cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
772
Views
3
Helpful
8
Replies

L3 switch ACL issue

peat
Level 1
Level 1

Can anyone advise me as to where I have gone wrong with this config please.  I normally do ACLs on ASAs using asdm but for this I have to do the ACLs on the layer3 switch using cli.

I am wanting to allow port 80 and ping between the Pc and Server and nothing else.  But when i use telnet on the PC using port 443 it is still open.

packett.png

interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip access-group vlan20_10 in
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
ip access-group vlan10_20 in
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
!
interface Vlan10
mac-address 0002.4a2d.ab01
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
mac-address 0002.4a2d.ab02
ip address 172.16.200.254 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
ip flow-export version 9
!
!
ip access-list extended vlan10_20
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
ip access-list extended vlan20_10
permit tcp 172.16.200.0 0.0.0.255 192.168.10.0 0.0.0.255 eq www
permit icmp 172.16.200.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any any
!
!

1 Accepted Solution

Accepted Solutions

@peat 

Enter this ACL

ip access-list extended vlan20_10
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any

Apply this on SVI 10

M02rt37_0-1707144452951.png

That should be ok now:

M02rt37_2-1707144474894.png

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

8 Replies 8

M02@rt37
VIP
VIP

Hello @peat 

You only need ACL on Gi0/0/1 first.

interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip access-group vlan20_10 in
!
ip access-list extended vlan20_10
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

thanks just tried that but 443 still open.

Screenshot 2024-02-05 113646.png

!
!
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
ip access-group vlan20_10 in
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!

!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
!
interface Vlan10
mac-address 0002.4a2d.ab01
ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
mac-address 0002.4a2d.ab02
ip address 172.16.200.254 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
ip flow-export version 9
!
!
ip access-list extended vlan20_10
permit tcp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
!
!
!
!

 

Sorry @peat 

Apply  ACL on SVI 10, not under interface Gi0/0/1

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Sorry to be a pain but that has blocked all traffic from 192.168.10.1 now.

!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!

!
interface GigabitEthernet1/0/24
switchport mode trunk
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
!
interface Vlan10
mac-address 0002.4a2d.ab01
ip address 192.168.10.254 255.255.255.0
ip access-group vlan20_10 in
!
interface Vlan20
mac-address 0002.4a2d.ab02
ip address 172.16.200.254 255.255.255.0
!
ip default-gateway 192.168.99.254
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.99.254
!
ip flow-export version 9
!
!
ip access-list extended vlan20_10
permit tcp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.0.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any
!
!
!
!

 

@peat 

Enter this ACL

ip access-list extended vlan20_10
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any

Apply this on SVI 10

M02rt37_0-1707144452951.png

That should be ok now:

M02rt37_2-1707144474894.png

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

arghghgh typo! silly me.

Thanks very much thats sorted it.

You're very welcome @peat 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

BTW, although what M02@rt37 appears to be correct, its correctness depends on how thoroughly you want to limit traffic to/from those subnets and what specific traffic you want to limit.

For example, your OP notes "I am wanting to allow port 80 and ping between the Pc and Server and nothing else."

The ACE for ICMP allows any two way ICMP, not just ping.

If you want to limit ICMP to ping, you can restrict only allowing ping ICMPs.

Also, with ping, do you want to allow both networks to ping each other, or only one side initiate the ping and the other side respond?

Since you're only using an ingress ACL on the SVI, you're allowing any kind of traffic to enter this VLAN.  As most traffic looks for two way communication, blocking just one direction will curtail two way communications, but the outside could send anything it wants to that VLAN.  Is that okay?  If not, you could also apply an egress ACL on the SVI.

Further BTW, if there's only the one subnet on VLAN 10, your ingress ACEs could use "any" for source.

As every ACL ends with an implicit deny everything, the last ACE isn't actually needed.

e.g.

rather than:

ip access-list extended vlan20_10 !BTW, believe from your OP this should be using ip access-list extended vlan10_20
permit tcp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255 eq www
permit icmp 192.168.10.0 0.0.0.255 172.16.200.0 0.0.0.255
deny ip any any

possibly:

ip access-list extended vlan10_20 !for VL10 SVI ingress
permit tcp any 172.16.200.0 0.0.0.255 eq www
permit icmp any 172.16.200.0 0.0.0.255 echo
permit icmp any 172.16.200.0 0.0.0.255 echo-reply

ip access-list extended vlan20_10 !for VL10 SVI egress
permit tcp 172.16.200.0 0.0.0.255 eq www any established
permit icmp 172.16.200.0 0.0.0.255 any echo
permit icmp 172.16.200.0 0.0.0.255 any echo-reply

Review Cisco Networking for a $25 gift card