Extended ACL - Switch
1x Catalyst 3560.
GUEST VLAN
STAFF VLAN
I have 2 separate VLANS.
Requirement:
Guest Vlan deny access to Staff Vlan. Staff Vlan permit access to Guest Vlan.
Is this setup possible?
Apparently im able to deny access from guest->staff, but not vice versa.
GUEST VLAN
STAFF VLAN
Read the below helpfull info:-
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
HTH>
Similar Messages
-
I have a VoIP / QoS situation I just discovered on the Cat 3560's. In this case, a particular manufacturer's IP Phones do not tag CoS or DSCP. As such, I have defined extended ACL's/Policies on the Cat 3560 switches to detect and mark traffic from the IP Phones. My policies are designed to identify and mark Call Bearer with DSCP 46 and Call Control traffic with DSCP 26 based upon source address and UDP port. What I see however, is that all VoIP traffic is marked at DSCP 46, and nothing is marked at 26. (It's not so bad having control and bearer marked with DSCP EF, but I like to put call control in a different queue when possible.)
I am looking for confirmaton of the following theory. I suspect that the 3560's ((C3560-IPBASEK9-M), Version 12.2(25)SED) are not layer 4 aware, thus extended access lists function only as standard access lists - (even though the switch allows me to create an extended ACL). As such, my attempt to identify call bearer and call signalling based upon UDP port will not work.
Below is the ACL / Policy config. Note that on downstream routers, I only see DSCP 46 and never match DSCP 26 (af31). From the switch, using "sh mls qos interface statistics", I see no traffic with DSCP 26 at all (output attached).
I believe this is because the switch is only reading the layer 3 portion of the ACL. Since both ACL 101 and ACL 102 have the same layer 3 source adress, then all classified traffic will match class "IngressVoiceBearer" and get marked with 46.
access-list 101 remark Voice Bearer Signalling
access-list 101 permit udp 192.168.100.0 0.0.0.255 any eq 5004
access-list 102 remark Call Control Signalling (udp 5440-5445)
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5440
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5441
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5442
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5443
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5444
access-list 102 permit udp 192.168.100.0 0.0.0.255 any eq 5445
class-map match-any IngressCallControlSignalling
match access-group 102
class-map match-any IngressVoiceBearer
description All Inbound Voice Bearer traffic on UDP 5004
match access-group 101
policy-map IngressVoIP
class IngressVoiceBearer
set dscp ef
class IngressCallControlSignalling
set dscp af31
class class-default
set dscp default
Switch Output:
switch#sh mls qos int g0/1 statistics
GigabitEthernet0/1
dscp: outgoing
0 - 4 : 12359302 0 0 0 0
5 - 9 : 0 0 0 0 0
10 - 14 : 0 0 0 0 0
15 - 19 : 0 0 0 0 0
20 - 24 : 0 0 0 0 0
25 - 29 : 0 0 0 0 0
30 - 34 : 0 0 0 0 0
35 - 39 : 0 0 0 0 0
40 - 44 : 0 0 0 0 0
45 - 49 : 0 1837749 0 9716 0
50 - 54 : 0 0 0 0 0
55 - 59 : 0 0 0 0 0
60 - 64 : 0 0 0 0Are the ports correct for the call control ACL? In the Cisco VoIP world we use an ACL like this for call control:
ip access-list extended VOICE-CONTROL
permit tcp any any range 2000 2002
permit tcp any range 2000 2002 any
permit tcp any any range 11000 11999
permit tcp any any range 1718 1720
permit udp any any range 1718 1719
permit udp any any range 2427 2428
permit tcp any any range 2443 2445
permit tcp any any range 5555 5599
But Cisco uses different protocols. Your ACL is configured correctly and the 3560 is supposed to support extended ACLs. Does your 3560 have an enhanced image or a standard image?
Are these Avaya phones? I have had to do software updates on Avaya phones to get them to behave correctly.
-Mark -
Standard and Extended ACLs?
I just want to know that if extended IP access lists can do all tasks, I mean extended access lists have a lot of controlling parameters, then why people use Standard Access lists instead of Extended access lists.
