0 network.

Objective: create guest ACL.

Allow DNS, DHCP, Web to server from 192.168.1.0 network

Disallow all other internal access from 192.168.1.0 network.

Allow internet access.

    permit  tcp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53
    permit  udp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53
    permit  tcp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67
    permit  udp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67
    permit  tcp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68
    permit  udp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68
    permit  tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 80
    permit  tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 443
    deny    ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    deny    ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
    deny    ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit  ip any any

Fratiani, try to allow an additional permit such as

permit tcp host 192.168.2.10 53 192.168.1.0 0.0.0.255 53

-Tom

So you're saying try to put in reverse statements...

I would but my problem is even before that: it blocks traffic not on the 192.168.1.0 network.

I have a machine on the 192.168.0.0 & 192.168.2.0 networks, and this ACL, once applied, will block traffic from those machines to the device behind the ACL.

Every deny statement specifies specifically the 192.168.1.0 network as the source.

Why would it block traffic not from that network?

The ACL works ingress only. The traffic may be permitted in one direction but may not be permitted coming back.

-Tom

Before I start making any changes I just want to see one thing.

I may be off my rocker but lemme see here...

Take for instance:

My orig ACL is applied on Port 20

192.168.0.250 is trunked on Port 20

Passes traffic for:

192.168.0.0 (Native VLAN)

192.168.1.0 (VLAN 2)

192.168.2.0 (VLAN 3)

Ping 192.168.0.250 from 192.168.2.50 = Blocked

Send: 192.168.2.50 ---> 192.168.0.250

Reply: 192.168.0.250 ---> 192.168.2.50

In this case, the source is NEVER the 192.168.1.0 network.

It should NEVER match any of the entries except the last permit any any.

Traffic is blocked though.

I may be way off base but this is the way I see it.
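The following is an added example and is not code from the thread, from Cisco, or from the SGE2010P itself. It is a plain Python model of first-match ACL evaluation with an implicit deny at the end, run over the guest ACL posted earlier in the thread and over the ping the poster traced across the trunk port. Every entry is evaluated exactly as written (source address, source port, destination address, destination port), so you can see which line each packet hits. The client addresses 192.168.1.20 and 192.168.0.5, the external address 203.0.113.10, the ephemeral ports, and the corrected ACL are all constructed for the example; the model does not claim to reproduce any switch-specific behaviour beyond standard first-match semantics.

```python
import ipaddress

# Constructed copy of the ACL posted in the thread, in the order given.
POSTED_ACL = """
permit tcp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53
permit udp 192.168.1.0 0.0.0.255 53 host 192.168.2.10 53
permit tcp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67
permit udp 192.168.1.0 0.0.0.255 67 host 192.168.2.10 67
permit tcp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68
permit udp 192.168.1.0 0.0.0.255 68 host 192.168.2.10 68
permit tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 80
permit tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 443
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip any any
"""

# Constructed correction (assumption, not from the thread): no source-port
# constraint on the DNS/DHCP entries, and DHCP as UDP only (DHCP never uses TCP).
FIXED_ACL = """
permit udp 192.168.1.0 0.0.0.255 host 192.168.2.10 53
permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.10 53
permit udp 192.168.1.0 0.0.0.255 host 192.168.2.10 67
permit tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 80
permit tcp 192.168.1.0 0.0.0.255 any host 192.168.2.10 443
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip any any
"""


def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'NET WILDCARD'.
    Returns (network, keep_mask): an address matches when addr & keep_mask == network."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    net = int(ipaddress.IPv4Address(t))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    keep = ~wild & 0xFFFFFFFF
    return net & keep, keep


def _port(tokens, proto, is_src):
    """Consume an optional port after an address spec (TCP/UDP only).
    A numeric token is a port. On the source side 'any' is a port placeholder only
    when a destination address spec follows it; on the destination side a trailing
    'any' is consumed. Returns None for 'match any port'."""
    if proto not in ("tcp", "udp") or not tokens:
        return None
    t = tokens[0]
    if t.isdigit():
        tokens.pop(0)
        return int(t)
    if t == "any":
        if not is_src:
            tokens.pop(0)
        elif len(tokens) > 1 and (tokens[1] in ("any", "host") or tokens[1][0].isdigit()):
            tokens.pop(0)
    return None


def parse_ace(line):
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _addr(rest)
    sport = _port(rest, proto, is_src=True)
    dst = _addr(rest)
    dport = _port(rest, proto, is_src=False)
    if rest:
        raise ValueError(f"unparsed tokens in ACE: {line!r}")
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _ip_match(spec, ip):
    net, keep = spec
    return (int(ipaddress.IPv4Address(ip)) & keep) == net


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (_ip_match(ace["src"], pkt["src"]) and _ip_match(ace["dst"], pkt["dst"])):
        return False
    if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny (index -1)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace["action"], i
    return "deny", -1


def packet(proto, src, dst, sport=None, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}


def demo():
    """Run the thread's scenarios (plus constructed ones) and return (action, entry index) each."""
    posted, fixed = parse_acl(POSTED_ACL), parse_acl(FIXED_ACL)
    return {
        # The ping the poster traced on the trunk port: neither direction is sourced from 192.168.1.0/24.
        "ping_request": evaluate(posted, packet("icmp", "192.168.2.50", "192.168.0.250")),
        "ping_reply": evaluate(posted, packet("icmp", "192.168.0.250", "192.168.2.50")),
        # A real resolver query leaves the client from an ephemeral port, not from port 53.
        "dns_query_ephemeral": evaluate(posted, packet("udp", "192.168.1.20", "192.168.2.10", 51234, 53)),
        "dns_query_from_53": evaluate(posted, packet("udp", "192.168.1.20", "192.168.2.10", 53, 53)),
        "dns_query_ephemeral_fixed": evaluate(fixed, packet("udp", "192.168.1.20", "192.168.2.10", 51234, 53)),
        "http": evaluate(posted, packet("tcp", "192.168.1.20", "192.168.2.10", 40001, 80)),
        "smb_to_lan": evaluate(posted, packet("tcp", "192.168.1.20", "192.168.0.5", 40002, 445)),
        "internet": evaluate(posted, packet("tcp", "192.168.1.20", "203.0.113.10", 40003, 443)),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:28s} {action:6s} entry {idx}")
```

What the model shows: the DNS and DHCP entries as posted require the client's source port to equal the service port, so an ordinary resolver query from an ephemeral port skips them and lands on the deny for 192.168.2.0/24; only a query that happens to use source port 53 is permitted. The TCP 67/68 entries can never match real DHCP, which is UDP. The ping the poster traced (192.168.2.50 to 192.168.0.250 and back) falls through to the final permit ip any any in both directions, so first-match evaluation of the entries alone does not explain the blocking they observed; that is exactly why the thread moves on to the topology and the full configuration.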

Please post a topology showing how things interconnect where and the config file (censor anything sensitive)

-Tom