05-12-2023 07:46 AM
Dear all,
I created an extended access list in the switch to permit only some IPs to access a specific VLAN, but it worked for a couple of hours and then started to drop all traffic.
Does someone have an idea why this is happening?
ip access-list extended traffic-to-security-lan
10 permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
20 permit ip host 10.10.1.132 10.10.20.0 0.0.0.255
30 deny ip any any
interface Vlan2300
ip address 10.20.0.254 255.255.255.0
ip access-group traffic-to-security-lan out
05-12-2023 08:26 AM
Hi @abdelmadjid.gueffaz, since you are trying the ACL in some intermediate device within a different network, make sure your traffic traverses the correct path and verify it. Since we cannot see your complete network topology, I guess the traffic may be trying to use a different path.
05-12-2023 08:38 AM
The topology is just the firewall and the core switch, which is a 9200, that I am using for the ACL.
And the hosts in this specific VLAN are using the core switch as their gateway, 10.20.0.254.
05-12-2023 08:32 AM
I would think it would block completely if the IP of the VLAN is 10.20.0, but your ACL only allows 10.10.20.0/24.
Unless I am confused about your IP scheme, I don't know how anything would be able to exit the VLAN with that ACL.
05-12-2023 08:39 AM
It allows only the traffic coming from the 192.168.1.0/24 network and the host 10.10.1.132 to access this VLAN.
05-12-2023 08:51 AM
But the ACL is on traffic out of the VLAN, so anything in the VLAN can only talk to 10.10.20.0/24 if its IP is in the 192.168.1.0/24 network or it is the host 10.10.1.132. Anything else would be dropped.
05-12-2023 09:02 AM - edited 05-12-2023 09:03 AM
From what you are saying, you would want to apply it in.
For a port, think of it as in from a client, out to the network; for the VLAN, think of it as in to the VLAN and out from the VLAN.
Why it works for an hour or so is odd, as it should be stopping as soon as you apply it, since the ACL doesn't include established to remain.
05-12-2023 09:48 AM
The ACL works fine for just a couple of hours and then it drops all the traffic with no exception.
05-22-2023 06:56 AM
An ACL either works or doesn't. I've never heard (in 23 years of working with IOS) of an ACL stopping working after a few hours. IOS bugs do sometimes blow the mind, but I doubt that this is one. There are bugs which can cause an ACL to stop working after you make a change in some older IOS, and on some platforms an ACL can malfunction if there is not enough TCAM, but neither of those happens after a time.
What version of IOS are you using?
As the others have said your description does not match your configuration.
You should probably draw a diagram showing where each subnet and IP is located and which you want to allow/deny.
Generally speaking, it's better to apply ACLs inbound rather than outbound. From a security point of view there is no point routing traffic across the router and then dropping it outbound; just drop it inbound. Outbound ACLs also don't filter traffic originated on the router itself (a loophole which is often overlooked), whereas an inbound ACL will filter both transit and locally destined traffic.
Have you maybe got 10.20.0.0/24 confused with 10.10.20.0/24?
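The two points raised in this thread (the 09:02 AM post on which direction an SVI ACL inspects, and the subnet mix-up between 10.20.0.0/24 and 10.10.20.0/24 asked about above) can be checked offline by evaluating the posted ACL the way IOS does: first matching ACE wins, wildcard bits set to 1 are "don't care", and an implicit deny sits at the end. The following is an added example, not code from the original thread or from Cisco; it parses the ACL exactly as posted, models which packets an "in" or "out" ACL on the Vlan2300 SVI actually sees, and runs a few constructed sample flows through both the posted ACL and an assumed corrected one whose destination is 10.20.0.0/24 (the intent we infer from the question, not something the thread confirms).

```python
import ipaddress
from dataclasses import dataclass

# IOS wildcard masks: a 1 bit means "don't care", a 0 bit must match the base address.
@dataclass
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    src: tuple               # (base_address_as_int, wildcard_as_int)
    dst: tuple

def _parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host X', or 'X WILDCARD') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return base, wild

def parse_acl(text):
    """Parse numbered 'permit|deny ip SRC DST' lines of an extended ACL (protocol 'ip' only)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "ip":      # skip the 'ip access-list extended ...' header
            continue
        seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled, got {proto!r}")
        aces.append(Ace(seq, action, _parse_addr(tokens), _parse_addr(tokens)))
    return aces

def _matches(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF                      # bits that must be equal
    return (addr & care) == (base & care)

def evaluate(aces, src_ip, dst_ip):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action, ace.seq
    return "deny", None

VLAN2300 = ipaddress.IPv4Network("10.20.0.0/24")   # subnet of the SVI from the thread

def svi_filtered_flows(aces, direction, flows):
    """Model an ACL applied 'in' or 'out' on the Vlan2300 SVI.
    'out' inspects routed packets leaving the SVI toward hosts in the VLAN (destination
    in 10.20.0.0/24); 'in' inspects packets arriving from VLAN hosts (source in the VLAN).
    Any other flow never reaches this ACL and is reported as 'not-inspected'."""
    verdicts = {}
    for src, dst in flows:
        src_in = ipaddress.IPv4Address(src) in VLAN2300
        dst_in = ipaddress.IPv4Address(dst) in VLAN2300
        if (direction == "out" and dst_in) or (direction == "in" and src_in):
            verdicts[(src, dst)] = evaluate(aces, src, dst)[0]
        else:
            verdicts[(src, dst)] = "not-inspected"
    return verdicts

# The ACL exactly as posted in the question.
THREAD_ACL = parse_acl("""
ip access-list extended traffic-to-security-lan
10 permit ip 192.168.1.0 0.0.0.255 10.10.20.0 0.0.0.255
20 permit ip host 10.10.1.132 10.10.20.0 0.0.0.255
30 deny ip any any
""")

# Assumed correction: same sources, destination changed to the SVI's own subnet.
CORRECTED_ACL = parse_acl("""
10 permit ip 192.168.1.0 0.0.0.255 10.20.0.0 0.0.0.255
20 permit ip host 10.10.1.132 10.20.0.0 0.0.0.255
30 deny ip any any
""")

# Constructed sample flows (src, dst); 10.20.0.50 stands in for a host in VLAN 2300.
SAMPLE_FLOWS = [
    ("192.168.1.10", "10.20.0.50"),   # should be allowed per the question's intent
    ("10.10.1.132", "10.20.0.50"),    # should be allowed per the question's intent
    ("172.16.5.5", "10.20.0.50"),     # should be denied
    ("10.20.0.50", "192.168.1.10"),   # return traffic, leaves the VLAN: not seen by 'out'
]

if __name__ == "__main__":
    for name, acl in (("posted", THREAD_ACL), ("corrected", CORRECTED_ACL)):
        print(f"--- {name} ACL applied 'out' on Vlan2300 ---")
        for flow, verdict in svi_filtered_flows(acl, "out", SAMPLE_FLOWS).items():
            print(f"{flow[0]:>14} -> {flow[1]:<14} {verdict}")
```

With the posted ACL, every packet the outbound ACL actually inspects has a destination in 10.20.0.0/24, so neither permit line (both require a 10.10.20.0/24 destination) can match and sequence 30 drops it; only the destination typo separates the two results, which is the check worth doing before suspecting a platform bug.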
05-22-2023 07:49 AM
If you have another L3 device, then there is a chance that the traffic never hits this VLAN SVI but hits the other L3 device, where it is allowed,
and when it does hit this VLAN SVI it is dropped.
10-26-2024 11:37 PM
Hi @abdelmadjid.gueffaz. Some switches have limits on the number of ACEs (Access Control Entries) that can be processed or the number of flows they can handle before the ACL behavior degrades. If the switch is reaching a limit, this can cause inconsistent behavior or even start dropping packets unexpectedly. For example, the Cisco 2960-X switch supports up to 256 ACLs per switch.