132 Posts

January 4th, 2005 11:00

Where are you applying the ACL? The rules will only be applicable to ingress traffic. If this ACL is bound to the interface that the laptop is connected to (physical or virtual), then your configuration should perform as expected.

1 Rookie


13 Posts

January 4th, 2005 14:00

I apply the ACL to the port where the [dest ip] server is attached.   (Laptop and server are both attached to the 3324)

Message Edited by lucasnodine on 01-04-2005 10:30 AM

Message Edited by lucasnodine on 01-04-2005 10:31 AM

1 Rookie


13 Posts

January 4th, 2005 15:00

After further reviewing this issue, I noticed that if I create a rule series such as

deny any [source ip] 0.0.0.0 [dest. ip] 0.0.0.0

permit any any any

then put that on an Ethernet port, it will not work; however, if I bind it to the VLAN (contains all ports) then it will work. Perhaps it has something to do with being bound to a physical port on the switch?

132 Posts

January 4th, 2005 17:00

It would be expected that you are able to communicate with your laptop if the initial ACL is applied to the server interface.
Explanation:
The ACL is only applied to traffic as it enters the interface the ACL is bound to. For instance, given your rules and the interface the ACL is bound to:
Your initial rule - permit any [server1 ip] 0.0.0.0 [dest ip] 0.0.0.0 - allows server1 to communicate with the specified address (dest ip).

The second rule - permit any [server2 ip] 0.0.0.0 [dest ip] 0.0.0.0 - allows server2 to communicate with the specified address (dest ip).

The third rule - denies all other communication.

With this in mind, if the ACL is bound to the physical interface the server is attached to, then the ACL will not be applicable to the laptop interface. If you were to apply this ACL to the VLAN, then only server1 and server2 would be able to communicate with the specified destination IP addresses, and no other communication would be permitted.

Considering your second ACL:
The initial rule - deny any [source ip] 0.0.0.0 [dest. ip] 0.0.0.0 - indicates to deny any traffic from a specific source to a specific destination.

The second rule - permit any any any - allows any and all other communication.

ACL Entries (ACEs) are applied starting with the first rule, then continuing in sequential order. Your statement denies traffic from [source ip] to [dest. ip], then allows all other communication. If the ACL is bound to the [source ip] interface (physical or virtual), then it should perform as expected. However, if the ACL is bound to the [dest. ip] interface (physical), then the results will not be as expected.
Explanation:
As ACLs are applied to traffic as it physically enters the switch, you must consider the flow of traffic to correctly apply your ACLs and correctly enter the necessary ACEs. If you apply your second ACL to the physical interface the [source ip] is attached to, your results should be as expected. If the rule is applied to the interface the [dest. ip] is attached to, then your results may vary. The reason is that if the ACL is bound to the [dest. ip] interface, then traffic that enters the interface will have a different (source) IP address than is specified in the ACL. In this instance, the ACL will not be applied as there is not a match. Thus, communication will be established, as the rule - permit any any any - allows this communication.

Applying the ACL to the VLAN is equivalent (in this case) to applying the ACL to the physical interface [source ip] is attached to.

Message Edited by DELL-Randy on 01-04-2005 02:13 PM

1 Rookie


13 Posts

January 5th, 2005 17:00

Wow, thank you. That is the best answer I have ever had from any computer company related to a technical issue, ever.

Thank you!

12 Posts

March 31st, 2005 17:00

I am having problems with what appears to be a simple access list. I want to permit all traffic to and from each host on the same subnet and then restrict all other traffic based on protocol.
 
The following access-list is applied to VLAN401 and each device is assigned to VLAN401
 
ip access-list 401ACL
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 
When I apply the ACL to the VLAN, all traffic is blocked between the hosts on the VLAN.
 
For instance 192.168.1.10 can no longer communicate with 192.168.1.11
 
What am I doing wrong?
 
 

12 Posts

March 31st, 2005 17:00

DOH! Sorry I am used to Cisco access-lists
 
This works
permit any 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 
Thanks!
 
Do you ever feel like you're talking to yourself?
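The following is an added simulation, not code from the thread or from the switch vendor, that models the two behaviours explained above: DELL-Randy's point that an ACL filters only traffic entering the port or VLAN it is bound to (so a "deny [source ip] -> [dest ip]" rule bound to the destination host's port never sees a matching source address), and the later 401ACL post, where a single permit for 192.168.1.0 0.0.0.255 to itself bound to the VLAN allows intra-subnet traffic while the implicit deny drops everything else. The port names (e1, e2, vlan1) and the host addresses 192.168.1.10 / 192.168.1.20 are constructed for the example; the ACE format (action, any, source, wildcard, destination, wildcard) follows the rules quoted in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample topology (not from the thread): laptop on port e1,
# server on port e2, both members of VLAN 1 on the same switch.
LAPTOP_IP, LAPTOP_PORT = "192.168.1.10", "e1"
SERVER_IP, SERVER_PORT = "192.168.1.20", "e2"
VLAN = "vlan1"
PORTS_IN_VLAN = {"e1": VLAN, "e2": VLAN}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


@dataclass(frozen=True)
class Ace:
    """One access-list entry: <action> any <src> <src-wildcard> <dst> <dst-wildcard>."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))


ANY = ("0.0.0.0", "255.255.255.255")


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """ACEs are tried in order; the first match decides. No match = implicit deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


class Switch:
    """ACLs filter ingress only: a frame is checked against the ACL bound to the
    port it arrives on, then against the ACL bound to that port's VLAN."""

    def __init__(self) -> None:
        self.bindings: Dict[str, List[Ace]] = {}

    def bind(self, target: str, acl: List[Ace]) -> None:
        self.bindings[target] = acl

    def ingress(self, port: str, src: str, dst: str) -> str:
        for target in (port, PORTS_IN_VLAN[port]):
            acl = self.bindings.get(target)
            if acl is not None and evaluate(acl, src, dst) == "deny":
                return "deny"
        return "permit"


def can_talk(sw: Switch, a_port: str, a_ip: str, b_port: str, b_ip: str) -> bool:
    """A's request enters on A's port; B's reply enters on B's port.
    The conversation works only if both directions are permitted."""
    request = sw.ingress(a_port, a_ip, b_ip)
    reply = sw.ingress(b_port, b_ip, a_ip)
    return request == "permit" and reply == "permit"


# The second ACL from the thread: deny laptop -> server, then permit everything else.
DENY_LAPTOP_TO_SERVER = [
    Ace("deny", LAPTOP_IP, "0.0.0.0", SERVER_IP, "0.0.0.0"),
    Ace("permit", *ANY, *ANY),
]

# The working 401ACL from the later post: permit only 192.168.1.0/24 to itself.
SUBNET_ONLY = [Ace("permit", "192.168.1.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]


def laptop_reaches_server(bind_to: str) -> bool:
    """Bind DENY_LAPTOP_TO_SERVER to the given port or VLAN, then test laptop -> server."""
    sw = Switch()
    sw.bind(bind_to, DENY_LAPTOP_TO_SERVER)
    return can_talk(sw, LAPTOP_PORT, LAPTOP_IP, SERVER_PORT, SERVER_IP)


def subnet_acl_result(src: str, dst: str) -> str:
    """Bind SUBNET_ONLY to the VLAN and evaluate one frame entering on e1."""
    sw = Switch()
    sw.bind(VLAN, SUBNET_ONLY)
    return sw.ingress(LAPTOP_PORT, src, dst)


if __name__ == "__main__":
    print("deny bound to server port:", laptop_reaches_server(SERVER_PORT))  # True
    print("deny bound to laptop port:", laptop_reaches_server(LAPTOP_PORT))  # False
    print("deny bound to VLAN:       ", laptop_reaches_server(VLAN))         # False
    print("same subnet:", subnet_acl_result("192.168.1.10", "192.168.1.11"))  # permit
    print("off subnet: ", subnet_acl_result("192.168.1.10", "10.0.0.5"))      # deny
```

The first case reproduces the behaviour lucasnodine observed: with the deny rule bound to the server's port, the only traffic that port ever inspects has the server as its source, so the deny ACE cannot match and "permit any any any" lets the reply through. Bound to the laptop's port or to the VLAN, the laptop's own request is the frame being filtered, and the deny takes effect.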