December 23rd, 2003 12:00

3348 ACL problems

I just tried some of the 3348's ACL functions and got some strange problems... maybe one of you can help me with that (I restarted the switch after every test (factory defaults)).


acltest1: Deny all traffic to IP 192.168.0.1 and permit any other traffic
configure
ip access-list acltest1
deny any 192.168.0.1 255.255.255.255 any
permit any any any
exit
interface vlan 1
service-acl input acltest1
--> Can't apply test1 to vlan 1, due to lack of HW resources


acltest2: Deny ICMP traffic to IP 192.168.0.1 and permit any other traffic
configure
ip access-list acltest2
deny ICMP any 192.168.0.1 255.255.255.255
permit any any any
exit
interface vlan 1
service-acl input acltest2
--> No error message, but PINGs to any IP stop. The switch also does not respond to PINGs (I set an IP address on VLAN 1 before the test). Other traffic (e.g. switch web management) is forwarded.


acltest3: Deny any FTP traffic and permit any other traffic
configure
ip access-list acltest3
deny-tcp any any any 21
permit any any any
exit
interface vlan 1
service-acl input acltest3
--> works fine


Does anyone know what I should change to make the first two tests (acltest1 and acltest2) work?

December 23rd, 2003 12:00

This one looks to be pretty simple.  The wildcard mask is incorrect for both acltest1 and acltest2, and is instead telling the switch to block any traffic entering the switch destined for any IP address - which is why you got the HW resource error for acltest1.  Acltest2 didn't give an error because you weren't trying to block everything, just ICMP traffic. 

Instead of using 255.255.255.255 to specify the host 192.168.0.1, you need to use 0.0.0.0 for the mask.

Here's what the two ACLs should look like:

acltest1:
configure
ip access-list acltest1
deny any 192.168.0.1 0.0.0.0 any
permit any any any
exit
interface vlan 1
service-acl input acltest1

acltest2:
configure
ip access-list acltest2
deny ICMP any 192.168.0.1 0.0.0.0
permit any any any
exit
interface vlan 1
service-acl input acltest2


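To see why the posted acltest2 kills every ping while the corrected one only blocks 192.168.0.1, here is a small wildcard-mask matcher that evaluates both rule sets against a few constructed packets. This is an added illustration, not part of the thread and not the switch's own code; it assumes the 3348 interprets the mask the way the reply describes (a 0 bit must match, a 1 bit is "don't care"), and the packet addresses are made up.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits the mask says we must compare
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str          # "deny" or "permit"
    proto: str           # "any" or a protocol name such as "icmp"
    src: tuple           # (base address, wildcard mask)
    dst: tuple           # (base address, wildcard mask)

ANY = ("0.0.0.0", "255.255.255.255")   # the "any" keyword: every bit ignored

def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """First matching rule wins; an ACL with no match ends in an implicit deny."""
    for r in acl:
        if r.proto != "any" and r.proto != proto:
            continue
        if not (wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst)):
            continue
        return r.action
    return "deny"

# acltest2 as posted: mask 255.255.255.255 ignores every bit of 192.168.0.1,
# so the deny line matches ICMP to *any* destination.
ACLTEST2_AS_POSTED = [
    Rule("deny", "icmp", ANY, ("192.168.0.1", "255.255.255.255")),
    Rule("permit", "any", ANY, ANY),
]

# acltest2 as corrected in the reply: mask 0.0.0.0 pins every bit of the host.
ACLTEST2_FIXED = [
    Rule("deny", "icmp", ANY, ("192.168.0.1", "0.0.0.0")),
    Rule("permit", "any", ANY, ANY),
]

if __name__ == "__main__":
    # Constructed sample packets (protocol, source, destination).
    for pkt in [("icmp", "10.0.0.5", "10.0.0.9"),
                ("icmp", "10.0.0.5", "192.168.0.1"),
                ("tcp", "10.0.0.5", "10.0.0.9")]:
        print(pkt, "posted:", evaluate(ACLTEST2_AS_POSTED, *pkt),
              "fixed:", evaluate(ACLTEST2_FIXED, *pkt))
```

The same mask logic explains acltest1: with every bit ignored and protocol "any", the deny line matches all traffic, which is the rule the switch refused to install.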
December 23rd, 2003 12:00

Thx for the fast answer! I'll try that.

BTW: the manual refers to a "class-map" command ("Assigning ACL Membership Using the CLI Commands") but I can't find that command on the switch. Is that a mistake in the manual, or am I the mistake again?

December 23rd, 2003 13:00

No, that one looks like it's a typo.  I'll contact the group that manages the documentation, and bring it to their attention.

Let me know if those changes work for the test ACLs you're creating.