I just want to know that in which scenario we should use STD ACLs instead of EXTD ACLs, what special advantage of using STD over EXTD ACLs,
Please reply.Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
To summarize what the other posters have already noted, the two principle reasons why one might use a standard ACL (which could also be functionally accomplished) by an extended ACL are 1) some commands that rely on ACLs might still only support standard ACLs (more likely in older IOS versions) and 2) a standard ACL might be just a little clearer to understand.
Another (hopefully needless) reason why you might want to use a standard ACL, when an extended ACL would do, could be the device's processing performance might be better with a standard ACL.
Logically the standard ACL ACE:
access-list 10 permit host 1.1.1.1
should be the same as this extended ACL ACE:
permit ip host 1.1.1.1 any
But a "dumb" implementation of processing the extended ACL might wildcard compare the destination IP and other optional parameters while the standard ACL only examines the source IP. Should this happen? No, but such might happen because of different generations of code and/or different teams working on ACL processing.
BTW, if there is a significant performance difference, it's just as possible extended works better.
Again, this is very extreme and unlikely, but this could be a reason to use one form of ACL vs. the other when both can provide the same filtering. (Also, if this is "discovered", it's very likely to be very device and IOS version specific. Personally I would consider taking "advantage" of such a discovery poor practice, except in extreme situations.) -
WAAS: Standard vs Extended ACL's for WCCP Transparent Redirection
I've come across a number of implementations where the ACL's associated with services 61 & 62 are using extended access-list. I am writing with specific reference to wccp configured in promiscuous mode.
Since WCCP will only redirect TCP, and the WAAS solution in general applies only to TCP - then is there really a need for extended acls for redirection?. Furthermore, in a simple implementation you do not need separate acls linked to 61 & 62 - i don't think so.
Standard acls parse the filteration process more quickly than extended.
thanks
AjazThe extended access-lists are used because some TCP traffic does not to be optimized (telnet, BGP, SNMP, ...), or some hosts have compressed traffic for any application and need to be excluded from redirection. Besides that standard access-lists can be used.
-
Extended ACL permit ip and allowed ports
Hi everyone
Need to confirm if we have extended ACL with object group below
access-list xy_access_in extended permit ip object-group xy_subnets object-group cisco_ynetworks
will above ACL allow all the ports on the destination object group?
Thanks
maheshAnd to illustrate the situation above
Situation 1 - Only allow rule exists on the ACL
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
Allow ALL TCP/UDP source and destination ports
Allow those from the source networks of SOURCE to the destination networks of DESTINATION
Situation 2 - Deny rules exist before the allowing rule
object-group network SOURCE
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
object-group network DESTINATION
network-object 10.10.100.0 255.255.255.0
network-object 10.10.200.0 255.255.255.0
access-list SOURCE-IN deny ip host 10.10.10.10 host 10.10.100.100
access-list SOURCE-IN deny tcp host 10.10.10.10 host 10.10.200.200 eq 80
access-list SOURCE-IN permit ip object-group SOURCE object-group DESTINATION
The above ACL would
First block ALL TCP/UDP traffic from host 10.10.10.10 to host 10.10.100.100
It would also block TCP traffic from host 10.10.10.10 to host 10.10.200.200 on the destination port TCP/80
It would then allow ALL TCP/UDP traffic from the source networks of SOURCE to the destination networks of DESTINATION
The key thing to notice ofcourse would be that we have blocked some traffic on the first 2 lines of the ACL and then allowed ALL TCP/UDP traffic.
So host 10.10.10.10 cant communicate with host 10.10.100.100 on any port since the "deny" rule for that is at the top of the ACL BEFORE the rule that allows ALL TCP/UDP traffic between these networks.
In the other case the TCP/80 destination traffic from host 10.10.10.10 to host 10.10.200.200 would be blocked BUT rest of the TCP/UDP traffic would be allowed by the rule using the "object-group"
- Jouni -
I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
ip-access-list extended ACL_TCP
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
permit tcp any any established
Is there a better way to do this? Does this extended ACL work for my purpose?What direction did you apply this? I'm assuming in the inbound direction?
Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
Try the following:
ip access-list ext ACL_TCP
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
Apply to your loopback:
ip access-group ACL_TCP in
Next question:
Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
HTH,
John -
Applying Extended ACL close to Destination
Hi Everyone,
Need to share something here.Mostly we use extended ACL close to the source.
Here is this scenario i need to use the extended ACL close to destination to fix the issue.
