1827 Views · 5 Helpful · 19 Replies

Catalyst 2960S ACL issue

lorenzobexer (Level 1)

Hi,

I have some problems using an ACL and copying a backup from the switch to an SCP server.

Firmware version is 15.0(2)SE2, but I have seen the same behaviour on 12.0.

This is the configuration of the access lists and the vty lines:

Standard IP access list ACL_VTY_IN
    5 permit 192.168.0.123 (4 matches)
    40 deny   any log
Standard IP access list ACL_VTY_OUT
    10 permit 192.168.0.123
    20 deny   any log

line vty 0 4
 access-class ACL_VTY_IN in
 access-class ACL_VTY_OUT out
 exec-timeout 15 0
 logging synchronous
 login authentication xxxxxxxx
 length 0
 transport input ssh
 transport output ssh

Now, when logging into the switch with SSH and trying to back up the configuration (copy running-config scp://user:pw@192.168.0.123/somefile), it seems that the INBOUND ACL is used, as its match counter is increasing.

How can this behaviour be explained? I assumed the OUT ACL would be used for outgoing connections?

Regards,

Johannes

19 Replies

I think it gets complex and gets subtle. It seems that we have quite different behaviors inbound and outbound. It becomes pretty clear that the access-class in ACL does need to permit the traffic since Johannes tells us that scp does not work if he removes that line from the ACL. And it does seem logical that if the router sees incoming traffic on TCP port 22 that it would evaluate that traffic with the access-class ACL.

The behavior outbound is different. Johannes tells us that scp works but that the line in the ACL outbound does not increment. That indicates that the router is not using the ACL to evaluate that traffic. Then the question becomes whether it is not incrementing because the router does not check traffic that originates from the router or is not incrementing because the router recognizes that it is not traffic originating from vty and therefore does not need to be checked.

It would not be difficult to set up a test of this. Perhaps Johannes can do this or perhaps you can do this. Use a router or switch. Do SSH to some other host (just to demonstrate that SSH does work). Then configure a standard ACL and do not have a permit for that host. Then configure under the vty access-class out. Then try the SSH to that host again. I predict that this time it will fail. Then add a statement to the ACL that does permit this host. Then I predict that SSH will work.

HTH

Rick

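A Python model of the evaluation Rick's test exercises (an added example, not code from the thread or from Cisco): it parses the `show access-lists` output quoted in the question, applies standard-ACL first-match semantics with the "(N matches)" counters, and applies an `access-class ... in` ACL to the source of a session to the vty and an `access-class ... out` ACL to the destination of a connection started from the vty exec, the `ssh` case Rick describes. It handles only host/any entries as in the question and does not model `copy ... scp://` traffic, whose handling is what the thread is trying to establish; the switch address 192.168.0.1 and the other test addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the `show access-lists` output quoted in the question.
SHOW_ACCESS_LISTS = """\
Standard IP access list ACL_VTY_IN
    5 permit 192.168.0.123 (4 matches)
    40 deny   any log
Standard IP access list ACL_VTY_OUT
    10 permit 192.168.0.123
    20 deny   any log
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(.*))?$")


class StandardAcl:
    """Standard IP ACL: ACEs in sequence order, first match wins, implicit deny."""

    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, seq, action, target, rest=""):
        net = ipaddress.IPv4Network("0.0.0.0/0" if target == "any" else target)
        hits = int(rest.strip("()").split()[0]) if rest.startswith("(") else 0
        self.aces.append({"seq": seq, "action": action, "net": net,
                          "log": "log" in rest.split(), "matches": hits})
        self.aces.sort(key=lambda a: a["seq"])

    def evaluate(self, addr):
        for ace in self.aces:
            if ipaddress.IPv4Address(addr) in ace["net"]:
                ace["matches"] += 1          # shown as "(N matches)" on the switch
                return ace["action"] == "permit"
        return False                         # implicit deny any; nothing counted


def parse_show_access_lists(text):
    """Parse standard ACLs (host / any entries only) from `show access-lists`."""
    acls, current = {}, None
    for line in text.splitlines():
        if line.startswith("Standard IP access list "):
            current = acls[line.split()[-1]] = StandardAcl(line.split()[-1])
        elif (m := ACE_RE.match(line)) and current:
            seq, action, target, rest = m.groups()
            current.add(int(seq), action, target, rest or "")
    return acls


def access_class_permits(acl, direction, src_ip, dst_ip):
    """`in`: check the session SOURCE; `out`: check the DESTINATION of a
    connection started from the vty exec (the ssh case in Rick's test)."""
    return acl.evaluate(src_ip if direction == "in" else dst_ip)
```

Running Rick's test against this model with a host missing from the out ACL hits the `deny any log` entry and increments its counter, which is the observable he proposes checking.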

lorenzobexer (Level 1)