
How do i verify this ACL is properly configured

I am new in this environment. My manager feels there is something wrong with the ACL; it seems to be blocking some traffic. How do I verify if the ACL is properly applied to the VLAN interface 34?

Extended IP access list 134
9 permit ip any host 10.20.0.119
10 permit ip any host 10.20.28.1 (109 matches)
20 permit ip any host 10.20.22.1
29 permit ip 10.20.28.0 0.0.1.255 host 192.168.254.22
30 permit ip 10.20.28.0 0.0.1.255 host 192.168.154.205
31 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.22
32 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.23
40 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.14 eq domain
50 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.15 eq domain
60 permit ip host 10.20.28.10 host 192.168.154.49
61 permit ip host 10.20.28.10 host 192.168.154.71
62 permit ip host 10.20.28.10 any
70 permit ip host 10.20.28.11 host 192.168.154.49
71 permit ip host 10.20.28.11 any
80 permit ip host 10.20.28.12 host 192.168.154.49
81 permit ip host 10.20.28.12 host 192.168.154.71
82 permit ip host 10.20.28.12 any
90 permit ip host 10.20.28.13 host 192.168.154.49
91 permit ip host 10.20.28.13 any
92 permit ip host 10.20.28.15 any
100 deny ip any 10.0.0.0 0.255.255.255 log-input (872806 matches)
110 deny ip any 172.16.0.0 0.0.15.255
120 deny ip any 192.168.0.0 0.0.255.255 (54250 matches)
130 permit ip any any

#show ip interface vlan 34
Vlan34 is up, line protocol is up
Internet address is 10.20.28.1/23
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1522 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is not set
Inbound Common access list is not set
Inbound access list is 134
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: Access List, MCI Chec

4 Replies

Reza Sharifi
Hall of Fame

Hi,

the output of "show run int vlan 34" should show you if access list 134 has been applied to the interface.

HTH

Cristian Matei
VIP Alumni

Hi,

Not sure what you mean by "properly applied". The best way to confirm whether the ACL is applied or not is with the command you just used, "show ip interface Vlan34", and there you have your response:

#show ip interface vlan 34
Vlan34 is up, line protocol is up
Internet address is 10.20.28.1/23
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1522 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is not set
Inbound Common access list is not set
Inbound access list is 134

There are 3 deny entries in your ACL; you could use the "log" option on all three to identify matching traffic. You could also use the command "ip access-list log-update threshold 1", in order for the router to log a message on each hit. Make sure to remove this last command afterwards, as it may cause some load on the router's CPU. But temporarily, for troubleshooting, it's good.

Regards,

Cristian Matei.

Thanks a lot. Our reason for concern is that we are seeing a block from access-list 134 from vlan 34, so I am bothered why this is happening. What do you advise I do to fix this?
<190>56703: *Mar 31 15:59:38.705: %SEC-6-IPACCESSLOGP: list 134 denied tcp 10.20.29.78(54988) (Vlan34 004e.006e.0000) -> 10.20.28.13(80), 1 packet

This access list means a host with IP 10.20.29.78, source port 54988, is trying to access a host with destination IP 10.20.28.13 on port 80, which is HTTP. If you want to allow this host to access this web site, then you need to add host 10.20.29.78 to your permit list.

HTH
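The following Python script is an added example, not part of the thread and not a Cisco tool. It replays the logged packet (10.20.29.78:54988 -> 10.20.28.13:80) against the posted access list 134 using the same first-match, sequence-ordered evaluation IOS performs, which is the quickest offline way to answer "which entry blocked this" before touching the live router. The ACL text is copied from the thread with the hit counters dropped; the parser only handles the keyword forms that actually appear there. The "95 permit ..." line is a constructed illustration of the permit the last reply suggests; its sequence number and the small port-name table are assumptions.

```python
"""Added example (not from the thread): first-match simulator for a Cisco
extended numbered ACL, used to find which entry of list 134 a packet hits.
Parser covers only the forms present in that ACL: ip/udp/tcp, any, host,
address+wildcard, and an optional 'eq <port>' on source or destination."""
import ipaddress

ACL_134 = """\
9 permit ip any host 10.20.0.119
10 permit ip any host 10.20.28.1
20 permit ip any host 10.20.22.1
29 permit ip 10.20.28.0 0.0.1.255 host 192.168.254.22
30 permit ip 10.20.28.0 0.0.1.255 host 192.168.154.205
31 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.22
32 permit ip 10.20.28.0 0.0.1.255 host 10.20.5.23
40 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.14 eq domain
50 permit udp 10.20.28.0 0.0.1.255 host 10.20.5.15 eq domain
60 permit ip host 10.20.28.10 host 192.168.154.49
61 permit ip host 10.20.28.10 host 192.168.154.71
62 permit ip host 10.20.28.10 any
70 permit ip host 10.20.28.11 host 192.168.154.49
71 permit ip host 10.20.28.11 any
80 permit ip host 10.20.28.12 host 192.168.154.49
81 permit ip host 10.20.28.12 host 192.168.154.71
82 permit ip host 10.20.28.12 any
90 permit ip host 10.20.28.13 host 192.168.154.49
91 permit ip host 10.20.28.13 any
92 permit ip host 10.20.28.15 any
100 deny ip any 10.0.0.0 0.255.255.255 log-input
110 deny ip any 172.16.0.0 0.0.15.255
120 deny ip any 192.168.0.0 0.0.255.255
130 permit ip any any
"""

PORT_NAMES = {"domain": 53, "www": 80}  # assumed: only the names this example needs


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _parse_addr(tokens):
    """Consume one address spec; return ((address, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>'; return (port or None, remaining tokens)."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse 'seq action proto src [eq p] dst [eq p] ...' lines, sorted by seq."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        rest = toks[3:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)  # trailing 'log-input' etc. is ignored
        entries.append({"seq": int(toks[0]), "action": toks[1], "proto": toks[2],
                        "src": src, "sport": sport, "dst": dst, "dport": dport,
                        "text": line.strip()})
    return sorted(entries, key=lambda e: e["seq"])  # IOS walks entries in seq order


def _addr_match(spec, ip):
    address, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (ip & care) == (address & care)


def first_match(entries, proto, src, sport, dst, dport):
    """Return the first ACE that matches the packet, or the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(e["src"], s) and _addr_match(e["dst"], d)):
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e
    return {"seq": None, "action": "deny", "text": "implicit deny ip any any"}


if __name__ == "__main__":
    acl = parse_acl(ACL_134)
    # The packet from the %SEC-6-IPACCESSLOGP line quoted in the thread
    hit = first_match(acl, "tcp", "10.20.29.78", 54988, "10.20.28.13", 80)
    print(hit["seq"], hit["text"])
    # Constructed fix: the permit must sort before the deny at 100 to take effect
    fixed = parse_acl(ACL_134 + "95 permit tcp host 10.20.29.78 host 10.20.28.13 eq www\n")
    print(first_match(fixed, "tcp", "10.20.29.78", 54988, "10.20.28.13", 80)["seq"])
```

Walking the list shows why the log appears: entries 60 to 92 only permit sources 10.20.28.10 through .13 and .15, and entries 29 to 32 only permit the /23 to specific hosts, so a packet from 10.20.29.78 to 10.20.28.13 reaches sequence 100 and is dropped by the deny for 10.0.0.0/8. The same replay also shows that a permit added with a sequence number above 100 is never reached, so the fix has to be inserted before the deny. One further check worth making on the router side: both addresses in the logged packet sit inside Vlan34's own 10.20.28.0/23, and an inbound ACL on the SVI only sees packets that a host handed to the router, so it is worth confirming why 10.20.29.78 is sending traffic for a same-subnet neighbour to the gateway at all.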