Here is info
Server 1 connected to interface X ASA1 it has wan connection to ASA2---ASA2 has connection to ASA3.
Now ASA3 is learning source server IP via its Y interface.
In order to reach the destination server ASA3 has to through its interface Z.
Now there was ACL on ASA3 which denies traffic from source server IP to destination IP on interface Y.
I apply the ACL on ASA3 to allow the traffic and it worked.
Dooes someone elase also has seen this behaviour?
Regards
MaheshHi,
The thing depends on the fact if I understood your setup correctly. If you have traffic flowing through 3 different firewalls to reach its final destination then naturally you have to make sure that each of those firewalls allow that traffic. Even if the first ASA1 allows this connections in its ACL rules it might still be that ASA2 or ASA3 has a configuration that doesnt allow this traffic (like it seemed to be originally in your situation). The fact that ASA1 allowed the connection attempt through itself doesnt mean that it would reach its destination as there are differen firewalls on the way.
Just as an example I could mention one real life setup that I manage.
The setup contains 4 firewalls always (at minimum)
One is customer firewall/vpn device
One is our vpn device
One is our firewall device
One is our partner firewall device
This means essentially that for the Customer to reach the Partner sites servers the traffic has to go through 4 firewalls atleast. Because of the policy chosen we only have to make sure that the Customer and the Partner firewall allows the traffic as Our firewalls dont do any access control (just provide the connectivity between sites)
- Jouni -
Believe it or not, once in a while, i fumble with some basic concepts. Here is one, on our perimeter FW, ASA, there are these NATTING configured.
I just couldnt figure out why they use extended ACL for the sources? isnt the standard one good enough?
thanks in advance,
Han
access-list dmz_nat0_outbound extended permit ip any 1XX.169.0.0 255.255.0.0
access-list dmz_nat0_outbound extended permit ip any 10.48.240.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 10.48.243.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 172.17.13.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound_5 extended permit ip any 192.168.221.0 255.255.255.0
global (Outside) 2 2XX.YY.13.244 netmask 255.255.255.0
global (Outside) 1 2XX.YY.13.12 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_5
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 2 0.0.0.0 0.0.0.0Hi Han,
If you go for the standard ACL then you cannot specify the destination subnets and ports. You can specify only the source and the destination is considered any by default.
standard ACL:
access-list 10 standard permit ip 172.16.0.0
Extended ACL:
access-list abc permit tcp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 80
This is how it differs. In your scenario destination is specific rather the source is any. So you have the extended ACL in picture for that. Hope this clears you.
Please do rate if the given information helps.
By
Karthik -
Extended acl - multiple ports on same acl line
hello
i'm working on a (long) acl and have started looking at putting multiple ports on the same line
e.g.
instead of:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80
permit tcp any host 10.10.10.1 eq 443
i'd use:
ip access-list extended test3
permit tcp any host 10.10.10.1 eq 80 443
its shortening the acl considerably but the question is:
does this method reduce the TCAM resources required (compared to writing the acl in long hand)?
what are the maximum number of ports that can be included on the same line - is it platform/ios dependant?
thanks
andyHello
No. I went ahead with the acl with multiple ports in each ACE and it worked fine. It was deployed on an old WS-C3750G-24PS-E and worked pretty well. When I checked the tcam on the switch I got the following output:
Cisco3750#show platform tcam utilization
CAM Utilization for ASIC# 0 Max Used
Masks/Values Masks/values
IPv4 security aces: 1024/1024 33/33
Note: Allocation of TCAM entries per feature uses
a complex algorithm. The above information is meant
to provide an abstract view of the current TCAM utilization
As there were other ACLs on the switch it was difficult to gauge if the multiple ports per ACE approach to ACLs actually saved any TCAM resources. If you find anything out post back - I'd be interested to hear.
thanks
Andy -
Hi all,
I have configured an acl to control traffic going in/out of an interface via tcp ports. However, after applying the acl to the interface, i find that eventhough ports are allowed, traffic is blocked by the acl.
I suspected that it could be the initial tcp handshake (SYN, SYNACK, ACK etc) is not being allowed (due to the implicit deny). When i included that in the acl, it worked. Is this a necessary step in an acl that controls by tcp port?
