03-23-2013 07:08 AM - edited 03-07-2019 12:26 PM
Hello Guys,
I want to control traffic reaching a server farm, in say VLAN 14. For this I applied a ACL to SVI 14 in the outbound direction.
VLAN 14 = 167.107.230.32 /27
I want to allow host 10.8.184.177 to reach host 167.107.230.37 on port 443, for such purpose I wrote the following ACE:
permit tcp host 10.8.184.177 host 167.107.230.37 eq 443
And the ACL looks like this:
Extended IP access list vl14
120 permit tcp host 10.8.184.177 host 167.107.230.37 eq www
130 permit tcp host 10.8.184.177 host 167.107.230.37 eq 443
140 permit tcp host 10.8.184.178 host 167.107.230.37 eq www
150 permit tcp host 10.8.184.178 host 167.107.230.37 eq 443
160 permit tcp host 10.8.184.177 host 167.107.230.38 eq www
170 permit tcp host 10.8.184.177 host 167.107.230.38 eq 443
180 permit tcp host 10.8.184.178 host 167.107.230.38 eq www
190 permit tcp host 10.8.184.178 host 167.107.230.38 eq 443
200 permit icmp any host 167.107.230.37
210 permit icmp any host 167.107.230.38
220 deny ip 10.10.129.0 0.0.0.255 any log
230 deny ip 10.8.184.96 0.0.0.15 any log
240 deny ip 10.8.184.176 0.0.0.15 any log (7045 matches)
250 deny ip 10.8.184.192 0.0.0.63 any log
260 deny ip 167.107.230.0 0.0.0.255 any log
270 deny ip 167.107.66.0 0.0.0.31 any log
280 permit ip 205.174.35.0 0.0.0.255 any
290 permit ip 205.174.39.0 0.0.0.255 any
300 permit ip 205.174.43.0 0.0.0.255 any
310 permit ip 205.174.44.0 0.0.0.255 any
320 permit ip 192.168.0.0 0.0.255.255 any
330 permit ip 167.107.0.0 0.0.255.255 any
340 permit ip 10.0.0.0 0.255.255.255 any
350 permit ip 172.30.0.0 0.0.255.255 any
370 deny ip any any log (232 matches)
------------------------------------------------------------------------------------------------------------
The SVI is configured as follows:
interface Vlan14
ip address 167.107.230.60 255.255.255.224
ip access-group vl14 out
no ip redirects
no ip unreachables
no ip proxy-arp
standby 1 ip 167.107.230.62
standby 1 timers msec 250 msec 800
standby 1 priority 110
arp timeout 300
end
------------------------------------------------------------------------------------------------------------
I see the traffic being dropped:
%SEC-6-IPACCESSLOGP: list vl14 denied tcp 10.8.184.177(40322) -> 167.107.230.37(443), 2 packets
---------
You can see there is an ACE allowing ICMP to reach 167.107.230.x ... that works well. However, my explicit rule to reach 167.107.230.37 on 443 seems to be skipped.
Any ideas?
Thanks in advance!
03-23-2013 08:47 AM
Hi,
Does the router also skip the 230.38 eq 443 or just 230.37 eq 443?
Can you try deleting the ACLs, reapply them and test again?
HTH
03-23-2013 08:57 AM
Hi Reza,
Both rules are affected.
After writing the ACEs yesterday and seeing them being skipped for no apparent reason, I thought the best move I could make was to remove the ACL and re-apply it; unfortunately the server admin who was helping me test had to leave and my change window expired.
Before removing and reapplying the ACL next Monday I wanted to check with the people on this board for any error in how my ACEs were written. It all looks good, right?
All suggestions are welcome : ]
Thanks!
03-23-2013 09:26 AM
David
We are not in a position to tell you whether it all looks good or not since there are a number of entries in the ACL before entry 120. Since the ACL is processed in order it is quite possible that some entry before 120 is denying your host traffic. Post the entire ACL and we can tell you whether it all looks good or not.
HTH
Rick
03-23-2013 07:03 PM
Thanks Richard, I made sure to only remove permits.
Sent from Cisco Technical Support iPhone App
03-23-2013 07:54 PM
hi david,
why not put the 'log' keyword at the end of the said ACE and ask the server admin to do a 'telnet 167.107.230.37 443' from the 10.8.184.17 box to see any hits.
03-24-2013 06:49 AM
Thanks, John.
I will add the "log" keyword for troubleshooting on Monday when removing and re-applying the ACL.
03-24-2013 07:12 AM
Hello
svi acl vlan 14
inbound= from host in vlan 14
outbound= to host in vlan 14
res
paul
Sent from Cisco Technical Support Android App
03-24-2013 07:27 AM
Hello Paul,
If you read my first post through, you will notice that the traffic comes from another VLAN; therefore applying the ACL in the outbound direction is correct.
"ip access-group vl14 out
VLAN 14 = 167.107.230.32 /27
I want to allow host 10.8.184.177 to reach host 167.107.230.37 on port 443, for such purpose I wrote the following ACE:
permit tcp host 10.8.184.177 host 167.107.230.37 eq 443"
Thanks anyways.