cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Community Designated VIP Class of 2020

420
Views
0
Helpful
5
Replies
Highlighted
Beginner

Issue with ACL configs on Switch

Hi there,

 

Wondering if any of you folks can help me. I was recently working in the virtual space with Vyatta routers and wanted to move to a hardware solution using a 3550/3650 switch. I have an isue where I cannot connect to any of the networks setup on my switch. Pings to certain networks return

 

From 192.168.101.254 icmp_seq=36 Packet filtered

From 192.168.101.254 icmp_seq=38 Packet filtered

From 192.168.101.254 icmp_seq=43 Packet filtered

From 192.168.101.254 icmp_seq=48 Packet filtered

From 192.168.101.254 icmp_seq=53 Packet filtered

 

Pings to the 20.20.20.x network return network unreachable and the same for the 30.30.30.x

I cannnot access any of the services on 20.20.20.x or 30.30.30.x

 

Any help is appreciated

 

The following is my current config

hostname switch
!
!
ip subnet-zero
ip routing
!
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 switchport access vlan 101
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/2
 switchport access vlan 102
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/3
 switchport access vlan 103
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/4
 switchport access vlan 104
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/5
 switchport access vlan 105
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/6
 switchport access vlan 106
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/7
 switchport access vlan 107
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/8
 switchport access vlan 108
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/9
 switchport access vlan 109
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/10
 switchport access vlan 110
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/11
 switchport access vlan 111
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/12
 switchport access vlan 112
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/13
 switchport access vlan 113
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/14
 switchport access vlan 114
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/15
 switchport access vlan 115
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/16
 switchport access vlan 116
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/17
 switchport access vlan 117
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/18
 switchport access vlan 118
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/19
 no ip address
!
interface FastEthernet0/20
 no ip address
!
interface FastEthernet0/21
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/22
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/23
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/24
 switchport access vlan 200
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/25
 no ip address
!
interface FastEthernet0/26
 no ip address
 exit
!
interface FastEthernet0/27
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/28
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/29
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/30
 switchport access vlan 300
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/31
 no ip address
!
interface FastEthernet0/32
 no ip address
!
interface FastEthernet0/33
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/34
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/35
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/36
 switchport access vlan 400
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/37
 no ip address
!
interface FastEthernet0/38
 no ip address
!
interface FastEthernet0/39
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/40
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/41
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/42
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/43
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/44
 switchport access vlan 500
 switchport mode access
 no ip address
 exit
!
interface FastEthernet0/45
 no ip address
!
interface FastEthernet0/46
 no ip address
!
interface FastEthernet0/47
 no ip address
!
interface FastEthernet0/48
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 no ip address
 shutdown
!
interface range FastEthernet0/1 - 20
 no shut
 exit
!
interface range FastEthernet0/21 - 24
 no shut
 exit
!
interface range FastEthernet0/25 - 48
 no shut
 exit
!
interface Vlan101
 ip address 192.168.101.254 255.255.255.0
 ip access-group p1 in
 exit
!
interface Vlan102
 ip address 192.168.102.254 255.255.255.0
 ip access-group p2 in
!
interface Vlan103
 ip address 192.168.103.254 255.255.255.0
 ip access-group p3 in
 exit
!
interface Vlan104
 ip address 192.168.104.254 255.255.255.0
 ip access-group p4 in
!
interface Vlan105
 ip address 192.168.105.254 255.255.255.0
 ip access-group p5 in
 exit
!
interface Vlan106
 ip address 192.168.106.254 255.255.255.0
 ip access-group p6 in
!
interface Vlan107
 ip address 192.168.107.254 255.255.255.0
 ip access-group p7 in
 exit
!
interface Vlan108
 ip address 192.168.108.254 255.255.255.0
 ip access-group p8 in
!
interface Vlan109
 ip address 192.168.109.254 255.255.255.0
 ip access-group p9 in
 exit
!
interface Vlan110
 ip address 192.168.110.254 255.255.255.0
 ip access-group p10 in
 exit
!
interface Vlan111
 ip address 192.168.111.254 255.255.255.0
 ip access-group p11 in
 exit
!
interface Vlan112
 ip address 192.168.112.254 255.255.255.0
 ip access-group p12 in
 exit
!
interface Vlan113
 ip address 192.168.113.254 255.255.255.0
 ip access-group p13 in
 exit
!
interface Vlan114
 ip address 192.168.114.254 255.255.255.0
 ip access-group p14 in
 exit
!
interface Vlan115
 ip address 192.168.115.254 255.255.255.0
 ip access-group p15 in
 exit
!
interface Vlan116
 ip address 192.168.116.254 255.255.255.0
 ip access-group p16 in
 exit
!
interface Vlan117
 ip address 192.168.117.254 255.255.255.0
 ip access-group p17 in
 exit
!
interface Vlan118
 ip address 192.168.118.254 255.255.255.0
 ip access-group p8 in
 exit
!
interface Vlan200
 ip address 20.20.20.254 255.255.255.0
 exit
!
interface Vlan300
 ip address 30.30.30.254 255.255.255.0
 exit
!
interface Vlan400
 ip address 40.40.40.254 255.255.255.0
 exit
!
interface Vlan500
 ip address 11.11.11.254 255.255.255.0
 exit
!
ip classless
ip http server
!
ip access-list extended p1
 permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 443
 permit tcp 192.168.101.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.101.0 0.0.0.255
