ACL not working as intended

Ryan17 (Level 1)

I am trying to apply an ACL that functions as a 'blacklist' as opposed to a 'whitelist'.

The intent is to block specific IPs from accessing an entire VLAN.

This is a temporary solution until I can place a proper firewall between these segments.

After applying the ACL outbound on the VLAN interface, I was still able to reach hosts on the VLAN from hosts included in the object group defined in the DENY rule of the ACL.

Your help is much appreciated.

Thank you.

Here is my config:

object-group ip address BlockedIPsObjGroup
  10 192.168.14.226/32
  20 192.168.15.28/32
  30 192.168.15.29/32
  40 192.168.15.40/29

ip access-list BlockIPsACL
  10 deny ip addrgroup BlockedIPsObjGroup 10.21.0.0/24
  20 permit ip any any

interface Vlan21
  no shutdown
  mtu 9126
  ip access-group BlockIPsACL out
  ip address 10.21.0.2/24
  vrrp 21
    priority 90
    authentication text ******
    address 10.21.0.1
    no shutdown


Hello,

try to change your object group from ip address to network:

object-group network BlockedIPsObjGroup

Actually, try the format below:

object-group network BlockedIPsObjGroup
10 host 192.168.14.226
20 host 192.168.15.28
30 host 192.168.15.29
40 192.168.15.40/29

I agree with this answer, but I don't have access to an IOS new enough to support object-groups. So... just to piggyback on the original question, for clarification...

What's the difference between:

object-group network
object-group ip address

...when specified in an ACL?

All I can find in Cisco docs/Google is that "ip address" object-groups are used in Policy Based ACLs (PBACL). I'm just curious how they differ from each other when the contents of each group appear the same.

Hello,

the reason I suggested using 'network' for the object group is that the only examples and documentation I could find were with that option. I don't know if you can mix host addresses and network ranges when 'ip address' is specified, but with the 'network' option, it is explicitly stated that this is possible.

I used the document below for reference:

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-C17CA31E-9997-4255-B38E-5F03AF0E687B

Ryan17 (Level 1)

Actually, this is working as intended. I just missed a major piece of the puzzle.

Most of the hosts I was trying to deny are load-balanced servers.

These servers use the LB as their gateway and are NAT'd on the way out behind their virtual service's IP.

That IP wasn't in the list...

Sometimes things are clearer the next day.

Thanks for the help everyone!
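
The following is an added worked example, not code from the thread or from Cisco. It models the ACL in the original post (first-match evaluation, explicit `permit ip any any` at the end) in Python and reproduces the situation the accepted answer describes: a packet sourced directly from a blocked server is denied, but once the load balancer source-NATs it behind its virtual service IP, the deny entry no longer matches. The VIP `192.168.15.100` and the list of observed source addresses are constructed for the example; the `uncovered_sources` check is the step that would have exposed the missing VIP, by comparing the sources actually seen entering the VLAN against the object group.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Object group from the original post, expanded to networks.
# A /32 is a single host; the /29 covers 192.168.15.40 - 192.168.15.47.
BLOCKED_IPS_OBJ_GROUP = [
    ipaddress.ip_network("192.168.14.226/32"),
    ipaddress.ip_network("192.168.15.28/32"),
    ipaddress.ip_network("192.168.15.29/32"),
    ipaddress.ip_network("192.168.15.40/29"),
]

ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Ace:
    """One access-control entry: sequence number, action, source and destination sets."""
    seq: int
    action: str                      # "deny" or "permit"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]


# ip access-list BlockIPsACL from the post, as applied outbound on Vlan21
# (traffic leaving the SVI towards hosts in 10.21.0.0/24).
BLOCK_IPS_ACL = [
    Ace(10, "deny", BLOCKED_IPS_OBJ_GROUP, [ipaddress.ip_network("10.21.0.0/24")]),
    Ace(20, "permit", ANY, ANY),
]


def _matches(addr: ipaddress.IPv4Address, nets: List[ipaddress.IPv4Network]) -> bool:
    return any(addr in n for n in nets)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation, as a router does it: return (action, seq) of the
    first ACE whose source AND destination both match. If nothing matches,
    the implicit deny at the end of every ACL applies (seq None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action, ace.seq
    return "deny", None


def snat(src: str, lb_vip: str) -> str:
    """Model the load balancer in the accepted answer: the server's own address is
    replaced by the virtual service IP before the packet reaches the SVI."""
    return lb_vip


def uncovered_sources(observed: List[str], group: List[ipaddress.IPv4Network]) -> List[str]:
    """Return observed source addresses that no entry in the object group covers.
    Running this over the sources actually seen entering the VLAN is the check
    that reveals a NAT'd address (the VIP) missing from the group."""
    return [s for s in observed if not _matches(ipaddress.ip_address(s), group)]


def demo() -> Tuple[Tuple[str, Optional[int]], Tuple[str, Optional[int]], List[str]]:
    lb_vip = "192.168.15.100"                        # constructed VIP, not from the thread
    target = "10.21.0.10"                             # constructed host on Vlan21
    direct = evaluate(BLOCK_IPS_ACL, "192.168.15.28", target)
    via_lb = evaluate(BLOCK_IPS_ACL, snat("192.168.15.28", lb_vip), target)
    # Constructed sample of source addresses seen on the VLAN side of the SVI.
    seen = ["192.168.15.28", "192.168.15.44", lb_vip]
    return direct, via_lb, uncovered_sources(seen, BLOCKED_IPS_OBJ_GROUP)


if __name__ == "__main__":
    direct, via_lb, missing = demo()
    print("direct from server :", direct)   # ('deny', 10)
    print("after LB source NAT:", via_lb)   # ('permit', 20)
    print("sources not in group:", missing) # ['192.168.15.100']
```

The model only looks at source and destination addresses, which is all the posted ACL matches on; port- or protocol-specific entries would need extra fields on `Ace`. The practical takeaway is the last function: whenever an ACL is meant to block by source, verify the group against the addresses the interface actually sees, since any NAT device in the path changes them.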

Hello,

glad that you got it resolved, it is easy to miss a piece of the puzzle sometimes...
