
Catalyst 3560 ACL's 1


jwil320

IS-IT--Management
Aug 19, 2005
US
I have just purchased a new 3560 for my company. This is brand new out of the box. I have written up some access-lists and I was just wondering if they would work correctly when put into production. Here is what I have so far. I basically want to know: if I have the traffic allowed in one VLAN, do I have to specify the same traffic in the other VLAN?

VLAN1 = PCs, ACL 101
VLAN3 = Printers, ACL 103
VLAN5 = network monitors, ACL 105
VLAN7 = DNS and Mail servers, ACL 107
VLAN10 = test domain, ACL 110
VLAN11 = Servers, ACL 111

access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.99.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 101 permit ip host 192.168.1.7 host 192.168.11.66
access-list 101 permit ip 192.168.1.8 0.0.0.7 host 192.168.11.66
access-list 101 permit ip 192.168.1.16 0.0.0.1 host 192.168.11.66
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 192.168.11.145
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
int vlan1
ip access-group 101 in
exit
access-list 103 permit ip 192.168.3.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.7.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip host 192.168.3.65 192.168.11.0 0.0.0.255
access-list 103 deny ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
int vlan3
ip access-group 103 in
exit
access-list 105 permit ip 192.168.5.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 host 192.168.3.65
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 105 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 105 permit ip 192.168.5.0 0.0.0.255 any
int vlan5
ip access-group 105 in
exit
access-list 107 permit ip 192.168.7.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 107 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.7.255
access-list 107 permit ip 192.168.7.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 107 permit ip 192.168.7.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 107 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 107 permit ip 192.168.7.0 0.0.0.255 any
int vlan7
ip access-group 107 in
exit
access-list 109 permit ip 192.168.9.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 109 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.7.255
access-list 109 permit ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 109 permit ip 192.168.9.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 109 deny ip 192.168.9.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 109 permit ip 192.168.9.0 0.0.0.255 any
int vlan9
ip access-group 109 in
exit
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 host 192.168.7.1
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
int vlan10
ip access-group 110 in
exit
access-list 111 permit ip 192.168.11.0 0.0.0.255 172.17.99.0 0.0.0.255
access-list 111 permit ip host 192.168.11.66 host 192.168.1.7
access-list 111 permit ip host 192.168.11.66 192.168.1.8 0.0.0.7
access-list 111 permit ip host 192.168.11.66 192.168.1.16 0.0.0.1
access-list 111 permit ip host 192.168.11.145 192.168.1.0 0.0.7.255
access-list 111 permit ip 192.168.11.0 0.0.0.255 host 192.168.3.65
access-list 111 permit ip 192.168.11.0 0.0.0.255 host 192.168.7.1
access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 111 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 111 deny ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 111 permit ip 192.168.11.0 0.0.0.255 any
int vlan11
ip access-group 111 in
exit
 
I think your logic is backwards in at least some of your statements. If you have, for example, "ip access-group 101 IN" applied to interface vlan1, then packets coming INto the VLAN1 will be checked against access list 101, yet you are only "permitting" packets with a source address WITHIN vlan1. Since none of the traffic will match any of your entries in the access list (because none of the packets coming into vlan1 will have a 192.168.1.0 address), ALL traffic coming into that VLAN will be filtered because of the implicit deny. I think to accomplish what you are trying (if I'm assuming correctly), then you want to change your access-group statements to "out".

Anyway, I'm not totally clear on what you're trying to do because you've left out some information (such as, what is VLAN9 / ACL9?).
 
Sorry about that. VLAN 9 is our voice database, and pretty much everything needs to be able to talk to this VLAN. Basically I don't want any other traffic allowed other than the traffic specified above. So you're saying that in order for this to happen the ACLs should be applied outbound instead of inbound?
 
If I look at what you appear to be trying to accomplish, based on your source address - yes, that's what I'm saying. Let me try to explain:

You have VLAN1, which is the 192.168.1.0 network, with ACL 101 applied.

Your ACL is PERMITTING traffic with a *SOURCE* address of 192.168.1.0 0.0.0.255 INBOUND. Traffic INBOUND to VLAN1 will NEVER have a source address of 192.168.1.0 because these addresses are INTERNAL to VLAN1 already, and therefore will never cross the vlan interface inbound.
 
I created a test VLAN100 and used the existing VLAN1 and created 2 different access-lists.

1st ACL I created was
access-list 101 permit ip host 192.168.100.2 host 192.168.1.233
access-list 101 permit ip host 192.168.100.3 host 192.168.1.234
access-list 101 deny ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.15.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any

int vlan100
ip access-group 100 out

access-list 102 permit ip host 192.168.1.233 host 192.168.100.2
access-list 102 permit ip host 192.168.1.234 host 192.168.100.3
access-list 102 deny ip 192.168.0.0 0.0.15.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.15.255 any

int vlan1
ip access-group 102 out

After I did this I tried to ping the correct host and got a destination unreachable message back.

When I changed it from outbound to inbound I was able to ping the correct host and got denied by the correct host. Did I create the outbound access-list wrong?
 
If you created access list 101 and applied access list 100 to the interface, you would have had unexpected results.
 
That was a typo.

ip access-group 101 out
 
Ok, so what host did you ping from, and what host did you ping to with this access list applied?
 
I pinged from 100.2 to 1.233 and got destination unreachable.
I pinged from 1.233 to 100.2 and got the same thing.
Then I tried pinging from 1.234 to 100.3 and got destination unreachable.
Then again from 100.3 to 1.234 and got the same thing.

When I applied the ACL inbound the above pings worked.
Then I tried pinging 1.234 from 100.2 and got destination unreachable which I am supposed to get because it wasn't allowed.
Then I tried pinging 100.3 from 1.233 and got destination unreachable which is ok also.
 
I must be missing something. You may want to ask this question over in the router forum. Maybe someone there with more ACL expertise will give you clarification, or even a different answer.
 
Ok, this was really driving me nuts, so I spoke with another network engineer and he has corrected me. You were right to begin with, with your "IN" statement according to him. It still doesn't make sense to me, but there you have it from at least one source that "IN" traffic is what you want to filter. Your test would seem to confirm that, so I'll believe it, but it still doesn't make sense to me...
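To make the "in" vs. "out" question concrete, here is an added example (not code from the thread or from Cisco) that parses a constructed subset of the poster's ACL 101 with IOS wildcard-mask semantics, applies the implicit deny, and models which packets an SVI ACL actually sees in each direction: "in" is traffic arriving from hosts inside the VLAN (source address in the VLAN subnet), "out" is traffic the switch routes into the VLAN (destination in the subnet). The ACL, the sample packets and the `svi_filter` model are assumptions for illustration.

```python
import ipaddress

# Constructed subset of the thread's access-list 101 (same rule order as posted).
ACL_101 = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip host 192.168.1.7 host 192.168.11.66
access-list 101 permit ip 192.168.1.8 0.0.0.7 host 192.168.11.66
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def _matches(spec, addr):
    """Wildcard bit 1 = don't care, so compare only the bits where the wildcard is 0."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered (action, src, dst) entries."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported line: " + line)
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        entries.append((t[2], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def svi_filter(entries, direction, pkt_src, pkt_dst, vlan_net):
    """Assumed model of an SVI ACL: 'in' sees packets sourced inside the VLAN, 'out' sees packets
    destined into it. Returns None when the packet never crosses the SVI in that direction."""
    net = ipaddress.IPv4Network(vlan_net)
    if direction == "in" and ipaddress.IPv4Address(pkt_src) not in net:
        return None
    if direction == "out" and ipaddress.IPv4Address(pkt_dst) not in net:
        return None
    return evaluate(entries, pkt_src, pkt_dst)
```

With the ACL applied "in" on vlan1, a PC at 192.168.1.5 reaching a printer is permitted and reaching a server other than 192.168.11.66 is dropped by the explicit deny; applied "out", every packet entering VLAN1 has a non-192.168.1.x source, matches nothing, and hits the implicit deny, which is the "destination unreachable" the poster saw.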
 
lol. Thanks for your time and effort on this.
 
Certainly. Sorry I wasn't able to point you in the right direction. I certainly didn't deserve a star for that performance. :)
 