07-17-2023 03:15 PM
Hello Group-Members,
It's really strange, but since setting up new access lists (I never used them before) I noticed that the list stops working 24h after applying it to the interface. This happens on a C9200L with IOS XE 17.3.7 (and on an older C4500X).
My lists look like this:
ip access-list extended 111
remark packets on port 22,80,443 from host (10.0.0.10) to server (10.0.0.11) allowed
permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 22
permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 80
permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 443
remark only established connections from server to host allowed
permit tcp host 10.0.0.11 eq 22 host 10.0.0.10 range 0 65535 established
permit tcp host 10.0.0.11 eq 80 host 10.0.0.10 range 0 65535 established
permit tcp host 10.0.0.11 eq 443 host 10.0.0.10 range 0 65535 established
deny ip any any
The Interface of the server (10.0.0.11) looks like this:
interface GigabitEthernet1/0/11
description Server with IP 10.0.0.11
switchport access vlan 11
switchport mode access
switchport port-security violation restrict
switchport port-security mac-address-sticky
switchport port-security
ip access-group 111 in
spanning-tree portfast
The Interface of the Host (10.0.0.10) has no ip access-group entry.
After setting
ip access-group 111 in
the connection works for 24h (reproducible), then it stops. No access to the server ports 22, 80, 443 is possible anymore.
By reapplying it via:
no ip access-group 111 in
and
ip access-group 111 in
It's working for the next 24h...
Maybe it has something to do with the "established" part of the rule... but why in the world does it stop working after 24h????
And why does it work after reapplying? If the rule were wrong, the ACL should not work for a second....
Any hints are welcome, thanks.
07-17-2023 03:45 PM - edited 07-17-2023 03:46 PM
Can you do the following:
ip access-list extended 111
deny ip any any log
Direction: in
Let's see what traffic drops in this direction.
07-17-2023 03:39 PM
Hi @t.ricco
It can be a bug, but I believe it can also be related to port security. Port security aging time is 24 hrs. I would try to remove port security on the port and see if something changes.
07-20-2023 07:01 AM
Thank you for all your replies.
I think the problem was linked to DHCP and the lease time of 24h. I found in the log file that the server asked for a new lease after 12h but didn't get an answer due to the restrictions. After 24h the DHCP address expired.
Therefore I added these lines to the rules:
permit udp host 10.0.0.11 eq 68 any eq 67
permit udp host 10.0.0.1 eq 67 host 10.0.0.11 eq 68
If this does not work I'll remove DHCP and use a fixed IP, or use the MAC addresses instead.
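The lease-time explanation above can be checked offline by replaying the ACL against the packets the server actually sends. The following is an added example written for this thread, not code from the original poster or from Cisco: a small evaluator for the extended-ACL syntax quoted in the thread (host/any/wildcard addresses, eq/range/gt/lt ports, established, trailing log, implicit deny). It runs ACL 111 as applied inbound on the server's port, so only frames sourced by 10.0.0.11 are evaluated, first against the original list and then with the two udp lines added. The DHCP server address 10.0.0.1 is taken from the added permit line; the ephemeral ports, TCP flags and the packets themselves are constructed for the example. Beyond the thread's own case it also shows what happens after a lease has fully expired: a DHCPDISCOVER is sourced from 0.0.0.0 (RFC 2131), which "host 10.0.0.11 eq 68" does not match, so a client that has already lost its address still cannot get one back through the amended list.

```python
"""Replay a Cisco-style extended ACL against constructed packets.

Added example for this thread (not the poster's or Cisco's code). Supports
only the ACE syntax used in the thread; remarks and the 'ip access-list'
header are skipped and IOS's implicit 'deny ip any any' is applied at the end.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"ACK"})


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp"
    src: IPv4Network
    sport: tuple                    # inclusive (lo, hi)
    dst: IPv4Network
    dport: tuple
    established: bool
    text: str                       # original line, for reporting


def _parse_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    # address plus wildcard mask; ipaddress accepts a hostmask as the suffix
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _parse_ports(tok, i):
    """Parse an optional eq/range/gt/lt port operator starting at tok[i]."""
    if i < len(tok):
        op = tok[i]
        if op == "eq":
            return (int(tok[i + 1]),) * 2, i + 2
        if op == "range":
            return (int(tok[i + 1]), int(tok[i + 2])), i + 3
        if op == "gt":
            return (int(tok[i + 1]) + 1, 65535), i + 2
        if op == "lt":
            return (0, int(tok[i + 1]) - 1), i + 2
    return ANY_PORT, i


def parse_acl(config: str):
    aces = []
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("remark", "ip", "!"):
            continue
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_ports(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_ports(tok, i)
        aces.append(Ace(tok[0], tok[1], src, sport, dst, dport,
                        "established" in tok[i:], line.strip()))
    return aces


def evaluate(aces, pkt: Packet):
    """First match wins; return (action, ACE text), implicit deny at the end."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ip_address(pkt.src) not in ace.src or ip_address(pkt.dst) not in ace.dst:
            continue
        if ace.proto in ("tcp", "udp"):
            if not (ace.sport[0] <= pkt.sport <= ace.sport[1]):
                continue
            if not (ace.dport[0] <= pkt.dport <= ace.dport[1]):
                continue
        if ace.established and not (pkt.flags & {"ACK", "RST"}):
            continue  # 'established' needs ACK or RST set
        return ace.action, ace.text
    return "deny", "<implicit deny ip any any>"


ACL_111 = """
ip access-list extended 111
 remark packets on port 22,80,443 from host (10.0.0.10) to server (10.0.0.11) allowed
 permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 22
 permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 80
 permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 443
 remark only established connections from server to host allowed
 permit tcp host 10.0.0.11 eq 22 host 10.0.0.10 range 0 65535 established
 permit tcp host 10.0.0.11 eq 80 host 10.0.0.10 range 0 65535 established
 permit tcp host 10.0.0.11 eq 443 host 10.0.0.10 range 0 65535 established
 deny ip any any
"""
# The thread's fix: the two udp lines inserted ahead of the final deny.
ACL_111_DHCP = ACL_111.replace(
    " deny ip any any",
    " permit udp host 10.0.0.11 eq 68 any eq 67\n"
    " permit udp host 10.0.0.1 eq 67 host 10.0.0.11 eq 68\n"
    " deny ip any any")

# Constructed packets as they enter the server's port (inbound direction).
PACKETS = {
    "ssh_reply": Packet("tcp", "10.0.0.11", "10.0.0.10", 22, 51515, frozenset({"SYN", "ACK"})),
    "server_initiated_syn": Packet("tcp", "10.0.0.11", "10.0.0.10", 22, 4444, frozenset({"SYN"})),
    "dhcp_renew_t1": Packet("udp", "10.0.0.11", "10.0.0.1", 68, 67),          # unicast, lease/2
    "dhcp_rebind_t2": Packet("udp", "10.0.0.11", "255.255.255.255", 68, 67),  # broadcast
    "dhcp_discover_expired": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
}


def verdicts(acl_text: str) -> dict:
    """Map each constructed packet name to the action the ACL takes on it."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("original ACL 111", ACL_111), ("ACL 111 + DHCP lines", ACL_111_DHCP)):
        print(label)
        for name, pkt in PACKETS.items():
            action, ace = evaluate(parse_acl(acl), pkt)
            print(f"  {name:24s} {action:6s} <- {ace}")
```

Running the script shows the renewal at 12h and the broadcast rebind both hitting "deny ip any any" under the original list, which is exactly what the poster found in the log, and both passing once the udp lines are present. The reply line "permit udp host 10.0.0.1 eq 67 host 10.0.0.11 eq 68" never matches in this direction, because offers and acks from the DHCP server enter the switch on a different port and are not evaluated by an ACL that is inbound on the server's port; it is harmless but does no work there. The last row is the caveat: once the lease has expired the client restarts with source 0.0.0.0, so a line keyed on "host 10.0.0.11" still drops it, and a list that must survive a full expiry needs the source widened (for example to "any eq 68").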
07-18-2023 05:26 AM
Hmm, I don't recall ever seeing an L3 ACL applied on an L2 interface. In theory, if the hardware supports it, I don't see why it cannot be done. (Anyone seen this done?)
Just curious, was the range 0 65535 actually entered that way or did the switch generate that option?
@Flavio Miranda's observation about port security's 24-hour timer is interesting. Any messages in syslog at the 24-hour mark?
Do you have a support contract?