SFE2000 IP Access List is locking up the switch

Hi, i'm using brand new 1 X SFE2000, 1 X RV082 as router and 2 X  WAP2000 with linksys power injectors in my network. I would like to have 3 VLANs. first one would be a management vlan, second an admin vlan and the last one a customer vlan. management would be used for computer tech to manage the equipment. the admin Vlan would be used for all the employees, the AD win2k8 server will be on this vlan too. the customer vlan would be used only to get to the internet. VLan 1 would speak to 2 and 3, but 2 and 3 would not speak to each other. I will relay the AD DHCP server on the 3 vlan. The switch is on layer 3 protocol.
Here is my problem, as soon as i activate the IP access list, the switch is locking up and the only way i can get it to work is to go back to a previous saved config without IP access list activated. i'm activating IP access list with all access to any vlan...and still the same problem... MAC access list is working perfectly.
i'm having the latest firmware...
any advice would be welcome !
thanks alot !

I did not change my native/management VLAN. This is not supported. My default gateway is 192.168.11.253. My VLAN 1 is 192.168.11.0/24, VLAN 2 is 192.168.12.254, VLAN 3 is 192.168.3.254. Configured interfaces are e2-5. Do NOT attempt to use ANY/protocol type 255 on the interface. ACL/ACEs are as follows:
permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
Or the whole config (default login. also attached)
interface range ethernet e(2-4) switchport mode access exit vlan database vlan 1-3 exit interface ethernet e2 switchport access vlan 1 exit interface ethernet e5 switchport trunk native vlan 1 exit interface ethernet e3 switchport access vlan 2 exit interface ethernet e5 switchport trunk allowed vlan add 2 exit interface ethernet e4 switchport access vlan 3 exit interface ethernet e5 switchport trunk allowed vlan add 3 exit interface vlan 1 ip address 192.168.11.254 255.255.255.0 exit interface vlan 2 ip address 192.168.12.254 255.255.255.0 exit interface vlan 3 ip address 192.168.3.254 255.255.255.0 exit interface vlan 100 ip address 192.168.1.254 255.255.255.0 exit ip route 0.0.0.0 0.0.0.0 192.168.11.253 ip access-list ACL1 permit ip 192.168.3.0 0.0.0.255 192.168.11.253 0.0.0.0 permit ip 192.168.11.0 0.0.0.255 any permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 exit interface ethernet e2 service-acl input ACL1 exit interface ethernet e3 service-acl input ACL1 exit interface ethernet e4 service-acl input ACL1 exit interface ethernet e5 service-acl input ACL1 exit username L1_admin password dcdf2920272f76e823f0633b329881df level 15 encrypted username admin password d41d8cd98f00b204e9800998ecf8427e level 15 encrypted

Similar Messages

  • Access-list in Cisco 3560 Series Switch

    Guys,
    I will be implementing access-lists in 3560 switch. Hope you can help me with the configuration. I'm planning to block all ports by default and only allow ports that the user need to access. The ports will be as follows, tcp - 80, 81, 8080, 25, 110, 143. For udp - 23 and port used by IP Phone.
    Hope you can help me guys.
    Thanks,
    John

    and then dont forget to call this access-list on the interface or vlan you want to apply it.
    You can use a number for the ACL > 100 or a name as indicated earlier.
    If you go with just a number :
    access-list 100 permit tcp any any eq 80 81 ...
    access-list 100 permit udp any any eq 23
    int g1/0/1
    ip access-group NAME in
    OR
    ip access-group 100 in
    As for example :
    NMS-3750-A(config-if)#ip acc
    NMS-3750-A(config-if)#ip access-group ?
    <1-199> IP access list (standard or extended)
    <1300-2699> IP expanded access list (standard or extended)
    WORD Access-list name

  • TCAM and Access Lists

    Hi
    I am getting myself confused with the TCAM tables and access-lists. From reading the switching book I can see that the access-lists are compiled into the TCAM. What is confusing me is how a switch does a lookup in parallel when the access lists are written in a specific order. You can't parallel something which has to be done in sequence.
    Am I just misreading this part and the author means that each statement is looked up in a parallel table lookup, in serial order?
    Also how do we achieve the parrallelism, is there a multiprocessor asic doing something weird and wonderful in there with parallel code like OCCAM? (showing my age there :) )

    Hi Carl,
    As i mentioned eariler, we could say CBAC is a kind of Access list.
    Access list is just filtering some prefixes/ports. CBAC is the additional feature over ACL. We make use of the ACL in CBAC to inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions.
    Just go thro. this link for both ACL and CBAC,
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#cbac
    Rgs,
    Balaji. V

  • A possible bug related to the Cisco ASA "show access-list"?

    We encountered a strange problem in our ASA configuration.
    In the "show running-config":
    access-list inside_access_in remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log
    access-list inside_access_in remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq www log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq https log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log
    access-list inside_access_in extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log
    access-list inside_access_in remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in extended permit tcp object 172.31.254.2 any eq domain log
    access-list inside_access_in extended permit udp object 172.31.254.2 any eq domain log
    access-list inside_access_in remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in extended permit ip object 172.31.254.2 any log
    access-list inside_access_in remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log
    access-list inside_access_in remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log
    access-list inside_access_in remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in extended permit ip object windowsusageVM any log
    access-list inside_access_in extended permit ip any object testCSM-object
    access-list inside_access_in extended permit ip 172.31.254.0 255.255.255.0 any log
    access-list inside_access_in remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in extended permit ip host 172.31.254.2 any log
    access-list inside_access_in remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in extended permit tcp host 192.168.20.95 any eq www log
    In the "show access-list":
    access-list inside_access_in line 1 remark CM000067 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:http_access
    access-list inside_access_in line 2 remark CM000458 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:https_access
    access-list inside_access_in line 3 remark test 11111111111111111111111111 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 4 extended permit tcp host 1.1.1.1 host 192.168.20.86 eq 81 log informational interval 300 (hitcnt=0) 0x0a                                                           3bacc1
    access-list inside_access_in line 5 remark CM000260 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-dgm
    access-list inside_access_in line 6 remark CM006598 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ns
    access-list inside_access_in line 7 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:netbios-ssn
    access-list inside_access_in line 8 remark CM000223 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:tcp/445
    access-list inside_access_in line 9 extended permit tcp 172.31.254.0 255.255.255.0 any eq www log informational interval 300 (hitcnt=0) 0x06                                                           85254a
    access-list inside_access_in line 10 extended permit tcp 172.31.254.0 255.255.255.0 any eq https log informational interval 300 (hitcnt=0) 0                                                           x7e7ca5a7
    access-list inside_access_in line 11 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-dgm log informational interval 300 (hitcn                                                           t=0) 0x02a111af
    access-list inside_access_in line 12 extended permit udp 172.31.254.0 255.255.255.0 any eq netbios-ns log informational interval 300 (hitcnt                                                           =0) 0x19244261
    access-list inside_access_in line 13 extended permit tcp 172.31.254.0 255.255.255.0 any eq netbios-ssn log informational interval 300 (hitcn                                                           t=0) 0x0dbff051
    access-list inside_access_in line 14 extended permit tcp 172.31.254.0 255.255.255.0 any eq 445 log informational interval 300 (hitcnt=0) 0x7                                                           b798b0e
    access-list inside_access_in line 15 remark CM000280 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:domain
    access-list inside_access_in line 16 extended permit tcp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
      access-list inside_access_in line 16 extended permit tcp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0x6c416                                                           81b
    access-list inside_access_in line 17 extended permit udp object 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
      access-list inside_access_in line 17 extended permit udp host 172.31.254.2 any eq domain log informational interval 300 (hitcnt=0) 0xc53bf                                                           227
    access-list inside_access_in line 18 remark CM000220 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:catch_all
    access-list inside_access_in line 19 extended permit ip object 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
      access-list inside_access_in line 19 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xd063707c
    access-list inside_access_in line 20 remark CM0000086 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:SSH_internal
    access-list inside_access_in line 21 extended permit tcp 172.31.254.0 255.255.255.0 interface inside eq ssh log informational interval 300 (hitcnt=0) 0x4951b794
    access-list inside_access_in line 22 remark CM0000011 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    access-list inside_access_in line 23 extended permit object TCPPortRange 172.31.254.0 255.255.255.0 host 192.168.20.91 log informational interval 300 (hitcnt=0) 0x441e6d68
      access-list inside_access_in line 23 extended permit tcp 172.31.254.0 255.255.255.0 host 192.168.20.91 range ftp smtp log informational interval 300 (hitcnt=0) 0x441e6d68
    access-list inside_access_in line 24 remark CM0000012 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:FTP
    access-list inside_access_in line 25 extended permit tcp object inside_range range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 0xe848acd5
      access-list inside_access_in line 25 extended permit tcp range 12.89.235.2 12.89.235.5 range 1024 45000 host 192.168.20.91 eq ftp log informational interval 300 (hitcnt=0) 0xe848acd5
    access-list inside_access_in line 26 extended permit ip 192.168.20.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xb6c1be37
    access-list inside_access_in line 27 remark CM0000014 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:DropIP
    access-list inside_access_in line 28 extended permit ip object windowsusageVM any log informational interval 300 (hitcnt=0) 0x22170368
      access-list inside_access_in line 28 extended permit ip host 172.31.254.250 any log informational interval 300 (hitcnt=0) 0x22170368
    access-list inside_access_in line 29 extended permit ip any object testCSM-object (hitcnt=0) 0xa3fcb334
      access-list inside_access_in line 29 extended permit ip any host 255.255.255.255 (hitcnt=0) 0xa3fcb334
    access-list inside_access_in line 30 extended permit ip 172.31.254.0 255.255.255.0 any log informational interval 300 (hitcnt=0) 0xe361b6ed
    access-list inside_access_in line 31 remark CM0000065 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:IP
    access-list inside_access_in line 32 extended permit ip host 172.31.254.2 any log informational interval 300 (hitcnt=0) 0xed7670e1
    access-list inside_access_in line 33 remark CM0000658 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security
    access-list inside_access_in line 34 extended permit tcp host 192.168.20.95 any eq www log informational interval 300 (hitcnt=0) 0x8d07d70b
    There is a comment in the running config: (line 26)
    access-list inside_access_in remark CM0000088 EXP:1/16/2014 OWN:IT_Security BZU:Network_Security JST:PortRange
    This comment is missing in "show access-list". So in the access list, for all the lines after this comment, the line number is no longer correct. This causes problem when we try to use line number to insert a new rule.
    Has anybody seen this problem before? Is this a known problem? I am glad to provide more information if needed.
    Thanks in advance.
    show version:
    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.1(3)
    Compiled on Thu 14-Jun-12 11:20 by builders
    System image file is "disk0:/asa844-1-k8.bin"
    Config file at boot was "startup-config"
    fmciscoasa up 1 hour 56 mins
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

    Could be related to the following bug:
    CSCtq12090: ACL remark line is missing when range object is configured in ACL
    Fixed in 8.4(6), so update to a newer version and observe it again.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Avpair on the end of access-list

    Hello,
    It is possible, on router web authentication (or proxy authentication), to add the avpairs received from a radius server (the aaa), on the end of the access-list, instead of on the beggining?
    Tanks.
    Pisco
    Universidade do Algarve
    Portugal

    Thanks to Frank and Kevin
    Kevin
    Let me see if i got it.
    When i create the 2 LOV through a query, you said i should use a bind variable in the where clause of that query and the value of that variable would be the value selected of the first LOV, right? Then, How and where can i set an automatic refresh to yes?
    In order to do query, i still need to have the information needed (country, states, cities) stored on a table? if not, what other way i can get the information and populate the lists?
    Frank,
    i guess i should detect a list change with the trigger when-list-changed. Am i right?
    I still have to stored all the information eithr on a database or on a record group, am i right?
    Which would be a better way to do it?
    Thanks

  • How to create a Access list on core switch to bloxk all Internet Traffic & allow some specific Internet Traffic

    Hellp Everyone,
    I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website & block the rest of them.
    I want to allow the whole Intranet but few intranet websites also needs access to the internet.
    Can we create such Access-List with the above requirement.
    I tried to create the ACL on the switch but it blocks the whole internet access.
    i want to do it for a subnet not for a specific IP.
    Can someone help me in creating such access list.
    Thanks in Advance

    The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.
    In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.
    The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).
    You would then use them as follows:
    ip access-list extended main_acl
    permit any object-group intranet any
    permit object-group allowed_servers object-group allowed_sites any
    interface vlan
    ip access-group main_acl in
    More details on the syntax and examples can be found here:
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We´ve a 10G interface, this is a MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is through a policy-map TK-MPLS_TG we make a shape of 2G to the interface to the output:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we´ve the policy TK-MPLS_EDGE-WAN as a service-policy inside, this new policy  help us to asign bandwidth percent to 5 class-map, wich in turn match with experimental values classified when they got in to the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    what we want to do is to assign a especific bandwidth to the proxy to the output using the class W_AVAIL, the proxy is 150.2.1.100. We´ve an additional requirement, wich is not apply this "rate" to some networks we are going to list only 4 in the example, so what we did was a new policy-map with a new class-map and a new ACL :
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    we asign a policy rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any  kind of help is very appreciated.

    That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
    unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    if you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-me
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <dont do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    eventhough the permit and deny may be overlapping in terms of match.
    only the first class is matched here, DENY-ME.
    cheers!
    xander

  • Cisco ISE and WLC Access-List Design/Scalability

    Hi,
    I have a scenario whereby wireless clients are authenticated by the ISE and different ACLs are applied to it based on the rules on ISE. The problem I seems to be seeing is due to the limitation on the Cisco WLC which limit only 64 access-list entries. As the setup has only a few SVI/interfaces and multiple different access-lists are applied to the same interface base on the user groups; I was wondering if there may be a scalable design/approach whereby the access-list entries may scale beside creating a vlan for each user group and applying the access-list on the layer 3 interface instead? I have illustrated the setup below for reference:
    User group 1 -- Apply ACL 1 --On Vlan 1 
    User group 2 -- Apply ACL 2 -- On Vlan 1
    User group 3 -- Apply ACL 3 -- On Vlan 1
    The problem is only seen for wireless users, it is not seen on wired users as the ACLs may be applied successfully without any limitation to the switches.
    Any suggestion is appreciated.
    Thanks.

    Actually, you have limitations on the switch side as well. Lengthy ACLs can deplete the switch's TCAM resources. Take a look at this link:
    http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/68461-high-cpu-utilization-cat3750.html
    The new WLCs that are based on IOS XE and not the old Wireless/Aironet OS will provide the a better experience when it comes to such issues. 
    Overall, I see three ways to overcome your current issue:
    1. Shrink the ACLs by making them less specific
    2. Utilize the L3 interfaces on a L3 switch or FW and apply ACLs there
    3. Use SGT/SGA
    Hope this helps!
    Thank you for rating helpful posts!

  • Access-list problem ?

    Hello, I/m having problems getting an access-list to work.With the access-group 104 in i lose my internet connectivity.
    Here's the config. If i remove the access-group 104 in from the gigabitinterface0/0 all works but I want to have the settings on this interface.
    What am I missing ?
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r01
    boot-start-marker
    boot-end-marker
    logging buffered 15000
    no logging console
    no aaa new-model
    clock timezone CET 1 0
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 172.17.1.1 172.17.1.30
    ip dhcp excluded-address 172.17.1.240 172.17.1.254
    ip dhcp excluded-address 172.17.3.1 172.17.3.30
    ip dhcp excluded-address 172.17.3.240 172.17.3.254
    ip dhcp pool VLAN1
    network 172.17.1.0 255.255.255.0
    domain-name r1.local
    default-router 172.17.1.254
    dns-server 212.54.40.25 212.54.35.25
    lease 0 1
    ip dhcp pool VLAN100
    network 172.17.3.0 255.255.255.0
    domain-name r1_Guest
    default-router 172.17.3.254
    dns-server 212.54.40.25 212.54.35.25
    lease 0 1
    ip domain name r1.lan
    ip name-server 212.54.40.25
    ip name-server 212.54.35.25
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    object-group network temp
    description dummy addresses
    1.1.1.1 255.255.255.0
    2.2.2.2 255.255.255.0
    object-group network vlan1-lan
    172.17.1.0 255.255.255.0
    object-group network vlan100-guest
    172.17.3.0 255.255.255.0
    object-group network ziggo-dns
    host 212.54.40.25
    host 212.54.35.25
    redundancy
    ip ssh version 2
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    ip address dhcp
    ip access-group 104 in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    description r1.local lan
    ip address 172.17.1.254 255.255.255.0
    ip access-group 102 in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    description Vlan100 r1_Guest
    encapsulation dot1Q 100
    ip address 172.17.3.254 255.255.255.0
    ip access-group 103 in
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    no cdp enable
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source list 101 interface GigabitEthernet0/0 overload
    ip route 172.17.2.0 255.255.255.0 172.17.1.253
    access-list 23 permit 172.17.1.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 102 deny ip any object-group vlan100-guest
    access-list 102 permit ip any any log
    access-list 103 deny ip any object-group vlan1-lan
    access-list 103 permit ip any any
    access-list 104 permit tcp any any eq 22
    access-list 104 permit udp any any eq snmp
    access-list 104 permit icmp any any time-exceeded
    access-list 104 permit icmp any any echo-reply
    access-list 104 permit icmp object-group temp any echo
    access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
    access-list 104 deny ip any any log
    no cdp run
    control-plane
    line con 0
    login local
    line aux 0
    line 2
    login local
    no activation-character
    no exec
    transport preferred none
    transport input ssh
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    login local
    transport input ssh
    scheduler allocate 20000 1000
    end

    Hello,
    I applied the rules and that works.
    Only thing i have now.
    Reboot router.
    Interface 0/0 gets no dhcp address from isp.
    I have to remove the 104 in from int 0/0
    Then Router logs : %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01
    Int0/0 gets dhcp ip address, next i apply the acl 104 in to int 0/0 and all works until the next reboot.
    Maybe i have to put in a static ip address on int0/0 ?
    Thanks for your help !

  • Default action for access list Deny

    Hello,
    Is it possible to change the default action for an access list deny?  Can the ASA be configured to send an icmp unreachable rather than just dropping the packet if an access list denies the request?  I have a situation where I would like to restrict access to a specific server for a select number of users.  The problem is that the restricted workstations attempt to connect to the server at log in.  Since I cannot control the log in script for those users, I was hoping to use the ASA firewall instead.  However, using a deny statement causes the workstation to repeatedly send SYN requests for 60 seconds.   The restricted users experience an unacceptably long delay at log in.  I was hoping to be able to configure the ASA to send an icmp unreachable message for those users and avoid the wait.
    Thanks,
    Ann

    Hello,
    As the firewall it's supposed to be invisible there is no way the ASA could send this particular messages, sorry to inform you that but you could request this particular feature with your Cisco account Team.
    Regards,
    Julio

  • LMS compliance check on all access lists

    Hello, I am trying to create a complaince template in LMS 3.2.1 to check ALL extended access lists for an explicit deny any any rule. I found articles on how to check all interfaces including VLAN's but cannot seem to make it work for access lists. BTW, the access lists are not all named the same on all devices therefore I need to use wildcards for the name.     
    thanks.           

    I forgot to mention that i am running this against Cisco ASA devices which displays like this:
    access-list TEST_ACL extended deny ip any any
    I have tried:
    access-list [#.*#] extended deny ip any any
    but it returns all as compliant becuase it is stopping at the first access-list it finds with the explicit deny ip any any command and not continuing on to check all the other access lists.
    Any ideas?

  • Configuring Extended Access List with Any statement

    I have several questions where I'm fuzzy on a configuration already on my network.  Whoever setup my network before me just put the same access-lists on all the interfaces at three different locations --
    1.  Are extended access-lists always source then destination?  Like in the following statement:
    permit ip host 172.16.4.20 any - Is the source 172.16.4.20 and destination any?
    2.  Further down though there is:
    permit tcp any host 172.16.4.11 eq 443.
    In that case is the source any host and the destination 172.16.4.11 ?
    This had been placed on an inbound access-list but 4.11 is not internal to that network so I don't think that statement if valid.
    3.  Also, when you do a:
    sho ip access-list -
    Not many of the line items in that access have any counts - does that mean nothing is hitting them or like I think they could be misconfigured?
    Thanks!

    Thank you Alex for your response.
    Yes, this is an example:
    permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.1 eq 135 389 636 445 3268 3269 domain 88
    I have more ACLs and each ACL contains more conditions with multiples Por

  • RVS4000 IP Access Lists

    Hello all,
    I am trying to block access from 1 VLAN to another without disabling InterVLAN routing.
    In my access list entry I have the following:
    Deny ALL protocols, Source interface LAN; Source Address Network 192.168.8.0/24 (VLAN I wish to block); Destination Address Network 192.168.1.0.
    It looks like this should work however hosts from the 192.168.8.0 network can access the 192.168.1.0 network. If I disable InterVLAN routing it blocks traffic between the VLANs as you would expect. In the future I plan to have another VLAN that I do wish to route between VLANs.
    Any help would be appreciated,
    Thanks!
    Brian

    To support the scenario you described, you might want to take a look at the SA500 series such as SA520.
    For RVS4000, I will pass your request onto the product team for consideration.
    I was told that RVL200, which also supports inter-VLAN routing and IP-address based Access Rules, can support the scenario you described.

  • MAC access-list on switching platforms

    Please advise if I am in the worng group, and I'll move the post.
    I like implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    Mac based ACL can be configured on the router. You will need to use an access-list which ranges from 700-799:
    A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware
    DESTINATION address>. Apply it to a vlan interface after making VLAN interface as a layer2 interface.

  • Access-list on secondary IP

    Hi,
    I would like to ask help if i can block the secondary IP internet access? i will place it on the primary access-list created.
    example
    (primary blocking internet access access-list)
    ip access-list extended http100
    permit tcp host 10.99.100.1 host 10.108.20.1 eq 80
    ip access-list extended http100
    permit tcp host 10.99.102.1 host 10.108.20.1 eq 80
    permit ip any any
    would the commands above block the internet of the secondary IP 10.99.102.x?
    thanks,
    Eduard

    Hi Rick,
    I have a router and currently blocks internet access on certain IP's. On that segment i created a secondary IP address 10.99.102.x.
    My question is how do i block secondary internet access by using an access-list?
    I thought of that since the secondary IP's interface is the same as the primary one, i'll put the exception there on the existing access-list. would it block the IP's of the secondary accessing the internet.
    Hope this is clearer.
    oh,i think i missed typed something on the access-list, let me create another example:
    ip access-list extended http101
    permit tcp host 10.99.100.1 host 10.100.100.1 eq 80 (primary ip and proxy)
    permit tcp host 10.99.102.1 host 10.100.100.1 eq 80 (secondary ip and proxy)
    deny tcp 10.99.100.0 0.0.0.255 host 10.100.100.1 eq 80
    deny tcp 10.99.102.0 0.0.0.255 host 10.100.100.1 eq 80
    permit ip any any
    all ip's internet will be blocked except for 10.99.100.1 and 10.99.102.1
    thanks,
    Eduard

Maybe you are looking for