cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1719
Views
5
Helpful
19
Replies

ACLs on CAT6500

cisco_lite
Level 1
Level 1

I am getting strange results while applying ACLs on the Cat6500 Vlans. I am not able to understand the usage and difference between IN/OUT and whether it is used in the same manner.

Is Cat6500 ACL similar to Router IOS ACLs or do they work differently.

A brief example of ACL (in/out) across SVI's will be helpful.

Please assist.

Thanks.

1 Accepted Solution

Accepted Solutions

Hello Cisco_Lite,

your ACL is just permitting http traffic from host 10.5.5.10 to 192.168.1.10 on tcp port 80 (server side is on 192.168.1.10)

There is an implicit deny ip any any so you apply the ACL you then cannot ping or telnet to an host in vlan10.

to do that you need to add

permit tcp 10.5.5.0 0.0.0.255 eq 23 any

! telnet side on host )

permit icmp 10.5.5.0 0.0.0.255 any

if you add these two lines you should be able to ping and to telnet to every host in vlan10.

in addition only host 10.5.5.10 can access a web page and only on host 192.168.1.10

in: means traffic entering on the SVI from the user side so traffic received.

at layer3 nothing change from a normal routed port on a router.

Hope to help

Giuseppe

View solution in original post

19 Replies 19

glen.grant
VIP Alumni
VIP Alumni

Its the same as any other interface , out means towards the user subnet , in means coming into the 6500 from the users .

adamclarkuk_2
Level 4
Level 4

Hi

This used to confuse me as well. But SVI's are no different from normal interfaces.

Take SVI 10 as an example

interface Vlan10

ip address 10.0.0.1 255.255.255.0

ip access-group vlantest in

ip access-list extended vlantest

permit icmp 10.0.0.0 0.0.0.255 any

You can see that this ACL has been applied inbound and when I ping from host 10.0.0.2 to any other IP address (172.16.0.1 in this case ) you will see the hit count going up as below :-

R0#sh ip access-lists

Extended IP access list vlantest

10 permit icmp 10.0.0.0 0.0.0.255 any (15 matches)

Hope that helps

I am still finding it difficult to grasp

interface Vlan10

ip address 10.5.5.2 255.255.255.0

ip access-group VLAN10ACL in

Extended IP access list VLA10ACL

1 permit tcp 10.5.5.10 host 192.168.1.10 eq www

Now when I ping/telnet from outside to a host in VLAN10, it fails. But when I remove 'ip access-group VLAN10ACL' from the interface or put in 'permit ip any any', it works.

Isn't my ping/telnet an 'OUT' traffic, i.e. going to the VLAN10 subnet rather than 'IN'

What is the reason ?

Scratching my head ...

Are there any ACL bugs in Cat6500.

The CAT6500 version is

Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Thu 24-Jul-08 19:18 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

Hi Cisco_lite

If you have a CCO login, you can check the bug track under the support section to see if that version of IOS has any issues.

You are right it is going out bound, but must go into the SVI first right.

An SVI is just a virtual interface that you are sending the icmp echo request into first to be processed. The icmp echo reply is sent back 'out' to your host.

echo request

host (out)---> (in)VLAN10 -Routing process---> Fe1/0 (out)---> (in) end host

echo reply

end host (out)---> (in)Fe1/0 -Routing process--> VLAN10 (out)---> (in)host

Any clearer ?????

Do you mean that even though the traffic (ping) is initiated from one end only, the ACL will be applied in both directions as in your example.

So, with my configuration, the ACL is checked twice i.e.

echo request (in) VLAN10 &

echo reply (out) VLAN10

Exactly.

If you want to see this in action, add a deny log entry to the end of the acl's applied in both directions, then check your logging with the show log command( as long as you have logging enabled that is ), debug ip packet with the same acl's will also be useful ( unless your using cef switching then your debug will show nothing unless the traffic is sourced or destinted for that router or your have cef disabled for that incoming interface ).

So in your example shouldn't it be

echo reply

end host (IN)---> (in)Fe1/0 -Routing process--> VLAN10 (out)---> (OUT)host

Please note the difference in end hosts.

If I were to allow or block port 80 from outside, what would be my ACLs look like

(i.e. both IN/OUT)

Lastly, if I define IN ACL do I also have to define OUT ACL to avoid default deny ip any any due to presence of IN ACL (which is what I am experiencing). Meaning, would I always have to define IN/OUT to apply policies.

I have observed that if I were to open a port on IN then the same has to be opened on the OUT but on the source port. And if I were to open a port on OUT then the same has to be opened on the IN on the source port.

Please advise.

Thanks

Hi cisco_lite

Can you dump your config for me to look at ?

Hello Cisco_Lite,

your ACL is just permitting http traffic from host 10.5.5.10 to 192.168.1.10 on tcp port 80 (server side is on 192.168.1.10)

There is an implicit deny ip any any so you apply the ACL you then cannot ping or telnet to an host in vlan10.

to do that you need to add

permit tcp 10.5.5.0 0.0.0.255 eq 23 any

! telnet side on host )

permit icmp 10.5.5.0 0.0.0.255 any

if you add these two lines you should be able to ping and to telnet to every host in vlan10.

in addition only host 10.5.5.10 can access a web page and only on host 192.168.1.10

in: means traffic entering on the SVI from the user side so traffic received.

at layer3 nothing change from a normal routed port on a router.

Hope to help

Giuseppe

I have applied the access-list to SVI and the applications are now working. However, I can see some denied packets in the log. I have configured GLBP on the SVI's. Please advise what are these packets on UDP port 137,138,1985, 68, 67 etc.

Feb 27 16:34:29.890 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(42) -> 224.0.1.24(42), 1 packet

Feb 27 16:43:12.094 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.11(138) -> 192.168.10.255(138), 1 packet

Feb 27 16:44:12.122 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(138) -> 192.168.10.255(138), 1 packet

Feb 27 16:44:12.122 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.13(138) -> 192.168.10.255(138), 1 packet

Feb 27 16:45:12.150 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:46:12.179 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.12(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:46:12.179 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.14(137) -> 192.168.10.255(137), 1 packet

Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.3(1985) -> 224.0.0.2(1985), 122 packets

Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 19 packets

Feb 27 16:49:01.700 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(68) -> 255.255.255.255(67), 1 packet

Feb 27 16:49:12.264 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.13(138) -> 192.168.10.255(138), 1 packet

137,138 are Windows filesharing ports

1985 is Hsrp from recollection

67 & 68 are DHCP/BOOTP

Jon

Thanks.

My concern is 1985. I have only configured GLBP. Would blocking 1985 cause any problems.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: