cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
647
Views
0
Helpful
13
Replies

Having trouble with ACL on a VLAN

hankjoejr
Level 1
Level 1

Hello all. I have am new to this company and I inherited a few issues. One that I am trying to overcome is this. Our network has multiple VLANs, one being VLAN 8. This VLAN (172.17.8.x) is for our computers in the manufacturing area that are not allowed internet access. That is working fine. However, we have rolled out a new application that is located on our network (MPLS/Metro) in the cloud on a terminal server farm at 172.17.146.x. The application is a shortcut on the desktops that points to that network. It works, however is painfully slow to connect. When I lift the ACL it works fine of course. I need to figure out a way for these systems to connect fast, yet still have no access to the internet. Here is the current ACL:

Extended ACL   restricted_ext_access  IN

5 permit ip any 198.168.0.0 0.0.255.255 (connects them to mail. works fine)

10 permit ip 172.17.8.0 0.0.0.255 172.16.0.0 0.0.255.255 (connection to old system before update. still needed and works)

20 permit ip 172.17.8.0 0.0.0.255 172.17.0.0 0.0.255.255

30 permit udp any any eq bootps

40 permit udp any any eq bootpc

50 permit udp any eq domain any

60 permit tcp any any eq 5721 (this is for our Kaseya to work and it does)

Like I said with the ACL in place it works, but takes a minute and a half or so to connect. When ACL is not there it is fast. Attached is the ACL and the Sh run for that VLAN interface. The corporate VLAN 5 and 6 work fine, but no ACL for them. I need to keep the VLAN 8 from being able to surf the web, etc. Thanks!

13 Replies 13

Francesco Molino
VIP Alumni
VIP Alumni

Hi

What kind of application you are trying to reach? 

Maybe there is some specific ports or access you need to connect while connecting to this app?

Could you add a deny any any statement with log options, just for a specific period in order to check check if you are missing some open ports?

Thanks so much


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the quick reply. The application is called IQMS. All systems connect to it like this:

https://gateway.domainname.com/rdweb

Gateway.domainname.com is the internal ip of 172.17.146.50.

I could try to add the deny any any, but my issue is that the company runs 24x7 but may be able to try it real fast. If I were to do that, where/how do I find the logs? Thanks again

If you do deny ip any any log you will find logs by issuing show log on the switch / router. Be careful to add at the last. For that:

- Ip access-list extended restricted_ext_access

100 deny ip any any log 

Or you can remove acl from interface, create a test acl matching traffic from your lan to your server and do a debug ip packet 100 (100 will correspond to acl number you've created)

Or monitor traffic by using wireshark 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

So adding the 100 deny ip any any log is in theory the same as the explicit already in place correct? By manually adding it will log what is failing so I can check. What bothers me is that it works so nothing is getting blocked, just slow. I will do this tomorrow if that deny is the same as the explicit already in place. Thanks again!

Yes this is same as implicit deny. The thing is that without acl it works perfectly. 

I don't see why it slower with acl except that's something is blocked going to your application and may trigger a resend of transactions. 

The slow forwarding could be done also from high cpu or TCAM memory...

Did you checked the cpu process just in case but i'll be sure that this part is correct. 

Could you also issue the command:

show platform health


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

This is what i got from the log in the attachment. Hope this helps get this resolved. Thanks.

i created a rule for this and it gets permitted, however the issue still remains.

That multicast address is used for LLMNR. This protocol is native on Windows machines to perform name resolution without requiring any dns server.

Question very basic, does your dns are working correctly for that specific application from your host when acl is configured?

could you do a nslookup from your machine pointing to your application hostname?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes I can successfully connect and I have attached a screenshot from a system on the VLAN8 and it is identical to the VLAN that can connect without issue. Can I go ahead and remove the line for the LLMNR?

Yes you can remove the line for LLMNR. Did you checked the TCAM and CPU?

Is it possible to do some debugging on your switch?

the goal would be to create an acl matching traffic from specific host not on vlan 8 and run a debug ip packets on this acl. It's to have a view of what traffic should be allowed while user accessing this website.

The configuration looks like:

access-list 100 permit ip host 172.17.x.x  any

access-list 100 permit ip any host 172.17.x.x

debug ip packet 100


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the information. I will try this today and get back with you.

I haven't been able to do this yet. I did create an new acl, just about as simple as it can be...

VLAN8_INBOUND -in            (not sure if I actually need this)

10 permit ip any any

VLAN_OUTBOUND out

10 deny tcp any eq www any

20 permit ip any any

Some systems work faster than others. I am not sure if it can get any simpler than that. Still, when the ACL is gone, all systems are fast.

To the debug, if you create a open acl like you said it will better to view which traffic needs to be allowed and which could be denied when analyzing traces. 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Review Cisco Networking for a $25 gift card