09-28-2012 10:49 AM - edited 03-07-2019 09:10 AM
I have:
- Catalyst 6500,
- 30 VLANs defined, but for our case important ones are VLAN 10 and VLAN 20,
- my IP address is 192.168.10.10, server is 192.168.20.20,
- extended ACL applied on VLAN 10 on IN direction: first entry is "permit ip host 192.168.10.10 192.168.20.0 0.0.0.255"
- extended ACL applied on VLAN 20 on OUT direction: first entry is "permit ip host 192.168.10.10 192.168.20.0 0.0.0.255", following entries are deny and the last is "permit ip any any"
- VLAN 10 and VLAN 20 are directly connected,
- I can connect to any machine in VLAN 20.
Problem:
- ACL on VLAN 20 on OUT direction: only the last entry "permit ip any any" gets hits/matches when I connect from 192.168.10.10 to 192.168.20.0/24
09-28-2012 02:56 PM
Please post your sh access-l
Sent from Cisco Technical Support iPhone App
09-29-2012 05:49 AM
core#show access-lists VLAN_10
Extended IP access list VLAN_10
10 permit ip host 192.168.10.10 any (42337 matches)
11 permit ip host 192.168.10.11 any (12309 matches)
12 permit ip host 192.168.10.22 any (3871 matches)
13 permit ip host 192.168.10.30 any (12 matches)
100 deny tcp any 192.168.20.0 0.0.0.255 eq 3389 (3 matches)
core#show access-lists VLAN_20
Extended IP access list VLAN_20
10 permit ip host 192.168.10.10 any
100 deny tcp any 192.168.20.0 0.0.0.255 eq 3389 (5 matches)
300 permit any any (17369 matches)
core#show running-config interface vlan 10
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group VLAN_10 in
end
core#show running-config interface vlan 20
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group VLAN_20 out
end
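To reason about which ACE a given flow should hit under top-down, first-match evaluation, here is a small Python simulator. It is an added example, not code from this thread or from Cisco; it encodes the VLAN_10 and VLAN_20 ACLs exactly as shown in the output above (the ACE list, wildcard masks and the implicit deny at the end are the only things it models; it does not model the platform's hardware forwarding path or how the 6500 accounts hit counters for hardware-switched traffic). The flow 192.168.10.10 -> 192.168.20.20 and the other sources used below are taken from the thread or constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Ace:
    """One access control entry in a Cisco-style extended IP ACL."""
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any IP protocol; else "tcp"/"udp"/"icmp"
    src: str                    # "any", "host A.B.C.D", or "A.B.C.D WILDCARD"
    dst: str
    dport: Optional[int] = None  # destination port from "eq N", if present


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against a Cisco address spec.

    Wildcard mask semantics: a 1 bit means 'don't care', so the bits we
    compare are the complement of the wildcard.
    """
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return ipaddress.IPv4Address(parts[1]) == ipaddress.IPv4Address(addr)
    net, wildcard = parts
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def _ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching ACE; (deny, None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _ace_matches(ace, proto, src, dst, dport):
            return ace.action, ace.seq
    return "deny", None


# The two ACLs from the 'show access-lists' output in the thread.
VLAN_10 = [  # applied inbound on interface Vlan10
    Ace(10, "permit", "ip", "host 192.168.10.10", "any"),
    Ace(11, "permit", "ip", "host 192.168.10.11", "any"),
    Ace(12, "permit", "ip", "host 192.168.10.22", "any"),
    Ace(13, "permit", "ip", "host 192.168.10.30", "any"),
    Ace(100, "deny", "tcp", "any", "192.168.20.0 0.0.0.255", 3389),
]
VLAN_20 = [  # applied outbound on interface Vlan20
    Ace(10, "permit", "ip", "host 192.168.10.10", "any"),
    Ace(100, "deny", "tcp", "any", "192.168.20.0 0.0.0.255", 3389),
    Ace(300, "permit", "ip", "any", "any"),   # "300 permit any any" in the thread
]
# Constructed variant: VLAN_20 with ACE 300 removed, as one reply suggests trying.
VLAN_20_NO_300 = [a for a in VLAN_20 if a.seq != 300]


def trace_flow(proto: str, src: str, dst: str, dport: Optional[int] = None, vlan20_acl=VLAN_20) -> dict:
    """Walk a VLAN 10 -> VLAN 20 flow through the inbound ACL, then the outbound ACL."""
    inbound = evaluate(VLAN_10, proto, src, dst, dport)
    if inbound[0] == "deny":
        return {"in": inbound, "out": None, "forwarded": False}
    outbound = evaluate(vlan20_acl, proto, src, dst, dport)
    return {"in": inbound, "out": outbound, "forwarded": outbound[0] == "permit"}


if __name__ == "__main__":
    for src, port in [("192.168.10.10", 3389), ("192.168.10.11", 3389),
                      ("192.168.10.11", 443), ("192.168.10.50", 443)]:
        print(src, port, trace_flow("tcp", src, "192.168.20.20", port))
        print(src, port, "without ACE 300:",
              trace_flow("tcp", src, "192.168.20.20", port, VLAN_20_NO_300))
```

Running it shows that every packet from 192.168.10.10 is selected by ACE 10 in both ACLs (so removing ACE 300 cannot affect that host, which agrees with the later observation in the thread), that RDP from 192.168.10.11 passes VLAN_10 at ACE 11 but is stopped by ACE 100 on VLAN_20, and that a source not listed in VLAN_10 falls through to the implicit deny. Whether the switch increments a counter for a hardware-switched packet is a separate question from which ACE the logic selects; the simulator answers only the second one.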
09-29-2012 08:15 AM
Hi,
As a rule of thumb, you would normally place an extended ACL near the source. Try inserting this ACE and see if there's any hit.
ip access-list extended VLAN_10
5 permit ip host 192.168.10.10 host 192.168.20.20 log
Sent from Cisco Technical Support iPad App
09-29-2012 06:08 AM
Hi Marian,
Try to delete the entry "300 permit any any" and check if you are still able to access VLAN 20 from VLAN 10!
Is the routing between the two VLANs done by the switch itself? Or is there an external default gateway?
Sent from Cisco Technical Support iPhone App
09-29-2012 11:18 AM
I deleted "300 permit any any" and am still able to access VLAN 20.
No external default gateway and no hits on ACL VLAN_20.
09-29-2012 06:10 AM
It seems that the source IP, when it reaches VLAN 20, is not 192.168.10.10.
Come back with answers to verify.
Sent from Cisco Technical Support iPhone App
09-29-2012 11:20 AM
Source IP is definitely 192.168.10.10, I've checked by adding "5 permit ip host 192.168.10.10 host 192.168.20.20" on VLAN 10.
Also Wireshark on 192.168.20.20 confirms that source IP is 192.168.10.10.
09-29-2012 12:57 PM
Do you have a pair of core switches or is it just one core switch?
If it is a pair, have you applied the same ACL to both VLAN 20 interfaces?
Jon
09-29-2012 10:28 PM
VSS via VSL.
09-29-2012 11:31 PM
Hello Marian,
Can you disable CEF on interface vlan 20 and see?
interface vlan 20
no ip route-cache cef
no ip route-cache
regards
Harish.
10-01-2012 01:23 AM
core(config-if)#no ip route-cache cef
%ip route-cache cef cannot be disabled on this platform
09-29-2012 11:57 AM
Try to delete all entries, leaving only "100 deny ....", to see if the traffic from VLAN 10 to 20 will be blocked.
I was googling and found this interesting doc about 6500 ACLs:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
Sent from Cisco Technical Support iPhone App