IE3300 Add access-list failed

Denid0037
Level 1

I have recently upgraded my IE3300's from 16.12.1 to 17.9.5 and also installed a new IE3300 running 17.9.5. I am having problems applying ACL's to the ports. Here are the two things I have come across:

For both the old and the new IE3300's, if I have an entry with "range" in it, the switch will log "Add access-list failed". However, if I remove the range and change it to "eq" or "gt" then the ACL applies successfully.

Examples:

permit tcp {SRC_NET} 0.0.0.255 range 19995 19997 {DST_NET} 0.0.0.255    <== add ACL to port fails

permit tcp {SRC_NET} 0.0.0.255 eq 19995 {DST_NET} 0.0.0.255
permit tcp {SRC_NET} 0.0.0.255 eq 19996 {DST_NET} 0.0.0.255    <== add ACL to port succeeds with these 3 rules
permit tcp {SRC_NET} 0.0.0.255 eq 19997 {DST_NET} 0.0.0.255

permit udp {SRC_NET} 0.0.0.63 host {DST_HOST} range 51000 55000    <== add ACL to port fails

permit udp {SRC_NET} 0.0.0.63 host {DST_HOST} gt 51000    <== add ACL to port succeeds

Additionally, for the new IE3300, I have the same problem with "range", but rules with eq & gt in them will also log "Add access-list failed". However, if I remove one of the eq/gt and change it to either "eq" or "gt" then the ACL applies successfully. This does not happen with the old switches.

Examples:

permit udp {SRC_NET} 0.0.0.255 eq snmp host {DST_HOST} gt 1023
permit udp {SRC_NET} 0.0.0.255 gt 1023 host {DST_HOST} eq tftp    <== with any or all 3 of these rules add ACL to port fails
permit udp {SRC_NET} 0.0.0.255 gt 1023 host {DST_HOST} gt 9999

permit udp {SRC_NET} 0.0.0.255 eq snmp host {DST_HOST}
permit udp {SRC_NET} 0.0.0.255 host {DST_HOST} eq tftp    <== with any or all 3 of these rules add ACL to port succeeds
permit udp {SRC_NET} 0.0.0.255 gt 1023 host {DST_HOST}

I don't understand either of these problems. When the ACL is created the switch does not indicate bad/invalid syntax. All of the switches are on the same version and the only difference I can see between the new and the old is this:

Model Revision Number : V04    <== Old switches
Motherboard Revision Number : 9

Model Revision Number : V05    <== New switch
Motherboard Revision Number : B

I have gone through and added one rule at a time to the ACL's and then added it to the port to see if it fails. I then remove it from the port and repeat for the next rule as I build the entire ruleset. These examples are the only instances when adding results in a failed message.

Any idea what the problem here is? Am I just missing something?

Accepted Solution

Hi,

    It's a well-known issue for these models, due to internal architecture / available resources, so "range" fails as well as the other options that did not work. Check this document: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/218248-troubleshoot-access-lists-on-ie3x00.html

Best,

Cristian.


7 Replies

permit udp {SRC_NET} 0.0.0.63 host {DST_HOST} range 51000-55000  

Add "-" in between

MHM

Changing the rule to: permit udp {SRC_NET} 0.0.0.63 host {DST_HOST} range 51000-55000  

Results in: % Invalid input detected at '^' marker. The '^' points to the '-'

range 51000 - 55000 

Spaces in between

MHM

Changing the rule to: permit udp {SRC_NET} 0.0.0.63 host {DST_HOST} range 51000 - 55000 

Still results in: % Invalid input detected at '^' marker. With the '^' pointing to the '-'


Can you use help to let the device guide you on how you add the range command?

Also reduce the range to include only 100 ports instead of 4000 ports; it can be that the buffer for ACL L4 ports is not enough for these 4000 ports.

MHM
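Added example, written for this thread and not taken from the posts above or from Cisco: a small Python audit that parses IOS extended ACEs, flags the two shapes the original poster reports as failing (a `range` operator, and a port operator on both source and destination), expands a narrow range into the `eq` entries the poster used as a workaround, and, for the substitutions discussed in Cristian's and MHM's replies, counts how many ports the substitute ACE newly permits. The port-name table, the 16-port expansion limit and the RFC 5737 documentation addresses are assumptions; the failure shapes are the poster's observations on V04 and V05 units, not a documented limit.

```python
"""Audit IOS extended ACEs for the L4 port-operator shapes this thread
reports as failing on IE3x00 ("Add access-list failed"), rewrite a narrow
range into eq entries the way the original poster did, and measure how far
a substitute ACE widens or narrows the policy.

Example code written for this thread, not Cisco's.  Assumptions: the
port-name table is a partial subset; the max_ports expansion limit is
arbitrary; the failure shapes are the poster's observations, not a
documented platform limit."""
from typing import Dict, List, Optional, Set, Tuple

PortOp = Tuple[str, List[int]]                 # ("eq", [161]) or ("range", [lo, hi])
ALL_PORTS = range(0, 65536)
PORT_NAMES: Dict[str, int] = {"snmp": 161, "tftp": 69, "domain": 53}   # assumed subset


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_addr(toks: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' | 'host X' | 'X WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2


def _take_op(toks: List[str], i: int) -> Tuple[Optional[PortOp], int]:
    """Consume an optional port operator: eq/gt/lt/neq N, or range LO HI."""
    if i < len(toks) and toks[i] == "range":
        return ("range", [_port(toks[i + 1]), _port(toks[i + 2])]), i + 3
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "neq"):
        return (toks[i], [_port(toks[i + 1])]), i + 2
    return None, i


def parse_ace(line: str) -> dict:
    """Parse 'permit|deny PROTO SRC [op] DST [op]' (no trailing log/established)."""
    toks = line.split()
    src, i = _take_addr(toks, 2)
    src_op, i = _take_op(toks, i)
    dst, i = _take_addr(toks, i)
    dst_op, i = _take_op(toks, i)
    return {"action": toks[0], "proto": toks[1], "src": src, "src_op": src_op,
            "dst": dst, "dst_op": dst_op}


def render(ace: dict) -> str:
    def op_text(op: PortOp) -> str:
        return op[0] + " " + " ".join(str(p) for p in op[1])
    parts = [ace["action"], ace["proto"], ace["src"]]
    if ace["src_op"]:
        parts.append(op_text(ace["src_op"]))
    parts.append(ace["dst"])
    if ace["dst_op"]:
        parts.append(op_text(ace["dst_op"]))
    return " ".join(parts)


def port_set(op: Optional[PortOp]) -> Set[int]:
    """Ports matched by an operator; no operator means every port."""
    if op is None:
        return set(ALL_PORTS)
    kind, a = op
    if kind == "eq":
        return {a[0]}
    if kind == "neq":
        return set(ALL_PORTS) - {a[0]}
    if kind == "gt":
        return set(range(a[0] + 1, 65536))
    if kind == "lt":
        return set(range(0, a[0]))
    return set(range(a[0], a[1] + 1))          # range is inclusive at both ends


def findings(ace: dict) -> List[str]:
    """Flag the ACE shapes the thread reports as failing on IE3x00."""
    ops = [o for o in (ace["src_op"], ace["dst_op"]) if o]
    out = []
    if any(o[0] == "range" for o in ops):
        out.append("range operator: failed on both V04 and V05 units in the thread")
    if len(ops) == 2:
        out.append("port operator on both source and destination: failed on the V05 unit")
    return out


def expand_range(ace: dict, max_ports: int = 16) -> Optional[List[str]]:
    """Split one range ACE into equivalent eq ACEs (what the poster did for
    19995-19997).  Returns None when the range is wider than max_ports,
    since a 4000-entry ACL is not a sensible substitute."""
    for side in ("src_op", "dst_op"):
        op = ace[side]
        if op and op[0] == "range":
            lo, hi = op[1]
            if hi - lo + 1 > max_ports:
                return None
            return [render({**ace, side: ("eq", [p])}) for p in range(lo, hi + 1)]
    return None


def port_drift(original: Optional[PortOp], substitute: Optional[PortOp]) -> Tuple[Set[int], Set[int]]:
    """(newly matched ports, no longer matched ports) when one side's operator
    is replaced.  A non-empty 'gained' set on a permit ACE means the
    workaround widened the policy rather than reproducing it."""
    before, after = port_set(original), port_set(substitute)
    return after - before, before - after


if __name__ == "__main__":
    # Constructed ACEs modelled on the thread; RFC 5737 documentation
    # addresses stand in for the poster's {SRC_NET}/{DST_HOST} placeholders.
    for line in [
        "permit tcp 192.0.2.0 0.0.0.255 range 19995 19997 198.51.100.0 0.0.0.255",
        "permit udp 192.0.2.0 0.0.0.63 host 203.0.113.10 range 51000 55000",
        "permit udp 192.0.2.0 0.0.0.255 eq snmp host 203.0.113.10 gt 1023",
    ]:
        ace = parse_ace(line)
        print(line)
        for f in findings(ace):
            print("   !", f)
        for e in expand_range(ace) or []:
            print("   ->", e)
    gained, lost = port_drift(("range", [51000, 55000]), ("gt", [51000]))
    print(f"range 51000 55000 -> gt 51000: opens {len(gained)} extra ports, drops {sorted(lost)}")
    gained, lost = port_drift(("gt", [1023]), None)
    print(f"dropping 'gt 1023' on the destination: opens {len(gained)} extra ports")
```

The drift check is the part worth keeping: `gt 51000` is not equivalent to `range 51000 55000` (it opens 55001-65535 and drops 51000 itself), and removing the destination operator from the SNMP rule, as in the set of rules that did apply on the new switch, lets SNMP-sourced datagrams reach all 1024 privileged destination ports. Both are policy changes to record in the change ticket, not silent fixes for the "Add access-list failed" message.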

@Denid0037 

I was checking the page called "What's new..." and for ACL something I saw is the possibility to work with Object Groups. But it is not clear about your specific problem.

https://community.cisco.com/t5/networking-blogs/what-s-new-ios-xe-17-9-routing-release-update/ba-p/4679975
