2960X ACL Stopped working

Tom.R
Level 1

Hello, I have a Cisco 2960X-24TS-L with an access list to restrict access to a single server. I have attached a diagram of the ACL and what we're trying to accomplish. It DID work for about 6 months. The VM's on the server host need to see the other VM's on the host, and they could. But now we made a slight change to the ACL and now the VM's can't see each other. I've even reverted back to an original config and nothing. Being that they are local to each other I didn't think they needed an ACL entry, since the ACL is applied on the physical interface matching only inbound traffic. The select users can hit the VM's fine, but the VM's can't see each other now.


Hello,

which IP address cannot see which IP address? What changes did you make to the ACL? Post the original and the changed ACL...

Here's how it works.

Users RDP to VM (10.10.20.147, 10.10.20.148), allowed by the ACCOUNTING TO VM's section.

They then use a client on those VM's to connect to business-specific VM's on the same host (10.10.20.99, 10.10.20.251).

What you see in the image is very close to the original ACL. We only added an additional host to the switch (port 23) and an ACL entry to allow us access to see it (shown in red). It was then that we ran into issues with the client applications not being able to connect to the RDP VM's with the ACL enabled, and when we then added separate VLAN tagging for the new host.

When we take the ACL out, everything works.

I have attached what changes we made.

Hello

remark VMs TO JDE
permit ip host 10.10.20.147 host 10.10.20.99 log
permit ip host 10.10.20.147 host 10.10.20.251 log
permit ip host 10.10.20.148 host 10.10.20.99 log
permit ip host 10.10.20.148 host 10.10.20.251 log

The above doesn't make sense; the ACL is applied on the switch, but all these VMs are internal to the host?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Sorry, yeah, we added that when we started having issues.

You're right. That's why we're confused. The hosts on that server are all local to each other and shouldn't be affected by the inbound access list on the trunk port... which is right, since they get no matches when we do sh access-list on the switch. But, nevertheless, when the ACL is applied, the RDP VM's can't access the Business VM's via their client.

But in the beginning they could.

Extended IP access list JDE-Access-Restriction
10 permit ip host 10.10.30.76 host 10.10.20.8 log (1019 matches)
20 permit ip host 10.10.30.206 host 10.10.20.8 log (3280 matches)
30 permit ip host 10.10.200.4 host 10.10.20.99 log (863 matches)
40 permit ip host 10.10.200.4 host 10.10.20.251 log (1317 matches)
50 permit ip host 10.10.200.4 host 10.10.20.147 log (1684 matches)
60 permit ip host 10.10.200.4 host 10.10.20.148 log (1820 matches)
70 permit ip host 10.10.200.4 host 10.10.30.231 log (11494 matches)
80 permit ip host 10.10.200.72 host 10.10.20.99 log (20 matches)
90 permit ip host 10.10.200.72 host 10.10.20.251 log (10 matches)
100 permit ip host 10.10.200.240 host 10.10.20.8 log (12 matches)
110 permit ip host 10.10.200.240 host 10.10.20.99 log (12 matches)
120 permit ip host 10.10.200.240 host 10.10.20.251 log (12 matches)
130 permit ip host 10.10.30.206 host 10.10.20.99 log
140 permit ip host 10.10.30.206 host 10.10.20.251 log
150 permit ip host 10.10.30.206 host 10.10.20.147 log
160 permit ip host 10.10.30.206 host 10.10.20.148 log
161 permit ip host 10.10.30.206 host 10.10.30.231 log (3456 matches)
170 permit ip host 10.10.20.10 host 10.10.20.99 log (159 matches)
180 permit ip host 10.10.20.10 host 10.10.20.251 log
190 permit ip host 10.10.30.193 host 10.10.20.99
200 permit ip host 10.10.30.193 host 10.10.20.251
210 permit ip host 10.10.20.94 host 10.10.20.99
220 permit ip host 10.10.20.94 host 10.10.20.251
230 permit ip host 10.10.30.24 host 10.10.20.251
240 permit ip host 10.10.30.24 host 10.10.20.99
250 permit ip host 10.10.30.24 host 10.10.20.147
260 permit ip host 10.10.30.24 host 10.10.20.148
270 permit ip host 10.10.20.58 host 10.10.20.147
280 permit ip host 10.10.20.58 host 10.10.20.148
290 permit ip host 10.10.20.91 host 10.10.20.147
300 permit ip host 10.10.20.91 host 10.10.20.148
310 permit ip host 10.10.30.190 host 10.10.20.147
320 permit ip host 10.10.30.190 host 10.10.20.148
330 permit ip host 10.10.30.90 host 10.10.20.147
340 permit ip host 10.10.30.90 host 10.10.20.148
350 permit ip host 10.10.20.94 host 10.10.20.147
360 permit ip host 10.10.20.94 host 10.10.20.148
370 permit ip host 10.10.20.88 host 10.10.20.147
380 permit ip host 10.10.20.88 host 10.10.20.148
390 permit ip host 10.10.20.79 host 10.10.20.147
400 permit ip host 10.10.20.79 host 10.10.20.148
410 permit ip host 10.10.30.103 host 10.10.20.147
420 permit ip host 10.10.30.103 host 10.10.20.148
430 permit ip host 10.10.30.135 host 10.10.20.147
440 permit ip host 10.10.30.135 host 10.10.20.148
450 permit ip host 10.10.130.238 host 10.10.20.147
460 permit ip host 10.10.130.238 host 10.10.20.148
470 permit ip host 10.10.20.164 host 10.10.20.147
480 permit ip host 10.10.20.164 host 10.10.20.148
490 permit ip host 10.10.20.179 host 10.10.20.147
500 permit ip host 10.10.20.179 host 10.10.20.148
510 permit ip host 10.10.20.75 host 10.10.20.147
520 permit ip host 10.10.20.75 host 10.10.20.148
530 permit ip host 10.10.30.195 host 10.10.20.147
540 permit ip host 10.10.30.195 host 10.10.20.148
550 permit ip host 10.10.20.137 host 10.10.20.147
560 permit ip host 10.10.20.137 host 10.10.20.148
570 permit ip host 10.10.20.136 host 10.10.20.147
580 permit ip host 10.10.20.136 host 10.10.20.148
590 permit ip host 10.10.20.230 host 10.10.20.147
600 permit ip host 10.10.20.230 host 10.10.20.148

!!! No Matches - hosts are local to each other !!! Yet when ACL is in place it stops them from communicating.
610 permit ip host 10.10.20.147 host 10.10.20.99 log
620 permit ip host 10.10.20.147 host 10.10.20.251 log
630 permit ip host 10.10.20.148 host 10.10.20.99 log
640 permit ip host 10.10.20.148 host 10.10.20.251 log

Hello

@Tom.R wrote:
But, nevertheless, when the ACL is applied, the RDP VM's can't access the Business VM's via their client.

Can you elaborate on the above. What ACEs in that access-list relate to the Extended IP access list JDE-Access-Restriction?

Kind Regards
Paul

!!! These allow the specific users to access the RDP VM's that have the business application on them !!!

remark ACCOUNTING TO VMs
permit ip host 10.10.20.58 host 10.10.20.147
permit ip host 10.10.20.58 host 10.10.20.148
permit ip host 10.10.20.91 host 10.10.20.147
permit ip host 10.10.20.91 host 10.10.20.148
permit ip host 10.10.30.190 host 10.10.20.147
permit ip host 10.10.30.190 host 10.10.20.148
permit ip host 10.10.30.90 host 10.10.20.147
permit ip host 10.10.30.90 host 10.10.20.148
permit ip host 10.10.20.94 host 10.10.20.147
permit ip host 10.10.20.94 host 10.10.20.148
permit ip host 10.10.20.88 host 10.10.20.147
permit ip host 10.10.20.88 host 10.10.20.148
permit ip host 10.10.20.79 host 10.10.20.147
permit ip host 10.10.20.79 host 10.10.20.148
permit ip host 10.10.30.103 host 10.10.20.147
permit ip host 10.10.30.103 host 10.10.20.148
permit ip host 10.10.30.135 host 10.10.20.147
permit ip host 10.10.30.135 host 10.10.20.148
permit ip host 10.10.130.238 host 10.10.20.147
permit ip host 10.10.130.238 host 10.10.20.148
permit ip host 10.10.20.164 host 10.10.20.147
permit ip host 10.10.20.164 host 10.10.20.148
permit ip host 10.10.20.179 host 10.10.20.147
permit ip host 10.10.20.179 host 10.10.20.148
permit ip host 10.10.20.75 host 10.10.20.147
permit ip host 10.10.20.75 host 10.10.20.148
permit ip host 10.10.30.195 host 10.10.20.147
permit ip host 10.10.30.195 host 10.10.20.148
permit ip host 10.10.20.137 host 10.10.20.147
permit ip host 10.10.20.137 host 10.10.20.148
permit ip host 10.10.20.136 host 10.10.20.147
permit ip host 10.10.20.136 host 10.10.20.148
permit ip host 10.10.20.230 host 10.10.20.147
permit ip host 10.10.20.230 host 10.10.20.148

!!! These allow other systems to access the business-specific VMs "JDE" (.99, .251), monitoring etc. !!!

remark VERITAS TO JDE
permit ip host 10.10.200.72 host 10.10.20.99 log
permit ip host 10.10.200.72 host 10.10.20.251 log
remark OpMGR TO SWITCH and JDE
permit ip host 10.10.200.240 host 10.10.20.8 log
permit ip host 10.10.200.240 host 10.10.20.99 log
permit ip host 10.10.200.240 host 10.10.20.251 log
remark MICHAEL TO JDE and VMs
permit ip host 10.10.30.206 host 10.10.20.99 log
permit ip host 10.10.30.206 host 10.10.20.251 log
permit ip host 10.10.30.206 host 10.10.20.147 log
permit ip host 10.10.30.206 host 10.10.20.148 log
permit ip host 10.10.30.206 host 10.10.30.231 log
remark CHACO TO JDE
permit ip host 10.10.20.10 host 10.10.20.99 log
permit ip host 10.10.20.10 host 10.10.20.251 log

I found out what was happening.

The device 10.10.20.10 has to talk to the business-specific VM's (.99, .251), which I have a rule for.

permit ip host 10.10.20.10 host 10.10.20.99 log
permit ip host 10.10.20.10 host 10.10.20.251 log

However, for some reason I was seeing deny activity with 10.10.20.10 trying to communicate with the two RDP VM's (.147, .148). I added the statements below and now they're working.

permit ip host 10.10.20.10 host 10.10.20.147 log
permit ip host 10.10.20.10 host 10.10.20.148 log

No idea why this device needs to see those hosts, since it never did before and it worked months ago. Anyway, I hope this helps someone in the future.
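The fix above comes down to first-match ACL semantics plus the implicit deny at the end of every IOS extended ACL: any flow not covered by a permit is dropped, whether or not the sender "should" need it. The following added example (not from this thread or from Cisco) is a minimal evaluator for `permit|deny ip host A host B` / `any` entries that reports which of a set of expected flows an ACL would drop, so gaps like the missing 10.10.20.10 to .147/.148 entries can be found before the ACL is applied to the interface; the ACL snippets are constructed from the CHACO entries in the thread.

```python
import ipaddress
import re

# Matches optional sequence number, action, "ip", then host/any source and destination.
# Trailing "log (N matches)" text is ignored; remark lines never match.
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+ip\s+(host\s+\S+|any)\s+(host\s+\S+|any)",
    re.IGNORECASE,
)

def _endpoint(token):
    """'host 10.0.0.1' -> IPv4Address; 'any' -> None (wildcard)."""
    tok = token.split()
    return None if tok[0].lower() == "any" else ipaddress.ip_address(tok[1])

def parse_acl(text):
    """Return (action, src, dst) tuples in configured order; remarks and blanks are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, src, dst = m.groups()
            aces.append((action.lower(), _endpoint(src), _endpoint(dst)))
    return aces

def evaluate(aces, src, dst):
    """First-match semantics; index is None when the implicit 'deny ip any any' fires."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, asrc, adst) in enumerate(aces):
        if (asrc is None or asrc == s) and (adst is None or adst == d):
            return action, i
    return "deny", None

def denied_flows(acl_text, flows):
    """Return the (src, dst) pairs the ACL would drop, for pre-deployment review."""
    aces = parse_acl(acl_text)
    return [f for f in flows if evaluate(aces, *f)[0] == "deny"]

# Constructed sample modelled on the thread's CHACO entries: they only cover
# .99/.251, so traffic from 10.10.20.10 to .147/.148 hits the implicit deny.
ACL_BEFORE = """
remark CHACO TO JDE
permit ip host 10.10.20.10 host 10.10.20.99 log
permit ip host 10.10.20.10 host 10.10.20.251 log
"""
ACL_AFTER = ACL_BEFORE + """
permit ip host 10.10.20.10 host 10.10.20.147 log
permit ip host 10.10.20.10 host 10.10.20.148 log
"""
if __name__ == "__main__":
    print("dropped before fix:", denied_flows(ACL_BEFORE, [("10.10.20.10", "10.10.20.147")]))
```

Feeding it the full `show access-list` output from the thread works the same way, since sequence numbers and match counters are ignored by the pattern.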