 permit ip 192.168.101.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p2
 permit tcp 20.20.20.0 0.0.0.255 192.168.102.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.102.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.102.0 0.0.0.255 eq 443
 permit tcp 192.168.102.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.102.0 0.0.0.255
 permit ip 192.168.102.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p3
 permit tcp 20.20.20.0 0.0.0.255 192.168.103.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.103.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.103.0 0.0.0.255 eq 443
 permit tcp 192.168.103.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.103.0 0.0.0.255
 permit ip 192.168.103.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p4
 permit tcp 20.20.20.0 0.0.0.255 192.168.104.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.104.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.104.0 0.0.0.255 eq 443
 permit tcp 192.168.104.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.104.0 0.0.0.255
 permit ip 192.168.104.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
 ip access-list extended p5
 permit tcp 20.20.20.0 0.0.0.255 192.168.105.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.105.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.105.0 0.0.0.255 eq 443
 permit tcp 192.168.105.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.105.0 0.0.0.255
 permit ip 192.168.105.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p6
 permit tcp 20.20.20.0 0.0.0.255 192.168.106.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.106.0 0.0.0.255 eq 443
 permit tcp 192.168.106.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.106.0 0.0.0.255
 permit ip 192.168.106.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p7
 permit tcp 20.20.20.0 0.0.0.255 192.168.107.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.107.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.107.0 0.0.0.255 eq 443
 permit tcp 192.168.107.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.107.0 0.0.0.255
 permit ip 192.168.107.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p8
 permit tcp 20.20.20.0 0.0.0.255 192.168.108.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.108.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.108.0 0.0.0.255 eq 443
 permit tcp 192.168.108.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.108.0 0.0.0.255
 permit ip 192.168.108.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p9
 permit tcp 20.20.20.0 0.0.0.255 192.168.109.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.109.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.109.0 0.0.0.255 eq 443
 permit tcp 192.168.109.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.109.0 0.0.0.255
 permit ip 192.168.109.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p10
 permit tcp 20.20.20.0 0.0.0.255 192.168.110.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.110.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.110.0 0.0.0.255 eq 443
 permit tcp 192.168.110.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.110.0 0.0.0.255
 permit ip 192.168.110.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p11
 permit tcp 20.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.111.0 0.0.0.255 eq 443
 permit tcp 192.168.111.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.111.0 0.0.0.255
 permit ip 192.168.111.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p12
 permit tcp 20.20.20.0 0.0.0.255 192.168.112.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.112.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.112.0 0.0.0.255 eq 443
 permit tcp 192.168.112.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.112.0 0.0.0.255
 permit ip 192.168.112.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
 ip access-list extended p13
 permit tcp 20.20.20.0 0.0.0.255 192.168.113.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.113.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.113.0 0.0.0.255 eq 443
 permit tcp 192.168.113.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.113.0 0.0.0.255
 permit ip 192.168.113.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p14
 permit tcp 20.20.20.0 0.0.0.255 192.168.114.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.114.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.114.0 0.0.0.255 eq 443
 permit tcp 192.168.114.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.114.0 0.0.0.255
 permit ip 192.168.114.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p15
 permit tcp 20.20.20.0 0.0.0.255 192.168.115.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.115.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.115.0 0.0.0.255 eq 443
 permit tcp 192.168.115.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.115.0 0.0.0.255
 permit ip 192.168.115.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p16
 permit tcp 20.20.20.0 0.0.0.255 192.168.116.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.116.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.116.0 0.0.0.255 eq 443
 permit tcp 192.168.116.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.116.0 0.0.0.255
 permit ip 192.168.116.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p17
 permit tcp 20.20.20.0 0.0.0.255 192.168.117.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.117.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.117.0 0.0.0.255 eq 443
 permit tcp 192.168.117.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.117.0 0.0.0.255
 permit ip 192.168.117.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
ip access-list extended p18
 permit tcp 20.20.20.0 0.0.0.255 192.168.118.0 0.0.0.255 eq www
 permit tcp 20.20.20.0 0.0.0.255 192.168.118.0 0.0.0.255 eq 8080 established
 permit tcp 20.20.20.0 0.0.0.255 192.168.118.0 0.0.0.255 eq 443
 permit tcp 192.168.118.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
 permit ip 30.30.30.0 0.0.0.255 192.168.118.0 0.0.0.255
 permit ip 192.168.118.0 0.0.0.255 30.30.30.0 0.0.0.255
 deny   ip any any
 exit
!
!
access-list 120 permit tcp 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255 eq 8181 established
access-list 130 permit tcp 30.30.30.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8181
access-list 140 permit tcp any any eq 8080
access-list 140 permit tcp any any eq www
no cdp advertise-v2
!
!
line con 0
line vty 5 15
!
!
monitor session 1 source vlan 1 - 500 rx
monitor session 1 destination interface Fa0/47
monitor session 2 source vlan 1 - 500 rx
monitor session 2 destination interface Fa0/48
end
Everyone's tags (1)
5 REPLIES 5

