02-07-2009 02:40 PM - edited 03-06-2019 03:55 AM
I am getting strange results while applying ACLs on the Cat6500 VLANs. I am not able to understand the usage and difference between IN/OUT and whether they are used in the same manner.
Is a Cat6500 ACL similar to router IOS ACLs, or do they work differently?
A brief example of ACLs (in/out) across SVIs would be helpful.
Please assist.
Thanks.
02-09-2009 03:18 AM
Hello Cisco_Lite,
Your ACL is just permitting HTTP traffic from host 10.5.5.10 to 192.168.1.10 on TCP port 80 (the server side is 192.168.1.10).
There is an implicit deny ip any any, so once you apply the ACL you cannot ping or telnet to a host in vlan10.
To do that you need to add
permit tcp 10.5.5.0 0.0.0.255 eq 23 any
! telnet side on host
permit icmp 10.5.5.0 0.0.0.255 any
If you add these two lines you should be able to ping and telnet to every host in vlan10.
In addition, only host 10.5.5.10 can access a web page, and only on host 192.168.1.10.
in: means traffic entering the SVI from the user side, i.e. traffic received.
At layer 3 nothing changes from a normal routed port on a router.
Hope to help
Giuseppe
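As an added illustration (not from the thread) of why an inbound ACL on the SVI breaks a ping started from outside: a small Python model of an IOS extended ACL evaluated per direction on an SVI, using the VLAN10ACL posted in the question and the two extra lines from this answer. The packet dictionaries and the hypothetical outside host 192.168.1.10 pinging 10.5.5.10 are constructed for the example.

```python
from ipaddress import IPv4Address

def spec(text):
    """Parse an IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    parts = text.split()
    if parts == ["any"]:
        return lambda addr: True
    if parts[0] == "host":
        fixed = int(IPv4Address(parts[1]))
        return lambda addr: int(IPv4Address(addr)) == fixed
    base, wild = int(IPv4Address(parts[0])), int(IPv4Address(parts[1]))
    return lambda addr: (int(IPv4Address(addr)) & ~wild) == (base & ~wild)

def ace(action, proto, src, dst, sport=None, dport=None):
    """One access-control entry; a port of None means 'any port'."""
    src_ok, dst_ok = spec(src), spec(dst)
    def match(pkt):
        return ((proto == "ip" or pkt["proto"] == proto)
                and src_ok(pkt["src"]) and dst_ok(pkt["dst"])
                and (sport is None or pkt.get("sport") == sport)
                and (dport is None or pkt.get("dport") == dport))
    return action, match

def evaluate(acl, pkt):
    """First match wins; None = no ACL applied (permit); an applied ACL ends in the implicit deny."""
    if acl is None:
        return "permit"
    for action, match in acl:
        if match(pkt):
            return action
    return "deny"

def svi_filter(pkt, vlan_spec, acl_in=None, acl_out=None):
    """'in' = sourced inside the VLAN and entering the SVI; 'out' = leaving the SVI toward the VLAN."""
    direction = "in" if spec(vlan_spec)(pkt["src"]) else "out"
    return direction, evaluate(acl_in if direction == "in" else acl_out, pkt)

def ping_result(acl_in):
    """Echo request from outside host 192.168.1.10 to 10.5.5.10 and the reply back (constructed)."""
    request = {"proto": "icmp", "src": "192.168.1.10", "dst": "10.5.5.10"}
    reply = {"proto": "icmp", "src": "10.5.5.10", "dst": "192.168.1.10"}
    vlan10 = "10.5.5.0 0.0.0.255"
    return svi_filter(request, vlan10, acl_in), svi_filter(reply, vlan10, acl_in)

# The asker's VLAN10ACL: web traffic from 10.5.5.10 to the server only.
VLAN10ACL = [ace("permit", "tcp", "host 10.5.5.10", "host 192.168.1.10", dport=80)]
# Giuseppe's two extra lines: telnet replies (source port 23) and ICMP from vlan10 hosts.
FIXED = VLAN10ACL + [ace("permit", "tcp", "10.5.5.0 0.0.0.255", "any", sport=23),
                     ace("permit", "icmp", "10.5.5.0 0.0.0.255", "any")]
```

The echo request leaves the SVI outbound, where nothing is applied, but the echo reply enters the SVI inbound from vlan10 and hits the implicit deny unless ICMP is permitted.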
02-07-2009 03:50 PM
It's the same as any other interface: out means towards the user subnet, in means coming into the 6500 from the users.
02-08-2009 02:43 AM
Hi
This used to confuse me as well. But SVIs are no different from normal interfaces.
Take SVI 10 as an example
interface Vlan10
ip address 10.0.0.1 255.255.255.0
ip access-group vlantest in
ip access-list extended vlantest
permit icmp 10.0.0.0 0.0.0.255 any
You can see that this ACL has been applied inbound, and when I ping from host 10.0.0.2 to any other IP address (172.16.0.1 in this case) you will see the hit count going up as below:
R0#sh ip access-lists
Extended IP access list vlantest
10 permit icmp 10.0.0.0 0.0.0.255 any (15 matches)
Hope that helps
02-08-2009 10:31 AM
I am still finding it difficult to grasp
interface Vlan10
ip address 10.5.5.2 255.255.255.0
ip access-group VLAN10ACL in
Extended IP access list VLAN10ACL
1 permit tcp 10.5.5.10 host 192.168.1.10 eq www
Now when I ping/telnet from outside to a host in VLAN10, it fails. But when I remove 'ip access-group VLAN10ACL' from the interface or put in 'permit ip any any', it works.
Isn't my ping/telnet 'OUT' traffic, i.e. going to the VLAN10 subnet, rather than 'IN'?
What is the reason?
Scratching my head ...
02-08-2009 10:48 AM
Are there any ACL bugs in the Cat6500?
The CAT6500 version is
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 24-Jul-08 19:18 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
02-08-2009 11:24 AM
Hi Cisco_lite
If you have a CCO login, you can check the bug track under the support section to see if that version of IOS has any issues.
02-08-2009 11:15 AM
You are right, it is going outbound, but it must go into the SVI first, right?
An SVI is just a virtual interface that you are sending the icmp echo request into first to be processed. The icmp echo reply is sent back 'out' to your host.
echo request
host (out)---> (in)VLAN10 -Routing process---> Fe1/0 (out)---> (in) end host
echo reply
end host (out)---> (in)Fe1/0 -Routing process--> VLAN10 (out)---> (in)host
Any clearer?
02-08-2009 11:54 AM
Do you mean that even though the traffic (ping) is initiated from one end only, the ACL will be applied in both directions as in your example?
So, with my configuration, the ACL is checked twice i.e.
echo request (in) VLAN10 &
echo reply (out) VLAN10
02-08-2009 11:57 AM
Exactly.
If you want to see this in action, add a deny log entry to the end of the ACLs applied in both directions, then check your logging with the show log command (as long as you have logging enabled, that is). debug ip packet with the same ACLs will also be useful (unless you're using CEF switching, in which case your debug will show nothing unless the traffic is sourced from or destined for that router, or you have CEF disabled for that incoming interface).
02-08-2009 04:08 PM
So in your example, shouldn't it be
echo reply
end host (IN)---> (in)Fe1/0 -Routing process--> VLAN10 (out)---> (OUT)host
Please note the difference in end hosts.
If I were to allow or block port 80 from outside, what would my ACLs look like
(i.e. both IN/OUT)?
Lastly, if I define an IN ACL, do I also have to define an OUT ACL to avoid the default deny ip any any due to the presence of the IN ACL (which is what I am experiencing)? Meaning, would I always have to define IN/OUT to apply policies?
I have observed that if I open a port on IN then the same has to be opened on OUT, but on the source port. And if I open a port on OUT then the same has to be opened on IN, on the source port.
Please advise.
Thanks
02-09-2009 01:19 AM
Hi cisco_lite
Can you dump your config for me to look at?
02-27-2009 04:58 AM
I have applied the access-list to the SVI and the applications are now working. However, I can see some denied packets in the log. I have configured GLBP on the SVIs. Please advise what these packets on UDP ports 137, 138, 1985, 68, 67 etc. are.
Feb 27 16:34:29.890 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(42) -> 224.0.1.24(42), 1 packet
Feb 27 16:43:12.094 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.11(138) -> 192.168.10.255(138), 1 packet
Feb 27 16:44:12.122 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(138) -> 192.168.10.255(138), 1 packet
Feb 27 16:44:12.122 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.13(138) -> 192.168.10.255(138), 1 packet
Feb 27 16:45:12.150 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(137) -> 192.168.10.255(137), 1 packet
Feb 27 16:46:12.179 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.12(137) -> 192.168.10.255(137), 1 packet
Feb 27 16:46:12.179 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(137) -> 192.168.10.255(137), 1 packet
Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.14(137) -> 192.168.10.255(137), 1 packet
Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.3(1985) -> 224.0.0.2(1985), 122 packets
Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 19 packets
Feb 27 16:49:01.700 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(68) -> 255.255.255.255(67), 1 packet
Feb 27 16:49:12.264 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.13(138) -> 192.168.10.255(138), 1 packet
02-27-2009 05:04 AM
137 and 138 are Windows file sharing ports.
1985 is HSRP, from recollection.
67 & 68 are DHCP/BOOTP.
Jon
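An added example (not part of the thread) that parses the %SEC-6-IPACCESSLOGP lines posted above and totals the denied packets per destination port, labelling the ports as Jon's reply does. The port labels are taken from that reply; any other port is marked unlisted, and the sample input is a subset of the log lines copied from the post.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Field layout of the %SEC-6-IPACCESSLOGP message as it appears in the thread.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")

# Port meanings as given in Jon's reply; anything else is reported as "unlisted".
PORT_LABELS = {137: "NetBIOS name service (file sharing)", 138: "NetBIOS datagram (file sharing)",
               1985: "HSRP hello", 67: "DHCP/BOOTP server port", 68: "DHCP/BOOTP client port"}

def parse_line(line):
    """Return the fields of one IPACCESSLOGP line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def dst_kind(dst):
    """Classify the destination address of a logged packet."""
    addr = IPv4Address(dst)
    if addr == IPv4Address("255.255.255.255"):
        return "limited broadcast"
    return "multicast" if addr.is_multicast else "unicast or directed broadcast"

def summarize(lines):
    """Aggregate denied packets per (proto, dport): packet total, sources, destination kinds, label."""
    out = defaultdict(lambda: {"packets": 0, "sources": set(), "dst_kinds": set(), "label": ""})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        entry = out[(rec["proto"], rec["dport"])]
        entry["packets"] += rec["count"]
        entry["sources"].add(rec["src"])
        entry["dst_kinds"].add(dst_kind(rec["dst"]))
        entry["label"] = PORT_LABELS.get(rec["dport"], "unlisted")
    return dict(out)

# Five of the log lines posted above, copied from the thread as sample input.
SAMPLE = [
    "Feb 27 16:34:29.890 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.31(42) -> 224.0.1.24(42), 1 packet",
    "Feb 27 16:45:12.150 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(137) -> 192.168.10.255(137), 1 packet",
    "Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.3(1985) -> 224.0.0.2(1985), 122 packets",
    "Feb 27 16:47:12.207 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 19 packets",
    "Feb 27 16:49:01.700 GST: %SEC-6-IPACCESSLOGP: list SVI_ACL denied udp 192.168.10.32(68) -> 255.255.255.255(67), 1 packet",
]
```

Running summarize(SAMPLE) shows the 1985 hits are a single source sending to the 224.0.0.2 multicast group, which is the pattern to check against the router redundancy protocol actually configured on the SVI.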
02-27-2009 08:44 AM
Thanks.
My concern is 1985. I have only configured GLBP. Would blocking 1985 cause any problems?