Solved

ACL problem in Catalyst 3550 switch

Posted on 2004-08-29
Last Modified: 2012-06-21
Hello All,

I have configured RIP2 in a Catalyst 3550 switch with the following commands

router rip
 version 2
 network 172.16.0.0

I created the following ACL and applied it to the interfaces

access-list 111  deny udp any eq 137 any eq 137
access-list 111  permit udp any any
access-list 111 permit ip any any

But when this ACL is activated the RIP stops working. No updates about other switches and routes are received by this switch. I tried adding

access-list 111 permit udp any eq 520 any eq 520

also. But this also didn't help.

When I applied the same ACL on a Cisco 2621 router, it worked perfectly. The inference is that if I apply an ACL with even simple statements like

access-list 111  permit udp any any
access-list 111 permit ip any any

then also the RIP updates do not happen. But other switches are able to get the routing information of this switch without problems.

What could be wrong?

Thanks and regards,

Binu R.
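The ACL variants posted in this question, run through a small first-match evaluator, as an added example that is not part of the original question or any of the answers. It models the IOS extended-ACL semantics that matter here (first matching entry wins, implicit deny at the end, port keywords such as rip = 520, host and wildcard address forms) and shows that every version of ACL 111 in the thread permits a RIPv2 update (UDP 520 to 520, multicast to 224.0.0.9), so the entries themselves are not what drops the updates. The sample packets are constructed; 172.16.128.254 is the RIP neighbor from the posted config, the other hosts are made up, and the second ACL 111 variant (the one in the running-config) is renumbered 112 so both can be loaded side by side. The evaluator does not model where an ACL is applied (switch port versus VLAN interface), which is what the later replies discuss.

```python
import ipaddress
from dataclasses import dataclass

# Port keywords IOS accepts in extended ACLs (the subset this thread uses); 'rip' is UDP 520.
PORT_NAMES = {"rip": 520, "domain": 53, "smtp": 25, "www": 80,
              "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq PORT' qualifier (number or keyword); None means any port."""
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1])
        return (int(tokens[1]) if port is None else port), tokens[2:]
    return None, tokens

def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P]' lines into rule dicts."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # blank line or something other than an extended ACL entry
        acl_id, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
        src, rest = _parse_addr(rest)
        sport, rest = _parse_port(rest)
        dst, rest = _parse_addr(rest)
        dport, rest = _parse_port(rest)
        rules.append({"acl": acl_id, "action": action, "proto": proto,
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules

def _matches(rule, pkt):
    """An entry matches when protocol, both addresses and any 'eq' port qualifiers all agree."""
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.sport:
        return False
    return rule["dport"] is None or rule["dport"] == pkt.dport

def evaluate(rules, acl_id, pkt):
    """First-match evaluation; no matching entry falls through to the implicit 'deny ip any any'."""
    for rule in rules:
        if rule["acl"] == acl_id and _matches(rule, pkt):
            return rule["action"]
    return "deny"

# ACL entries taken from the thread. The running-config version of ACL 111 is loaded as 112
# here (renumbered only so that both variants can be compared in one run).
ACL_TEXT = """
access-list 111 deny   udp any eq 137 any eq 137
access-list 111 permit udp any any
access-list 111 permit ip any any
access-list 112 permit udp any any eq rip
access-list 112 permit ip any any
access-list 109 deny   udp any any eq 135
access-list 109 deny   udp any any eq netbios-ns
access-list 109 permit ip any any
access-list 113 permit tcp any any eq www
access-list 113 permit tcp host 203.197.150.87 any
"""

# Constructed sample traffic. RIPv2 updates are UDP 520 to 520, multicast to 224.0.0.9;
# 172.16.128.254 is the RIP neighbor in the posted config, the other addresses are made up.
RIP_UPDATE = Packet("udp", "172.16.128.254", "224.0.0.9", 520, 520)
NBNS_QUERY = Packet("udp", "172.16.138.10", "172.16.138.126", 137, 137)
RPC_135 = Packet("udp", "172.16.138.10", "172.16.138.20", 1029, 135)
WEB = Packet("tcp", "172.16.138.10", "203.197.150.87", 33000, 80)
ADMIN_SSH = Packet("tcp", "203.197.150.87", "172.16.128.2", 41000, 22)

def report():
    """Evaluate every sample packet against every ACL; returns {(acl_id, name): action}."""
    rules = parse_acl(ACL_TEXT)
    samples = {"rip": RIP_UPDATE, "nbns": NBNS_QUERY, "rpc135": RPC_135,
               "web": WEB, "admin_ssh": ADMIN_SSH}
    return {(acl, name): evaluate(rules, acl, pkt)
            for acl in ("109", "111", "112", "113") for name, pkt in samples.items()}

if __name__ == "__main__":
    for (acl, name), action in sorted(report().items()):
        print(f"acl {acl:>3}  {name:<9} -> {action}")
```

Running it shows the RIP update permitted by 109, 111 and 112 alike (the NetBIOS deny in the first 111 variant only matches 137-to-137 traffic), while ACL 113, which has no UDP entry, drops it on the implicit deny. That is the check to run before moving on to placement questions: if the entries already permit the traffic, the ACL text is not the variable to keep changing.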

LVL 50

Expert Comment

by:Don Johnston
ID: 11926759
Just so we're starting on the same page...

Is this a 3550 SMI or EMI?

-dj
 
LVL 50

Expert Comment

by:Don Johnston
ID: 11926790
I just applied your original ACL 111 to a 3550-EMI configured for RIP version 2. Still getting updates and working fine.

Can you post your config? Maybe there's something else that's causing this behavior.

-Don
 

Author Comment

by:rbnu
ID: 11928359
Thank you very much for the response. Our switch is SMI. As I said, I have applied the same configuration on a Cisco 2621 router and it is working fine. I am giving the current configuration for your reference.

!
version 12.1
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname RoomNo2-3550-24
!
clock timezone GMT 5 30
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/2
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/3
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/4
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/5
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/6
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/7
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/8
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/9
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/10
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/11
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/12
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/13
 no ip address
 ip access-group 109 in
!
interface FastEthernet0/14
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/15
 no ip address
 ip access-group 111 in
!
interface FastEthernet0/16
 no ip address
 ip access-group 111 in
!
interface FastEthernet0/17
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/18
 no ip address
 ip access-group 111 in
!
interface FastEthernet0/19
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/20
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/21
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/22
 no ip address
 ip access-group 110 in
!
interface FastEthernet0/23
 no ip address
!
interface FastEthernet0/24
 no ip address
!
interface GigabitEthernet0/1
 no ip address
 ip access-group 111 in
 no cdp enable
!
interface GigabitEthernet0/2
 no ip address
 ip access-group 111 in
!
interface Vlan1
 ip address 172.16.128.2 255.255.255.0
!
interface Vlan401
ip address 172.16.138.126 255.255.255.128
!
interface Vlan402
ip address 172.16.138.254 255.255.255.128
!
router rip
 version 2
 network 172.16.0.0
 neighbor 172.16.128.254
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.128.254
ip http server
!
!
logging facility local6
logging 172.16.10.249
access-list 109 deny   udp any any eq 135
access-list 109 deny   udp any any eq netbios-ns
access-list 109 deny   udp any any eq netbios-dgm
access-list 109 deny   udp any any eq netbios-ss
access-list 109 deny   udp any any eq 4444
access-list 109 deny   udp any any eq 34012
access-list 109 deny   udp any eq 1037 any
access-list 109 deny   udp any any eq 2301
access-list 109 permit ip any any
access-list 110 deny   udp any any eq 135
access-list 110 deny   udp any any eq 4444
access-list 110 deny   udp any any eq 34012
access-list 110 deny   udp any eq 1037 any
access-list 110 deny   udp any any eq 2301
access-list 110 permit ip any any
access-list 111 permit udp any any eq rip
access-list 111 permit ip any any
access-list 113 permit tcp any any eq domain
access-list 113 permit tcp any any eq smtp
access-list 113 permit tcp any any eq www
access-list 113 permit tcp host 203.197.150.87 any
access-list 113 permit icmp host 203.197.150.87 any
access-list 113 permit icmp any host 203.197.150.87
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end


Thanks and regards,

Binu R.
 
LVL 1

Expert Comment

by:stealth188
ID: 11934649
I think you want to apply your access-group commands to the VLAN interfaces. Think about it: if you put an access-list on an interface that doesn't have an IP address, how is the device going to know what to do? If you take the groups off of the physical interfaces and put them on the VLAN interfaces I think you will be in good shape.
 
LVL 50

Accepted Solution

by:
Don Johnston earned 250 total points
ID: 11936829
I'm pretty sure the SMI version of code can't do any dynamic routing (RIP, IGRP, etc.).


-Don
 
LVL 1

Expert Comment

by:stealth188
ID: 11937328
Yes, there is support for basic IP unicast routing via Static and RIPv1/v2 using the SMI. The EMI provides advanced IP unicast and multicast routing. These advanced routing protocols are Open Shortest Path Routing Protocol (OSPF), Interior Gateway Routing Protocol (IGRP), Enhanced Interior Gateway Routing Protocol (EIGRP), BGP version 4 (BGPv4), Protocol Independent Multicast (PIM), and PBR.
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 11945399
I think Stealth188 is right. You need to apply the access-group commands to the VLAN interfaces, not the physical interfaces.
 

Author Comment

by:rbnu
ID: 11948646

Thanks all for the response. I have been using access lists on physical interfaces for a long time and they were giving exactly the results expected. Even if I write the same ACL on our Cisco 2621 router and apply it to the physical interfaces, again, it is able to get RIP updates.

In the Catalyst 3550, if I write an ACL, UDP traffic to ports 137/138 is shown properly if I enable UDP debugging. But port 520 traffic is not seen at all, even when I write a two-line ACL like

access-list 111 permit udp any any
access-list 111 permit ip any any

Another point is, if I write

access-list 111 deny udp any any eq 137

the UDP traffic to port 137 is suppressed too (with the ACL applied to the physical interfaces). So I doubt it is a problem with applying the ACL to the physical interface.

Any other clue?

Thanks and regards,

Binu R.
 
LVL 1

Expert Comment

by:stealth188
ID: 11948925
If you remove the access-group from all the physical interfaces do you receive the updates?
 

Author Comment

by:rbnu
ID: 11949449
Yes, definitely. I am getting the updates. Once I apply an ACL, even with a single-line UDP permit or IP permit, the updates stop working!!

Rds,

Binu R.
 
LVL 3

Expert Comment

by:fatlad
ID: 11950235
There used to be a nice clear difference between a switch PORT and a layer 3 router INTERFACE (be it physical or a logical VLAN). When IOS was put onto switches this was blurred somewhat.

ACLs should only be placed on interfaces and not ports (trust us!).
 
LVL 1

Assisted Solution

by:stealth188
stealth188 earned 250 total points
ID: 11953151
Amen fatlad