Catalyst 2960 switch ACL list on port is not working properly

Kelvin00846
Level 1

My purpose and therefore configuration are very simple, but somehow it does not work.

 

Purpose: create ACL in 2960 to deny all traffic coming from 192.168.2.60 to 192.168.1.50 via the port GigabitEthernet1/0/10. It permits all other types of traffic.

 

access-list 105 deny ip host 192.168.2.60 host 192.168.1.50
access-list 105 permit ip any any

 

interface GigabitEthernet1/0/10
 ! the port GigabitEthernet1/0/10 belongs to vlan 6
 switchport access vlan 6
 ip access-group 105 in

 

Result: The traffic coming from 192.168.2.60 can still reach 192.168.1.50 via the port GigabitEthernet1/0/10. How come???

 

 


5 Replies

Peter Paluch
Cisco Employee

Kelvin,

That's strange - certainly, the configuration itself appears to be completely okay.

Pardon me if this question appears stupid, but is the 192.168.2.60 truly connected to Gi1/0/10? I'm wondering if Gi1/0/10 is perhaps connected to 192.168.1.50 instead because in that case, the ACL would indeed be ineffective (since the inbound traffic into Gi1/0/10 in that case would have the source and destination IP addresses swapped).

Is this a production switch or a lab setup? What is the exact IOS version running on it?

Best regards,
Peter

 

Hi Peter,

Thanks for your advice. Your question really helped sort things out!

 

Here is the physical connection:

192.168.1.50 connected directly to Cisco 2960 GigabitEthernet1/0/10 --> Cisco Core Switch 3850 -->192.168.2.60

 

My purpose and configuration:

Create ACL in 2960 to deny all traffic coming from 192.168.2.60 to 192.168.1.50 via the port GigabitEthernet1/0/10. It permits all other types of traffic.

 

access-list 105 deny ip host 192.168.2.60 host 192.168.1.50
access-list 105 permit ip any any

 

Expected result:

I thought it was correct to use access-list 105 deny ip host <source IP which is 192.168.2.60> host <destination IP 192.168.1.50>. Wasn't it? The remote device 192.168.2.60 is regarded as the source device/IP, and the directly connected device 192.168.1.50 is the destination device/IP.

 

New configuration:

access-list 105 deny ip host 192.168.2.60 host 192.168.1.50

access-list 105 deny ip host 192.168.1.50 host 192.168.2.60
access-list 105 permit ip any any

 

Result: The traffic coming from 192.168.2.60 cannot reach 192.168.1.50 via the port GigabitEthernet1/0/10. The result is what we wanted.

Hi Kelvin,

Keep in mind that the ACL you placed on Gi1/0/10 is looking at the traffic in the inbound direction - from the viewpoint of the port itself. Traffic that comes into Gi1/0/10 is originated by the device connected to Gi1/0/10 which is 192.168.1.50. If you want to block the conversation between 192.168.1.50 and 192.168.2.60, you need to match the source and destination IP addresses for this conversation as they appear in the inbound direction into Gi1/0/10: the source IP being 192.168.1.50, the destination IP being 192.168.2.60.

Your original ACL would work if you applied it in the outbound direction. However, for switchports on Catalyst switches, ACLs can only be applied in the inbound direction; outbound ACLs on switchports are not supported.

Would this explain the behavior? Please feel welcome to ask further!

Best regards,
Peter
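To make the inbound-viewpoint rule concrete, here is an added example (not from the thread or from Cisco) that evaluates both versions of access-list 105 against a packet entering Gi1/0/10 the way the switch sees it: because only 192.168.1.50 is attached to that port, every inbound packet carries 192.168.1.50 as its source. The parser only covers the two ACE forms used in this thread (host/any, ip protocol); that restriction is an assumption of the example.

```python
import ipaddress
import re

# Constructed example: minimal evaluator for the numbered extended ACL syntax
# used in the thread ("permit/deny ip <host A|any> <host B|any>"). Real IOS
# supports many more keywords; this covers only what the posts use.
ACL_RE = re.compile(
    r"access-list (\d+) (permit|deny) ip (host \S+|any) (host \S+|any)$"
)

def _matcher(token):
    """Build a predicate for a 'host X' or 'any' address token."""
    if token == "any":
        return lambda ip: True
    host = ipaddress.ip_address(token.split()[1])
    return lambda ip: ip == host

def parse_acl(text):
    """Return (acl_number, [(action, src_pred, dst_pred), ...]) in ACE order."""
    rules, number = [], None
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        number = m.group(1)
        rules.append((m.group(2), _matcher(m.group(3)), _matcher(m.group(4))))
    return number, rules

def evaluate(rules, src, dst):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_ok, dst_ok in rules:
        if src_ok(src) and dst_ok(dst):
            return action
    return "deny"

def inbound_verdict(acl_text, attached_host, remote_host):
    """Verdict for a packet entering the port from the attached host.
    'ip access-group ... in' is evaluated from the port's viewpoint, so the
    attached host is always the source of inbound traffic."""
    _, rules = parse_acl(acl_text)
    return evaluate(rules, attached_host, remote_host)

ORIGINAL_ACL = """
access-list 105 deny ip host 192.168.2.60 host 192.168.1.50
access-list 105 permit ip any any
"""
CORRECTED_ACL = """
access-list 105 deny ip host 192.168.2.60 host 192.168.1.50
access-list 105 deny ip host 192.168.1.50 host 192.168.2.60
access-list 105 permit ip any any
"""

if __name__ == "__main__":
    print(inbound_verdict(ORIGINAL_ACL, "192.168.1.50", "192.168.2.60"))   # permit
    print(inbound_verdict(CORRECTED_ACL, "192.168.1.50", "192.168.2.60"))  # deny
```

The first ACE of the original list can never match on Gi1/0/10, because no inbound packet there has 192.168.2.60 as its source; the added ACE in the corrected list is the one that actually blocks the conversation.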

 

Thanks Peter,

For me it is easier to understand that my original ACL would work if it was applied in the outbound direction.

Kelvin,

That is okay. Aligning ACLs, the source and destination addresses, and the direction of traffic flows is not always intuitive. It requires some getting used to. You are getting there. Either way, I am glad you could get it working!

Best regards,
Peter
