
Understanding a simple ACL question

hello0815
Level 1

Hello guys,

I have a (most likely) very simple question about ACLs, but I still can't manage to figure out how this works.

My setup looks like the following:

Cisco 3850, ip routing enabled

-Vlan 2 (Network 192.168.2.0/24, IP of the Router is 192.168.2.1)
-a PC with the IP 192.168.2.20
-a PC with the IP 192.168.2.222

-Vlan 3 (Network 192.168.3.0/24, IP of the Router is 192.168.3.1)
-a PC with the IP 192.168.3.20

-Vlan 4 (Network 192.168.4.0/24, IP of the Router is 192.168.4.1)
-a PC with the IP 192.168.4.20

To this point everything works fine, I can ping from everywhere to everywhere.


Now what I want to achieve:

-PC 192.168.2.222 inside Vlan 2 should be allowed to send packets everywhere (= into the other VLANs) while using port 9
-any other host inside Vlan 2 is not allowed to send packets anywhere with port 9
-everything else is fine for now and is allowed

My access-list looks like the following:

!
ip access-list extended wol-acl
deny udp any any eq 9
permit udp host 192.168.2.222 any eq 9
!

This access-list is placed on interface Vlan 2:

!
interface Vlan2
mac-address blablabla
ip address 192.168.2.1 255.255.255.0
ip access-group wol-acl in
!

As soon as I place this ACL on interface Vlan2, nothing with Vlan2 works anymore:
I can't ping (and use any other ports etc.) from Vlan 3 to Vlan 2,
I can't ping (and use any other ports etc.) from Vlan 4 to Vlan 2,
I can't ping (and use any other ports etc.) from Vlan 2 to Vlan 3,
I can't ping (and use any other ports etc.) from Vlan 2 to Vlan 4.

Interactions between Vlan 3 and Vlan 4 are working fine.

What am I doing wrong? I only want to block any address except 192.168.2.222 from reaching
the other Vlans while using port 9. Everything else should be allowed (for now).

(I'm also aware that this WOL stuff also requires the ip-helper-addresses and other things like broadcast redirects, but it's already failing
while setting up the ACL rule and breaking the whole network. You can replace port 9 with any other port.)

Any help is highly appreciated.
Greetings from Germany


Accepted Solution

Hello
Try the following ACL

no ip access-list extended wol-acl
ip access-list extended wol-acl
permit udp host 192.168.2.222 any eq 9
deny udp any any eq 9
permit ip any any

int vlan 2
ip access-group wol-acl IN


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


Richard Burts
Hall of Fame

The main issue is that in an ACL, by default, the final statement is deny any any (anything that is not permitted is denied). Looking at your ACL, there is a single permit. So that is the only traffic that will work.

I note that the order of these statements is not correct:

deny udp any any eq 9
permit udp host 192.168.2.222 any eq 9

You need to permit the host before you deny all other traffic for port 9.

I would suggest that a good solution would be to add a new statement with permit ip any any.

HTH

Rick
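As an added illustration that is not part of this thread and not Cisco's own code, the following Python model replays the three ACLs posted here (the original two-line list, the deny-first version with permit ip any any, and the accepted permit-first version) against constructed sample packets entering the switch from VLAN 2, which is the direction an ACL applied "in" on interface Vlan2 filters. The parser, the packet model and the sample hosts are assumptions made for the example. It demonstrates the two rules Rick describes, first match wins and anything unmatched hits the implicit deny, and shows why even the ICMP echo replies sent by VLAN 2 hosts were dropped with the original ACL, so pings from VLAN 3 and VLAN 4 into VLAN 2 failed as well.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical mini-model (an assumption for this example, not IOS code) of how a
# Cisco IOS extended IP ACL is evaluated: entries are tested top to bottom, the
# first matching entry decides, and a packet matching nothing falls through to
# the implicit "deny ip any any" at the end of every ACL.

PORT_NAMES = {"discard": 9}  # IOS accepts the name "discard" for port 9


@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    eq: Optional[int] = None   # destination port from "eq N", if present


def _take_addr(tok, i):
    """Consume one address spec ("any", "host X" or a prefix) starting at tok[i]."""
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    return tok[i], i + 1


def parse_acl(text):
    """Parse the permit/deny lines as written in the thread; other lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue           # "ip access-list extended ..." header, "!" and so on
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        eq = None
        if i < len(tok) and tok[i] == "eq":
            port = tok[i + 1]
            eq = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        entries.append(Entry(tok[0], tok[1], src, dst, eq))
    return entries


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def entry_matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not _addr_match(e.src, p.src) or not _addr_match(e.dst, p.dst):
        return False
    return e.eq is None or p.dport == e.eq


def evaluate(acl, p):
    """First-match evaluation: returns (action, entry index), or ("deny", None)
    when the packet falls through to the implicit deny."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


# The three ACLs posted in the thread, verbatim.
ORIGINAL_ACL = parse_acl("""
ip access-list extended wol-acl
 deny udp any any eq 9
 permit udp host 192.168.2.222 any eq 9
""")
DENY_FIRST_ACL = parse_acl("""
ip access-list extended wol-acl
 deny udp any any eq discard
 permit udp host 192.168.2.222 any eq discard
 permit ip any any
""")
ACCEPTED_ACL = parse_acl("""
ip access-list extended wol-acl
 permit udp host 192.168.2.222 any eq 9
 deny udp any any eq 9
 permit ip any any
""")

# Constructed sample traffic entering the switch from VLAN 2 hosts (the "in"
# direction on interface Vlan2). The echo reply is the VLAN 2 half of a ping
# that a VLAN 4 host started.
SAMPLE = {
    "wol_from_222": Packet("udp", "192.168.2.222", "192.168.3.20", 9),
    "wol_from_20": Packet("udp", "192.168.2.20", "192.168.3.20", 9),
    "ping_from_20": Packet("icmp", "192.168.2.20", "192.168.3.20"),
    "echo_reply_from_20": Packet("icmp", "192.168.2.20", "192.168.4.20"),
}


def verdicts(acl):
    """Map each sample packet name to "permit" or "deny" under the given ACL."""
    return {name: evaluate(acl, p)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("deny-first", DENY_FIRST_ACL),
                       ("accepted", ACCEPTED_ACL)):
        print(label, verdicts(acl))
```

Running it shows the original list denying all four sample packets (the UDP/9 ones by its first entry, the ICMP ones by the implicit deny), the deny-first list passing everything except UDP/9 from any host including 192.168.2.222, and the accepted list permitting UDP/9 only from 192.168.2.222 while leaving other traffic untouched.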

balaji.bandi
Hall of Fame

Agreed; adding it like below should fix the issue:

ip access-list extended wol-acl
deny udp any any eq discard
permit udp host 192.168.2.222 any eq discard
permit ip any any

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


hello0815
Level 1

Hello guys,

First of all, thank you for your really quick help! That's awesome.

Thanks to @Richard Burts for explaining how the ACL acts and how it creates this "deny any any".

@balaji.bandi I tried your solution, but this didn't work for me. Probably because the "deny udp any any eq discard" is above the permit rule, like in my initial comment?

@paul driver This solution worked out for me. Works like a charm.

Thank you guys for helping me out and making me understand how things are working.

Greetings from Germany

Glad you were able to resolve the issue. Sure, we would have flipped the ACL, permit first and deny next; since the deny was first, it was denied... (I looked at my notes; I had changed your config, but pasted the wrong one.)

@paul driver  - good catch.


BB