Re: Issue with ACL configs on Switch

Hi,

Your Ping to 192.168.100.254 failed because it is filtered by ACL. Either you need to ping from addresses allowed in the ACL (address space 30.30.30.0/24), or modify the ACL as follows:

ip access-list extended p1
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq www
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 8080 established
permit tcp 20.20.20.0 0.0.0.255 192.168.101.0 0.0.0.255 eq 443
permit tcp 192.168.101.0 0.0.0.255 20.20.20.0 0.0.0.255 eq 8080
permit ip 30.30.30.0 0.0.0.255 192.168.101.0 0.0.0.255
permit ip 192.168.101.0 0.0.0.255 30.30.30.0 0.0.0.255
permit icmp any any
deny ip any any
exit

 

You need to modify the other ACLs as well if you want to run PING.


For 20.20.20.x and 30.30.30.x, could you check if you have routes in the routing table?

HTH,
Meheretab

Beginner

Re: Issue with ACL configs on Switch

Thanks for reply. However I'm not sure this is what I want. I might have phrased my question wrong.

Re: Issue with ACL configs on Switch

Hi Spockles,

 

Your ACL configuration is incorrect.

Can you please tell me the exact source and destination to which you want to allow traffic?

After that we can modify the ACL then you can test.

 

Please also make sure the gateway configured on the servers is correct.

SD-WAN Specialist
Spooster IT Services
Beginner

Re: Issue with ACL configs on Switch

Hi,
Thanks for the reply. So there was an issue with gateways on the servers. I think my initial question did not tell the whole story of what I require.
So the 192.168.101-120.0 Vlans need http access to 20.20.20.0 network. They should have full access to the 30.30.30.0 network. Traffic from 30.30.30.0 to 20.20.20.0 should only be over the port specified in acl 120 and 130. Ping from 30.30.30.0 to 20.20.20.0 should not be allowed. Traffic from 30.30.30.0 and 20.20.20.0 should only be allowed over port 514. This I have not added in yet.

Thanks for help
VIP Mentor

Re: Issue with ACL configs on Switch

Hello

I haven't checked each individual acl but It seems at first glance of this config your acl's are assigned in the wrong direction.

 

SVI RACLS have a logic of:

IN = From within the vlan to Outside
OUT= from Outside into vlan

Lastly ACLs 120/130/140 are not assigned to anything if this is the case Id removed them for clarity

res
Paul



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
CreatePlease to create content
Content for Community-Ad