Reason is, some of the acl configured with tcp port control has not been configured to allow SYN, ACK etc but it works when some of these ACLs are applied to other interface.Hi,
Thanks for the response. As far as the config of the ACL, it's quite straight forward with the thing i'm trying to achieve. 1.1.1.190 & 1.1.1.192 are Mail servers. The objective is to control both .190 & .192. The config is as below:
interface Vlan2
description For Mail
ip address 1.1.1.129 255.255.255.0
ip access-group 2002 in
end
C6500#sh access-li 2002
Extended IP access list 2002
10 permit icmp any any (272 matches)
20 permit tcp host 1.1.1.0 any syn (10467 matches)
30 permit tcp host 1.1.1.0 any ack (781 matches)
40 permit tcp host 1.1.1.190 eq smtp any
50 permit tcp host 1.1.1.190 eq pop3 any
60 permit tcp host 1.1.1.192 eq smtp any
70 permit tcp host 1.1.1.192 eq pop3 any (4 matches)
80 permit ip host 1.1.1.183 2.2.0.0 0.0.255.255 (19 matches)
When I first created this ACL, without the SYN & ACK configured, users failed to connect to the servers. I personally believe users could connect, but it's the return packets from the servers that might have gotten blocked by the ACL. However, after I added in the SYN & ACK, all went well. I could see counters incrementing for the SYN & ACK as well.
Whereas, some other applications that use some custom ports, ie. 10000, 10001, didn't seem to need the explicit configuration of the SYN/ACKs & the ACL worked well. -
HT202351 extended display & switching videos
I have a MB Air connected to an LCD projector. I want to run a video on one display while at the same time, preparing another video to play a bit later. I hate the idea of the audience "watching the cursor pull the screen over" as I move the finished video off the extended desktop and then move the next video on to the extended desktop. Isn't there another way to use multiple desktops in order to play/show different things at different times?
I tried using multiple desktops and found that none of them showed up on the LCD projected screen.
Then I used the Mirror but everyone could watch me prepare the next video to play! Not good!
So the only option was using the extended desktop. In order to play the video, I had to press Command/Return (at the same time) because pressing the play in Quicktime) would not start the video on the extended desktop. I had to restart the second video from scratch by closing QT after the first one played because the second video would not not play initially.
There has got to be a better/smoother/savvier way to do this.I have a MB Air connected to an LCD projector. I want to run a video on one display while at the same time, preparing another video to play a bit later. I hate the idea of the audience "watching the cursor pull the screen over" as I move the finished video off the extended desktop and then move the next video on to the extended desktop. Isn't there another way to use multiple desktops in order to play/show different things at different times?
I tried using multiple desktops and found that none of them showed up on the LCD projected screen.
Then I used the Mirror but everyone could watch me prepare the next video to play! Not good!
So the only option was using the extended desktop. In order to play the video, I had to press Command/Return (at the same time) because pressing the play in Quicktime) would not start the video on the extended desktop. I had to restart the second video from scratch by closing QT after the first one played because the second video would not not play initially.
There has got to be a better/smoother/savvier way to do this. -
Hi,
I'm having a problem creating an ACL to allow DHCP.
I want to secure a VLAN running across our Cisco wireless network infrastructure to limit access as much as I can.
Restricting access to limited ip addresses and ports is straightforward, but I can't seem to get the ACL correct to allow clients to obtain ip addresses via DHCP.
I seem to remember that the ACL for DHCP was a little odd -this is what I currently have:
permit udp any host 172.16.30.4 log
permit tcp any host 172.16.30.4 log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.27 eq 8080 log
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.82 eq 443 log
deny ip any any (28 matches)
172.16.30.4 is the DHCP server, and I would like to limit this to only the ports required for DHCP, but I haven't specified whilst debugging this problem - my inital config was for ports 67 and 68.
I'm seeing traffic being logged against the deny ip any any, so I know the client is trying to send to the correct network etc.
The IP helper address is configured on the interface and is 172.16.30.4.
Can some one let me know what I'm missing.
Cheers,
SteveHi,
Thanks for the response - I'll try the ACL for DHCP shortly.
With regard to the ACL:
permit tcp 172.16.36.0 0.0.0.255 host 172.16.30.4 eq domain established log
you are correct, that is for DNS.
However, on reflection I believe I will need tcp and udp for this rule as the client device will update DNS dynamically when it obtains an IP address from DHCP and I seem to recall DNS updates require tcp port 53?
Cheers,
Steve -
Hello everyone,
I use ACLs on a daily basis and every now and then I need to insert a remark above a particulare line.
As of today I do the following:
Step 1: Creating a temp. copy of the desired ACL and bind it to the Interface to ensure functionality while editing the original ACL
Step 2: Delete the original ACL and then recreate it with the added line(s)
Step 3: Bind the newly created ACL to the Interface, delete the temp. created ACL
Is there a way similar to include new lines by useing the sequence numbers to insert a remark above a specific line?
thanks in advance
MarcelHi Marcel
you didn't mentioning about what kind of device (model, firmware/ios version) you are writing.
ACL's can be done on variety of devices with very different forms of configuration, moreover you are writing inside Small Business section of this forum (related to specified group devices without using IOS software). -
We have adjusted our ACL and removed permitting tcp any any gt 1023 and replaced it with the any any established command but this broke ftp. The ACL is applied out on the ethernet interface into the local network. How do I securely add FTP?
permit tcp any any establishedMaybe this link should help.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml
Also what we do is define a range of ports for passive ftp. For example 6000 to 6100.
So instead you use
access-list 100 permit tcp any host 192.168.1.100 gt 1023
You should use
access-list 100 permit tcp any host 192.168.1.100 range 6000 6100
But, in my opinion, from the server's view, active FTP is more secure than passive.
Hope this helps -
I am stuck. Extended ACL issues
I been at this for a long time and I simply do not know what this practice lab wants. I mean I think I input the correct information but the % does not go up.
Says for my ACL's I'm supposed to
Allow telnet to R1 and R3 from R2 only
Do not allow HTTP, Telnet, and FTP traffic from the Internet to PC1.
Do not allow PC1 to receive traffic from the 10.0.0.128/25 network.
I emplemented many ACL's and tried various things but nothing is working form me.
PC1 address is - 10.0.0.10 /25 its part of the 10.0.0.0/25 network. (Pc1 is connected to R1)
R1 is connected to R2 and R3.
The R1 connection to R2 is on S0/0/0 172.16.0.1 255.255.255.252
R1 to R3 connection is going through S0/1/0 172.16.0.9 255.255.255.252
R2 is connected to R1 via S0/0/0 interface with the IP address 172.16.0.2 /30 (255.255.255.252)
R2's s0/0/1 is connected to R3 with the ip address of 172.16.0.5 255.255.255.252
R3 is connected to R1 via S0/0/0 ip address 172.16.0.10 255.255.255.252
Pc3 is connected to R3 with an ip of 10.0.0.139 255.255.128 (This is part of the 10.0.0.128/25 network
R3's connection to R2 is on S0/0/1 with the ip address of 172.16.0.6 255.255.252
The network from R1 to R2 is 172.16.0.0/30
the Network from R1 to R3 is 172.16.0.8/30
the Network from R2 to R3 is 172.16.0.4/30
The Loopback on R2 is 209.165.200.161/27
If anyone can help me I would greatly appreciate it. I am just so lost atm =/Are you running a routing protocol? OSPF, EIGRP, RIP?
What "%" are you talking about, and what's not working for you exactly?
Can we get a drawing of you topology?
HTH,
John
Maybe you are looking for
-
Well you see, I just got this new Ipod 5G that I really wanted but something went wrong when I tried to sync it with Itunes. It said that the ipod needed 10.7 Itunes but clearly I had not so late version 10.6.3. And I can't update my itunes because i
-
File locking with OSX Server & Microsoft Word
We have a small office LAN based on a Airport Extreme bases station. Periodically Microsoft Word reports a break in connection to the shared folder where we store documents to get disconnected. When that happens and the user reconnects to the share,
-
HElp with my search forSIRI. Do I have it on my model? Can I get it? RAy
-
How do I enlarge font in toolbars?
I have a visiion problem and suddenly all the font toolbars and icons decreased. There used to be a plae in System Prefs called Appearance where I could change it but it is not there now. I downloaded a Safari updaate recently....is this what caus
-
My Trips and Expenses - refresh all tabs?
In ESS, when i go to Iview- My Trips and Expenses, only the first tab- All my trips is refreshed. There are 3 other tabs which don't refresh and the header in these tabs show incorrect number of receipts. Afetr i click on these individual tabs then t