08-19-2018 01:14 AM - edited 03-08-2019 03:56 PM
Hello all
We have one 2960G. We applied an inbound ACL on a port of it:
deny udp any any eq 53
permit ip any any
It's working fine, but there isn't any match hint for the deny ACE; the permit ACE has one, however!
Sho ip access-list
deny ........
permit .....(456454 matches)
It's working, but without a match hint for the first line!
08-19-2018 02:05 AM
deny udp any any eq wq (what is wq?)
08-19-2018 08:35 PM
Hello Balaji
That was an example.
We're blocking UDP 53.
08-19-2018 06:04 AM
Hi
What are you denying?
08-19-2018 08:36 PM
UDP 53.
The first post is edited.
08-20-2018 01:18 AM - edited 08-20-2018 01:19 AM
Hello
And you can confirm UDP 53 is in fact being denied?
show ip accounting access-violations (if enabled). Also amend the ACE of the ACL to incorporate log or log-input:
access-list 100 deny udp any any eq 53 log-input
08-20-2018 07:17 AM
Hello Paul
Yes, I'm sure, because when we apply the ACL, DNS queries won't work, but when we remove the ACL from the interface they work.
Accounting violation is not enabled on the interface.
08-20-2018 09:15 AM
Hi
When we configure an access-list, it doesn't mean that the device filters the packets; it's just for identifying them.
Packets are filtered when we apply that ACL under an interface.
08-26-2018 08:24 PM
Hi Sivam
You're right. But in this case, the ACL is already applied to the interface.