access list stops working

t.ricco
Level 1

Hello group members,

It's really strange, but since setting up new access lists (I never used them before) I have noticed that the lists stop working 24h after being applied to the interface. This happens on a C9200L with IOS XE 17.3.7 (and on an older C4500X).

My lists look like this:

ip access-list extended 111
  remark packets on port 22,80,443 from host (10.0.0.10) to server (10.0.0.11) allowed
  permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 22
  permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 80
  permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 443
  remark only established connections from server to host allowed
  permit tcp host 10.0.0.11 eq 22 host 10.0.0.10 range 0 65535 established
  permit tcp host 10.0.0.11 eq 80 host 10.0.0.10 range 0 65535 established
  permit tcp host 10.0.0.11 eq 443 host 10.0.0.10 range 0 65535 established
  deny ip any any

The interface of the server (10.0.0.11) looks like this:

interface GigabitEthernet1/0/11
  description Server with IP 10.0.0.11
  switchport access vlan 11
  switchport mode access
  switchport port-security violation restrict
  switchport port-security mac-address-sticky
  switchport port-security
  ip access-group 111 in
  spanning-tree portfast

The interface of the host (10.0.0.10) has no ip access-group entry.

After setting
ip access-group 111 in

the connection works for 24h (reproducibly), then it stops. No access to the server ports 22, 80 and 443 is possible anymore.

By reapplying it via:

no ip access-group 111 in

and

ip access-group 111 in

it works for the next 24h...

Maybe it has something to do with the "established" part of the rule... but why in the world does it stop working after 24h????

And why does it work after reapplying? If the rule were wrong, the ACL should not work for a second....

Any hints are welcome, thanks.

1 Accepted Solution

Accepted Solutions

Can you do the following'

Ip access-list extended 111

Deny ip any any log 

Direct IN 

Let see what traffic drop in this direction.

View solution in original post

4 Replies

Hi @t.ricco

It can be a bug, but I believe it can also be related to port security. The port-security aging time is 24 hrs. I would try removing port security on the port and see if something changes.

Can you do the following?

ip access-list extended 111

deny ip any any log

Direction: in

Let's see what traffic drops in this direction.

Thank you for all your replies.

I think the problem was linked to DHCP and the lease time of 24h. I found in the log file that the server asked for a new lease after 12h but didn't get an answer, due to the restrictions. After 24h the DHCP address expired.

Therefore I added these lines to the rules:

permit udp host 10.0.0.11 eq 68 any eq 67
permit udp host 10.0.0.1 eq 67 host 10.0.0.11 eq 68

If this does not work I'll remove DHCP and use a fixed IP, or use the MAC addresses instead.
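As an added example (written for this edit, not code from the thread or from Cisco), the Python script below replays a few constructed packets against the posted ACL, because three things are worth checking before concluding that the two new lines fix DHCP, and because it also answers the "established" question in the original post. First, an inbound ACL on the server's access port only sees frames the server itself sends, so the "host 10.0.0.1 eq 67" line (like the three host-to-server lines) can never match there. Second, an entry typed into an existing named ACL without a sequence number is appended after the explicit "deny ip any any", so it is never reached; it has to be given a sequence number below the deny's. Third, once the lease has actually expired the client is back in INIT and sends its DISCOVER from 0.0.0.0 to 255.255.255.255 (RFC 2131), which "host 10.0.0.11" does not cover, so renewals work but a cold start still fails. Assumptions: 10.0.0.1 is the DHCP server (taken from the reply above); the client port 51514, the sequence numbers 25 and 26 and the broadcast entry are made up for the example; the 80/443 entries are left out because they behave exactly like the 22 ones.

```python
"""Replay constructed packets against Cisco-style extended ACL entries.

Added example for this thread, not code from any post. It parses the IOS ACL syntax used
above (permit/deny, ip/tcp/udp, any/host/wildcard, eq/range, established, log, sequence
numbers) with IOS semantics: ACEs ordered by sequence number, unnumbered ones appended after
the last, first match wins, implicit deny at the end, "established" = TCP ACK (or RST) set."""
import ipaddress
from collections import namedtuple

# Packet.ack stands for TCP ACK/RST; Entry.src/dst are (address, wildcard) 32-bit ints.
Packet = namedtuple("Packet", "proto src sport dst dport ack", defaults=(False,))
Entry = namedtuple("Entry", "action proto src sport dst dport established text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD'  ->  ((address, wildcard), next index)
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _ports(tok, i):  # optional 'eq N' | 'range A B'  ->  (inclusive range or None, next index)
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse ACEs into IOS order; remarks and the 'ip access-list' header are skipped."""
    numbered, top = [], 0
    for raw in text.strip().splitlines():
        tok = raw.split()
        seq = int(tok.pop(0)) if tok and tok[0].isdigit() else None
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        seq = top + 10 if seq is None else seq  # an unnumbered ACE lands after the last one
        top = max(top, seq)
        src, i = _addr(tok, 2)
        sport, i = _ports(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i)
        numbered.append((seq, Entry(tok[0], tok[1], src, sport, dst, dport,
                                    "established" in tok[i:], raw.strip())))
    return [e for _, e in sorted(numbered, key=lambda t: t[0])]

def _in(addr, spec):  # a set wildcard bit means "don't care"
    keep = ~spec[1] & 0xFFFFFFFF
    return (_ip(addr) & keep) == (spec[0] & keep)

def matches(e, p):
    ok = lambda port, rng: rng is None or rng[0] <= port <= rng[1]  # None: any port
    if e.proto not in ("ip", p.proto) or not (_in(p.src, e.src) and _in(p.dst, e.dst)):
        return False
    if e.proto != "ip" and not (ok(p.sport, e.sport) and ok(p.dport, e.dport)):
        return False
    return not e.established or (p.proto == "tcp" and p.ack)

def evaluate(acl, p):  # first matching ACE wins; anything left hits the implicit deny
    for e in acl:
        if matches(e, p):
            return e.action, e.text
    return "deny", "(implicit deny)"

# The posted list with the 80/443 entries omitted (they have the same shape as the 22 ones).
ACL_111 = """
 permit tcp host 10.0.0.10 range 0 65535 host 10.0.0.11 eq 22
 permit tcp host 10.0.0.11 eq 22 host 10.0.0.10 range 0 65535 established
 deny ip any any
"""
# Lines from the reply above, typed in with no sequence number: IOS appends them after the deny (30).
THREAD_FIX = """
permit udp host 10.0.0.11 eq 68 any eq 67
permit udp host 10.0.0.1 eq 67 host 10.0.0.11 eq 68
"""
# The renew entry with an assumed number below the deny's, so it is inserted before it.
SEQUENCED_FIX = "25 permit udp host 10.0.0.11 eq 68 any eq 67\n"
# Assumed extra entry: a client whose lease expired is in INIT and sends DISCOVER from
# 0.0.0.0 to 255.255.255.255 (RFC 2131), which no "host 10.0.0.11" entry covers.
BROADCAST_FIX = "26 permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67\n"

# Constructed packets as the inbound PACL on the server port sees them (only server-sent frames).
PACKETS = {
    "ssh reply to the host": Packet("tcp", "10.0.0.11", 22, "10.0.0.10", 51514, ack=True),
    "syn-only from server port 22": Packet("tcp", "10.0.0.11", 22, "10.0.0.10", 51514),
    "dhcp renew at T1 (unicast)": Packet("udp", "10.0.0.11", 68, "10.0.0.1", 67),
    "dhcp discover after expiry": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
}

def verdicts(acl_text):
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p)[0] for name, p in PACKETS.items()}

if __name__ == "__main__":
    for label, text in [("posted", ACL_111), ("appended", ACL_111 + THREAD_FIX),
                        ("sequenced", ACL_111 + SEQUENCED_FIX + BROADCAST_FIX)]:
        print(label, verdicts(text))
```

Running the script prints the verdict for each packet under the posted list, the list with the two lines appended, and the list with the sequenced entries; the appended version gives the same result as the posted one, which is the trap. On the switch, "show ip access-lists 111" shows the sequence numbers and therefore whether a new line ended up below the deny.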


Joseph W. Doherty
Hall of Fame

Hmm, I don't recall ever seeing an L3 ACL applied on an L2 interface. In theory, if the hardware supports it, I don't see why it cannot be done. (Has anyone seen this done?)

Just curious, was the range 0 65535 actually entered that way, or did the switch generate that option?

@Flavio Miranda's observation about port security's 24-hour timer is interesting. Any messages in syslog at the 24-hour mark?

Do you have a support contract?