ACL with no hits

Marian Hercek
Level 1

I have:

- Catalyst 6500,

- 30 VLANs defined, but the important ones for this case are VLAN 10 and VLAN 20,

- my IP address is 192.168.10.10, server is 192.168.20.20,

- extended ACL applied on VLAN 10 in the IN direction: first entry is "permit ip host 192.168.10.10 192.168.20.0 0.0.0.255"

- extended ACL applied on VLAN 20 in the OUT direction: first entry is "permit ip host 192.168.10.10 192.168.20.0 0.0.0.255", the following entries are deny and the last is "permit ip any any"

- VLAN 10 and VLAN 20 are directly connected,

- I can connect to any machine in VLAN 20.

Problem:

- ACL on VLAN 20 in the OUT direction: only the last entry "permit ip any any" gets hits/matches when I connect from 192.168.10.10 to 192.168.20.0/24

12 Replies

Please post your show access-lists output.

core#show access-lists VLAN_10

Extended IP access list VLAN_10

10 permit ip host 192.168.10.10 any (42337 matches)

11 permit ip host 192.168.10.11 any (12309 matches)

12 permit ip host 192.168.10.22 any (3871 matches)

13 permit ip host 192.168.10.30 any (12 matches)

100 deny  tcp any 192.168.20.0 0.0.0.255 eq 3389 (3 matches)

core#show access-lists VLAN_20

Extended IP access list VLAN_20

10 permit ip host 192.168.10.10 any

100 deny  tcp any 192.168.20.0 0.0.0.255 eq 3389 (5 matches)

300 permit any any (17369 matches)

core#show running-config interface vlan 10

interface Vlan10

ip address 192.168.10.1 255.255.255.0

ip access-group VLAN_10 in

end

core#show running-config interface vlan 20

interface Vlan20

ip address 192.168.20.1 255.255.255.0

ip access-group VLAN_20 out

end
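To make the first-match logic behind the posted ACLs concrete, here is an added Python example (it is not from the thread and not a Cisco tool) that parses the two ACLs exactly as they appear in the show access-lists output above and traces a packet along the VLAN 10 inbound, VLAN 20 outbound path. The function names (forward, vlan20_counters, without) and the packet tuples are this example's own; the parser covers only the ACE forms seen in the output, treats the protocol-less "300 permit any any" as "permit ip any any", and models nothing about how the switch itself counts hardware-switched traffic.

```python
import ipaddress
from dataclasses import dataclass

# ACLs copied from the "show access-lists" output posted above, match counts
# stripped. "300 permit any any" is kept as posted; a missing protocol keyword
# is treated as "ip".
VLAN_10_IN = """
10 permit ip host 192.168.10.10 any
11 permit ip host 192.168.10.11 any
12 permit ip host 192.168.10.22 any
13 permit ip host 192.168.10.30 any
100 deny tcp any 192.168.20.0 0.0.0.255 eq 3389
"""
VLAN_20_OUT = """
10 permit ip host 192.168.10.10 any
100 deny tcp any 192.168.20.0 0.0.0.255 eq 3389
300 permit any any
"""

@dataclass
class Ace:
    seq: int
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every IP protocol
    src: tuple      # (network, wildcard) as 32-bit ints
    dst: tuple
    dport: object   # int or None
    hits: int = 0

    def matches(self, pkt):
        """pkt = (src_ip, dst_ip, protocol, dst_port); hypothetical packet shape."""
        if self.proto != "ip" and self.proto != pkt[2]:
            return False
        if self.dport is not None and self.dport != pkt[3]:
            return False
        return _in_range(pkt[0], self.src) and _in_range(pkt[1], self.dst)

def _in_range(ip, spec):
    net, wc = spec
    # Cisco wildcard: 1 bits are "don't care", so only the 0 bits are compared.
    return (int(ipaddress.IPv4Address(ip)) & ~wc) == (net & ~wc)

def _addr(tokens):
    """Consume one of: any | host A.B.C.D | A.B.C.D W.W.W.W (wildcard mask)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        seq, action, rest = int(toks[0]), toks[1], toks[2:]
        proto = rest.pop(0) if rest[0] in ("ip", "tcp", "udp", "icmp") else "ip"
        src, dst = _addr(rest), _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(acl, pkt):
    """First matching ACE wins and takes the hit; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            ace.hits += 1
            return ace.action, ace.seq
    return "deny", None

def without(text, seq):
    """ACL text with ACE <seq> removed (the 'delete 300 permit any any' test)."""
    return "\n".join(l for l in text.strip().splitlines() if int(l.split()[0]) != seq)

def forward(pkt, vlan20_text=VLAN_20_OUT):
    """Trace one packet along the path: VLAN 10 ACL in, then VLAN 20 ACL out."""
    verdict_in = evaluate(parse_acl(VLAN_10_IN), pkt)
    if verdict_in[0] != "permit":
        return {"vlan10_in": verdict_in, "vlan20_out": None}
    return {"vlan10_in": verdict_in, "vlan20_out": evaluate(parse_acl(vlan20_text), pkt)}

def vlan20_counters(packets, vlan20_text=VLAN_20_OUT):
    """Per-ACE match counts on VLAN_20 that first-match evaluation would show."""
    acl_in, acl_out = parse_acl(VLAN_10_IN), parse_acl(vlan20_text)
    for pkt in packets:
        if evaluate(acl_in, pkt)[0] == "permit":
            evaluate(acl_out, pkt)
    return {a.seq: a.hits for a in acl_out}

if __name__ == "__main__":
    rdp = ("192.168.10.10", "192.168.20.20", "tcp", 3389)
    print(forward(rdp))                              # ACE 10 on both ACLs
    print(forward(rdp, without(VLAN_20_OUT, 300)))   # still permitted by ACE 10
    print(vlan20_counters([rdp] * 5))                # {10: 5, 100: 0, 300: 0}
```

Under first-match evaluation a packet sourced from 192.168.10.10 is always consumed by ACE 10 of VLAN_20 and never reaches ACE 300, and removing ACE 300 does not change its verdict, which is consistent with the host still having access after that entry was deleted. A host the VLAN_10 inbound ACL lets through but VLAN_20 ACE 10 does not name (192.168.10.11, for instance) is what would land on ACE 300, and with 300 gone it hits the implicit deny. What the example cannot show is why the switch's own counters disagree with this trace; that is the platform question the rest of the thread chases.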

Hi,

As a rule of thumb, you would normally place an extended ACL near the source. Try inserting this ACE and see if there's any hit.

ip access-list extended VLAN_10

5 permit ip host 192.168.10.10 host 192.168.20.20 log


Hi Marian,

Try deleting the entry "300 permit any any" and check whether you are still able to access VLAN 20 from VLAN 10.

Is routing between the two VLANs done by the switch itself, or is there an external default gateway?

I deleted "300 permit any any" and am still able to access VLAN 20.

No external default gateway and no hits on ACL VLAN_20.

It seems that the source IP, when it reaches VLAN 20, is not 192.168.10.10.

Come back with answers so we can verify.

Source IP is definitely 192.168.10.10, I've checked by adding "5 permit ip host 192.168.10.10 host 192.168.20.20" on VLAN 10.

Also Wireshark on 192.168.20.20 confirms that source IP is 192.168.10.10.

Do you have a pair of core switches or is it just one core switch ?

If it is a pair have you applied the same acl to both vlan 20 interfaces ?

Jon

VSS via VSL.

Hello Marian,

Can you disable CEF on interface  vlan 20 and see?

interface vlan 20

no ip route-cache cef

no ip route-cache

regards

Harish.

core(config-if)#no ip route-cache cef

%ip route-cache cef cannot be disabled on this platform

Try deleting all entries, leaving only "100 deny ....", to see whether the traffic from VLAN 10 to 20 is blocked.

While googling I found this interesting doc about 6500 ACLs:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml
