Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Router ACL's
- Thread starter pbxnkey
- Start date
A lil more detail...
1. From where to where w/description so we can have some sort of diagram
2. sh run of the router in which you built the acls
3. sh run of others possibly involved
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
1. From where to where w/description so we can have some sort of diagram
2. sh run of the router in which you built the acls
3. sh run of others possibly involved
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
- Thread starter
- #3
Router Config:
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.0.31.250 255.255.255.0
ip address 192.168.31.1 255.255.255.0 secondary
ip access-group 151 in
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.16.31.1 255.255.255.0
ip access-group 152 in
access-list 151 permit ip 10.0.31.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.205
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.136
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.240
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 192.168.31.1
access-list 151 permit ip 10.0.31.0 0.0.0.255 host 10.0.31.1
access-list 151 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 151 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 151 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 151 permit ip any any
access-list 152 permit ip 172.16.31.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 152 permit ip 172.16.31.0 0.0.0.255 host 172.16.31.1
access-list 152 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 152 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 152 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 152 permit ip any any
When I do my tests I have 2 laptops connected to a layer 2 managed switch. Each laptop is in a separate vlan based on the router config.
So one laptop in the 172.16.31.0 subnet and one in the 10.0.31.0 subnet. When I ping between the 2 subnets the 4 pings packets can be Request timed out or Destination Net Unreachable. It varies with the 4 packets. Sometimes it's 4 packets of Dest Net Unreachable.
Here's a sample:
C:\Windows\system32>ping 10.0.31.50
Pinging 10.0.31.50 with 32 bytes of data:
Request timed out.
Reply from 172.16.31.1: Destination net unreachable.
Request timed out.
Reply from 172.16.31.1: Destination net unreachable.
Ping statistics for 10.0.31.50:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Thanks
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.0.31.250 255.255.255.0
ip address 192.168.31.1 255.255.255.0 secondary
ip access-group 151 in
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 172.16.31.1 255.255.255.0
ip access-group 152 in
access-list 151 permit ip 10.0.31.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.205
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.136
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 10.0.0.240
access-list 151 permit ip 192.168.31.0 0.0.0.255 host 192.168.31.1
access-list 151 permit ip 10.0.31.0 0.0.0.255 host 10.0.31.1
access-list 151 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 151 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 151 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 151 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 151 permit ip any any
access-list 152 permit ip 172.16.31.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 152 permit ip 172.16.31.0 0.0.0.255 host 172.16.31.1
access-list 152 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 152 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 152 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 152 permit ip any any
When I do my tests I have 2 laptops connected to a layer 2 managed switch. Each laptop is in a separate vlan based on the router config.
So one laptop in the 172.16.31.0 subnet and one in the 10.0.31.0 subnet. When I ping between the 2 subnets the 4 pings packets can be Request timed out or Destination Net Unreachable. It varies with the 4 packets. Sometimes it's 4 packets of Dest Net Unreachable.
Here's a sample:
C:\Windows\system32>ping 10.0.31.50
Pinging 10.0.31.50 with 32 bytes of data:
Request timed out.
Reply from 172.16.31.1: Destination net unreachable.
Request timed out.
Reply from 172.16.31.1: Destination net unreachable.
Ping statistics for 10.0.31.50:
Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
Thanks
access-list 152 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
is blocking that particular ping. If you want the subnets to access eachother...
access-list 151 (ACE number to edit a single line) permit ip 10.0.31.0 0.0.0.255 172.16.31.0 0.0.0.255
and a line for acl 152...permit ip 172.16.31.0 0.0.0.255 10.0.31.0 0.0.0.255
post a sh access-l and I will show you exactly how to edit/add/delete single ACEs from a given ACL
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
is blocking that particular ping. If you want the subnets to access eachother...
access-list 151 (ACE number to edit a single line) permit ip 10.0.31.0 0.0.0.255 172.16.31.0 0.0.0.255
and a line for acl 152...permit ip 172.16.31.0 0.0.0.255 10.0.31.0 0.0.0.255
post a sh access-l and I will show you exactly how to edit/add/delete single ACEs from a given ACL
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
- Thread starter
- #5
Not sure without more info...could be that because of some static or something, it could be trying to go out to your secondary IP on vlan1...why the secondary IP anyway, and not another subint? Just curious...
Is it consistent, like every other message is either dest net unreachable and timed out?
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
Is it consistent, like every other message is either dest net unreachable and timed out?
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
I mean to see if ICMP is behaving correctly and you don't have some weird little routing problem, you could open those up for successful pings all the way through and see if you get 50% or 100% then. That experiment will tell you definitively
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
- Thread starter
- #8
- Thread starter
- #9
I would!
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
- Thread starter
- #12
Current configuration : 8590 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5
enable password 7
!
username admin password 7
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name
!
no setup express
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0/1
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/6
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/7
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/8
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/9
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/10
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/11
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/12
description ***** Connection to Local_Site_Network *****
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/13
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb03.7eb2 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/14
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb00.65c7 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/15
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.4ecf vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/16
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/17
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.505d vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/18
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.7281 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/19
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb00.c4ea vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/20
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5300.b201 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/21
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5320.467f vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/22
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5300.012e vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/23
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0800.5300.012f vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/24
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky d4be.d99f.53a0 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
description ***** Connection to POS_Network *****
switchport access vlan 2
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0090.fb06.4fc6 vlan access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
description ***** Connection to Router *****
switchport trunk allowed vlan 1,2
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan1
ip address 10.0.6.235 255.255.255.0
!
interface Vlan2
no ip address
!
ip default-gateway 10.0.6.1
ip http server
ip http secure-server
access-list 11 permit 10.0.0.0 0.0.0.255
access-list 11 permit 10.0.6.0 0.0.0.255
no cdp run
no cdp tlv location
no cdp tlv app
!
line con 0
logging synchronous
line vty 0 4
session-timeout 30
access-class 11 in
logging synchronous
transport input telnet ssh
line vty 5 15
session-timeout 30
access-class 11 in
logging synchronous
transport input telnet ssh
!
end
Hi,
Okay, you have port security enabled on some interfaces, lets eliminate that first.
Could you move the endpoint devices to ports that have no port security on them and see what happens.
Also, could you post a running config of the router, let have look at the routing table.
-Viconsul
Okay, you have port security enabled on some interfaces, lets eliminate that first.
Could you move the endpoint devices to ports that have no port security on them and see what happens.
Also, could you post a running config of the router, let have look at the routing table.
-Viconsul
- Status