Access list in the switch 9200-48P

Dear all,

I created an extended access list in the switch to permit only some IPs to access a specific VLAN, but it worked for a couple of hours and then started to drop all traffic.

Does someone have an idea why this is happening?

ip access-list extended traffic-to-security-lan
 10 permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 20 permit ip host 10.10.1.132 10.10.20.0 0.0.0.255
 30 deny ip any any

interface Vlan2300
 ip address 10.20.0.254 255.255.255.0
 ip access-group traffic-to-security-lan out


9 Replies

hi @abdelmadjid.gueffaz, since you are trying the ACL on an intermediate device in a different network, make sure your traffic traverses the correct path and verify it. Since we cannot see your complete network topology, I guess the traffic may be trying to use a different path.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

The topology is just the firewall and core switch which is 9200 that I am using for the ACL.

The hosts in this specific VLAN are using the core switch as a gateway, 10.20.0.254.

I would think it would block completely if the IP of the VLAN is 10.20.0, but your ACL only allows 10.10.20.0/24.

Unless I am confused on your IP scheme, I don't know how anything would be able to exit the VLAN with that ACL.

It allows only the traffic coming from the 192.168.1.0/24 network and the host 10.10.1.132 to access this VLAN.

But the ACL is on traffic out of the VLAN, so anything in the VLAN can only talk to 10.10.20.0/24 if its IP is in the 192.168.1.0/24 network, or it is the host 10.10.1.132. Anything else would be dropped.

From what you are saying, you would want to apply it inbound.

For a port, think of it as "in" from a client and "out" to the network; for the VLAN, think of it as "in" to the VLAN and "out" from the VLAN.


Why it works for an hour or so is odd, as it should stop traffic as soon as you apply it, since the ACL doesn't include "established" to let existing sessions remain.

The ACL works fine for just a couple of hours and then it drops all the traffic with no exception.

An ACL either works or doesn't - I've never heard (in 23 years of working with IOS) of an ACL stopping working after a few hours.  IOS bugs do sometimes blow the mind, but I doubt that this is one.  There are bugs which can cause an ACL to stop working after you make a change in some older IOS versions, and on some platforms an ACL can malfunction if there is not enough TCAM, but neither of those happens after a period of time.
What version of IOS are you using?

As the others have said, your description does not match your configuration.
You should probably draw a diagram showing where each subnet and IP is located and which you want to allow/deny.

Generally speaking, it's better to apply ACLs inbound rather than outbound - from a security point of view there is no point routing traffic across the router and then dropping it outbound; just drop it inbound.  Outbound ACLs also don't filter traffic originated on the router itself - a loophole which is often overlooked - whereas an inbound ACL will filter both transit and locally destined traffic.

Have you maybe got 10.20.0.0/24 confused with 10.10.20.0/24?
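The subnet question raised in the replies above can be checked offline before touching the switch. The following script is an added example, not code from the thread or from Cisco: it evaluates the posted ACL with Cisco wildcard-mask and first-match semantics against a few constructed flows, and shows that with the ACL applied "out" on the SVI (packets forwarded toward the 10.20.0.0/24 hosts) no permit entry ever matches, so the explicit deny at sequence 30 drops everything.

```python
import ipaddress

# The ACL from the original post, as (seq, action, src, src_wildcard, dst, dst_wildcard).
# "host" is expressed as wildcard 0.0.0.0, "any" as 0.0.0.0 with wildcard 255.255.255.255.
ACL_TRAFFIC_TO_SECURITY_LAN = [
    (10, "permit", "192.168.1.0", "0.0.0.255",       "10.10.20.0", "0.0.0.255"),
    (20, "permit", "10.10.1.132", "0.0.0.0",         "10.10.20.0", "0.0.0.255"),
    (30, "deny",   "0.0.0.0",     "255.255.255.255", "0.0.0.0",    "255.255.255.255"),
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & care) == 0


def evaluate(acl, src: str, dst: str):
    """First-match evaluation; returns (seq, action). Implicit deny if no entry matches."""
    for seq, action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return seq, action
    return None, "deny"  # the implicit deny at the end of every Cisco ACL


# Constructed sample flows (src, dst). With "ip access-group ... out" on Vlan2300 the ACL
# sees packets the switch forwards toward the VLAN, so the destination is a 10.20.0.0/24 host.
SAMPLE_FLOWS = [
    ("192.168.1.10", "10.20.0.50"),   # permitted source, but the real VLAN subnet as destination
    ("10.10.1.132",  "10.20.0.50"),   # permitted host, same problem
    ("192.168.1.10", "10.10.20.50"),  # the subnet the ACL was actually written for
    ("172.16.5.5",   "10.10.20.50"),  # source not listed at all
]


def check_flows(acl=ACL_TRAFFIC_TO_SECURITY_LAN, flows=SAMPLE_FLOWS):
    """Map each (src, dst) flow to the (seq, action) that the ACL applies to it."""
    return {(s, d): evaluate(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    for (s, d), (seq, action) in check_flows().items():
        print(f"{s:>14} -> {d:<12} seq {seq}: {action}")
```

Only the flow toward 10.10.20.0/24 reaches a permit entry; everything destined for the VLAN's real subnet falls through to sequence 30, which is exactly the "drops all traffic" behaviour described.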

If you have another L3 device, then there is a chance that the traffic never hits this VLAN SVI but hits the other L3 device, where the traffic is allowed,
and when it hits this VLAN SVI it is dropped.
