Cisco ACL not working

Ux_UAFT
Level 1

Have a core 9410 with an edge 3850.  Have vlan12 as a DMZ on the edge as 10.12.0.0/29 with vlan12 interface on the core as 10.12.0.1 and the vlan 12 int on the 3850 is 10.12.0.2.  

Want to block off production networks 192.168.100.0/24, 192.168.110.0/24, 192.168.111.0/24, 192.168.123.0/24 as well as 10.10.0.0/16.  I put in:

ip access-list extended DMZ12
deny ip 192.168.100.0 0.0.0.255 any
deny ip any 192.168.100.0 0.0.0.255
deny ip 192.168.110.0 0.0.0.255 any
deny ip any 192.168.110.0 0.0.0.255
deny ip 192.168.111.0 0.0.0.255 any
deny ip any 192.168.111.0 0.0.0.255
deny ip 192.168.123.0 0.0.0.255 any
deny ip any 192.168.123.0 0.0.0.255
permit icmp host 10.10.3.18 any
permit icmp host 10.101.0.6 0.0.0.7 host
deny ip 10.10.0.0 0.0.255.255 any
deny ip any 10.10.0.0 0.0.255.255
permit udp any host 8.8.8.8 eq 53
permit udp any host 8.8.4.4 eq 53
permit tcp any host 8.8.8.8 eq 53
permit tcp any host 8.8.4.4 eq 53
permit tcp any host 1.2.3.4 eq 443
permit tcp any host 2.3.4.5 eq 443
deny ip any any

I'm trying to ping from 10.10.3.18 but see a block incrementing on the deny ip any 10.10.0.0 0.0.255.255

7 Replies

Sorry, can you elaborate more?

MHM

permit icmp host 10.10.3.18 any

Then 

deny ip any 10.10.0.0 0.0.255.255

So 10.10.3.18 is permitted. What makes this ACL not work is the VLAN SVI subnet you apply the ACL under.

What is the subnet, and what is the direction of the ACL?

MHM

10.10.3.18 is in 10.10.3.0/24 with gateway 10.10.3.1 on VLAN 3.   There is an out of band management subnet 192.168.100.1/24 on the core router (edge 3850 is 192.168.100.2). 

I applied ACL to interface vlan 12 on 9410 (had no effect on vlan 12 interface on edge 3850). 

interface Vlan12
ip address 10.12.0.1 255.255.255.248
ip access-group DMZ12 in

Applying it on VLAN 12 (10.12.0.0) for traffic IN from host 10.10.3.x will not work.

You must know the VLAN ACL direction:

IN will filter traffic from the subnet of the same VLAN.

OUT will filter traffic from the subnet of a different VLAN.

Except in the case where you use VLAN 12 as transit between two switches.

MHM

@Ux_UAFT 

What you are seeing makes sense.

deny ip any 10.10.0.0 0.0.255.255

This line will deny any traffic that comes from 10.10.x.x, which includes 10.10.3.18.

That makes sense.  I was under the impression ACLs were read top to bottom.  How can I put a general block in place and then poke a hole for it?

ACLs are read from the top to the bottom. But you are missing the ICMP return traffic.

permit icmp host 10.10.3.18 any

permit icmp any host 10.10.3.18
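The two points made in the replies above (an ACL is first-match top to bottom, and an "in" ACL on the Vlan12 SVI only sees packets entering the core from the VLAN 12 side, so it is the echo *reply* toward 10.10.3.18 that hits "deny ip any 10.10.0.0 0.0.255.255") can be checked offline with a small simulator. This is an added illustration, not code from the thread or from Cisco: it parses the subset of extended-ACL syntax the post uses, evaluates packets first-match, and shows the counter-incrementing line before and after the suggested "permit icmp any host 10.10.3.18" is inserted. The DMZ target address 10.12.0.6 is constructed, the malformed "permit icmp host 10.101.0.6 0.0.0.7 host" line from the post is omitted because it does not parse, and the "in"-direction model ignores the transit case MHM mentions.

```python
"""First-match simulator for the DMZ12 extended ACL from the thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL as posted, minus the malformed "permit icmp host 10.101.0.6 0.0.0.7 host" line.
ACL_DMZ12 = """\
deny ip 192.168.100.0 0.0.0.255 any
deny ip any 192.168.100.0 0.0.0.255
deny ip 192.168.110.0 0.0.0.255 any
deny ip any 192.168.110.0 0.0.0.255
deny ip 192.168.111.0 0.0.0.255 any
deny ip any 192.168.111.0 0.0.0.255
deny ip 192.168.123.0 0.0.0.255 any
deny ip any 192.168.123.0 0.0.0.255
permit icmp host 10.10.3.18 any
deny ip 10.10.0.0 0.0.255.255 any
deny ip any 10.10.0.0 0.0.255.255
permit udp any host 8.8.8.8 eq 53
permit udp any host 8.8.4.4 eq 53
permit tcp any host 8.8.8.8 eq 53
permit tcp any host 8.8.4.4 eq 53
permit tcp any host 1.2.3.4 eq 443
permit tcp any host 2.3.4.5 eq 443
deny ip any any
"""

Spec = Tuple[int, int]  # (network as int, wildcard mask as int)


@dataclass
class Ace:
    action: str
    proto: str
    src: Spec
    sport: Optional[int]
    dst: Spec
    dport: Optional[int]
    text: str


def _parse_addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i]; return (spec, next_i)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq PORT' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, line.strip()))
    return aces


def _addr_match(spec, addr):
    net, wc = spec  # wildcard bits set = "don't care", as in IOS
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & (~wc & 0xFFFFFFFF)) == 0


def evaluate(aces, proto, src, dst, sport=None, dport=None):
    """Top-to-bottom, first match wins; returns (action, matched line). Implicit deny at the end."""
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if not _addr_match(a.src, src) or not _addr_match(a.dst, dst):
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.text
    return "deny", "<implicit deny ip any any>"


def ping_exchange(aces, pinger, target):
    """Both halves of a ping through SVI Vlan12 with the ACL applied 'in' (assumption:
    the request leaves the core toward the VLAN, so an inbound ACL never sees it;
    only the reply entering the SVI from the VLAN side is evaluated)."""
    request = ("not filtered", "echo request exits the SVI; 'in' ACL not consulted")
    reply = evaluate(aces, "icmp", target, pinger)
    return request, reply


def with_return_permit(text, host):
    """Insert the return-traffic permit above the 10.10.0.0/16 deny lines; order matters."""
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith("deny ip 10.10.0.0"))
    lines.insert(idx, f"permit icmp any host {host}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    target = "10.12.0.6"  # constructed DMZ host, not from the thread
    print("before:", ping_exchange(parse_acl(ACL_DMZ12), "10.10.3.18", target))
    fixed = parse_acl(with_return_permit(ACL_DMZ12, "10.10.3.18"))
    print("after: ", ping_exchange(fixed, "10.10.3.18", target))
```

Running it shows the reply to 10.10.3.18 matching "deny ip any 10.10.0.0 0.0.255.255" with the original order (the line whose counter the original post saw incrementing) and matching the new "permit icmp any host 10.10.3.18" once that line sits above the deny. Anything moved below the /16 deny lines is dead, which is the general answer to "block first, then poke a hole": the hole must come before the block.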
