Cisco 3560 access-list anomaly

averyb asked:

We have several VLANS setup on our 3560 switch.

Everything is working, but the strange thing is that each ace isn't incrementing as traffic is processed against it.

Any comments?

Running 12.2 IOS.
mikebernhardt:

You could provide the config and the output of "show access-list"
Les Moore:
Have you actually applied the acl to the appropriate vlan?
averyb (asker):
Here's the config
I removed several lines related to which ports are on which VLAN.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 3560
!
no logging console
enable secret 5 $1$XWhF$F9woAFcfR7hXkIINHaozN/
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
 description uplink to FW
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
!
<Lines removed>
!
interface FastEthernet0/13
 switchport access vlan 110
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/19
 switchport access vlan 111
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/25
 switchport access vlan 112
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/31
 switchport access vlan 113
 switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/37
 switchport access vlan 114
 switchport mode access
 shutdown
!
<Lines removed>
!
interface FastEthernet0/43
 switchport access vlan 115
 switchport mode access
 shutdown
!
<Lines Removed>
!
interface GigabitEthernet0/1
 shutdown
!
<Lines removed>

interface Vlan1
 ip address 192.168.1.2 255.255.255.252
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
 ip access-group 100 in
!
interface Vlan110
 ip address 192.168.110.1 255.255.255.0
 ip access-group 110 in
 ip helper-address 192.168.100.3
!
interface Vlan111
 ip address 192.168.111.1 255.255.255.0
 ip access-group 111 in
 ip helper-address 192.168.100.3
!
interface Vlan112
 ip address 192.168.112.1 255.255.255.0
 ip access-group 112 in
 ip helper-address 192.168.100.3
!
interface Vlan113
 ip address 192.168.113.1 255.255.255.0
 ip access-group 113 in
 ip helper-address 192.168.100.3
!
interface Vlan114
 ip address 192.168.114.1 255.255.255.0
 ip helper-address 192.168.100.3
 shutdown
!
interface Vlan115
 ip address 192.168.115.1 255.255.255.0
 ip helper-address 192.168.100.3
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
access-list 100 permit icmp any any
access-list 100 permit ip host 192.168.100.1 host 192.168.110.1
access-list 100 permit ip host 192.168.100.3 host 192.168.110.1
access-list 100 permit ip host 192.168.100.1 host 192.168.111.1
access-list 100 permit ip host 192.168.100.3 host 192.168.111.1
access-list 100 permit ip host 192.168.100.1 host 192.168.112.1
access-list 100 permit ip host 192.168.100.3 host 192.168.112.1
access-list 100 permit ip host 192.168.100.1 host 192.168.113.1
access-list 100 permit ip host 192.168.100.3 host 192.168.113.1
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq 2000
access-list 100 permit ip host 192.168.100.151 any
access-list 100 permit ip host 192.168.100.152 any
access-list 100 permit ip any 192.168.111.32 0.0.0.31
access-list 100 permit ip any 192.168.112.32 0.0.0.31
access-list 100 permit ip any 192.168.113.32 0.0.0.31
access-list 100 permit ip host 192.168.100.3 host 192.168.111.10
access-list 100 permit ip host 192.168.100.3 host 192.168.112.10
access-list 100 permit ip host 192.168.100.3 host 192.168.113.10
access-list 100 permit ip host 192.168.100.4 host 192.168.111.10
access-list 100 permit ip host 192.168.100.4 host 192.168.112.10
access-list 100 permit ip host 192.168.100.4 host 192.168.113.10
access-list 100 permit ip host 192.168.100.240 host 192.168.111.10
access-list 100 permit ip host 192.168.100.240 host 192.168.112.10
access-list 100 permit ip host 192.168.100.240 host 192.168.113.10
access-list 100 deny   ip any 192.168.111.0 0.0.0.255
access-list 100 deny   ip any 192.168.112.0 0.0.0.255
access-list 100 deny   ip any 192.168.113.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip any any
access-list 111 permit icmp any any
access-list 111 permit ip host 192.168.111.1 host 192.168.100.1
access-list 111 permit ip host 192.168.111.1 host 192.168.100.3
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq bootpc
access-list 111 permit ip any 192.168.10.240 0.0.0.7
access-list 111 permit ip any 192.168.10.248 0.0.0.3
access-list 111 permit ip 192.168.111.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 7609
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit tcp any eq ftp-data any
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any eq ftp any
access-list 111 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 111 permit ip host 192.168.111.10 host 192.168.100.240
access-list 111 permit ip host 192.168.111.10 host 192.168.100.3
access-list 111 permit tcp host 192.168.111.10 any eq smtp
access-list 111 permit tcp host 192.168.111.10 eq smtp any
access-list 111 permit tcp host 192.168.111.10 any eq 7609
access-list 111 deny   tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq www
access-list 111 deny   tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq www
access-list 111 deny   tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq 8080
access-list 111 deny   tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq 8080
access-list 111 deny   tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq 443
access-list 111 deny   tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq 443
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq www
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 8080
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 443
access-list 111 deny   tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
access-list 111 permit tcp host 192.168.111.10 any eq www
access-list 111 permit tcp host 192.168.111.10 any eq 8080
access-list 111 permit tcp host 192.168.111.10 any eq 443
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq www
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 8080
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 443
access-list 111 permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 112 permit icmp any any
access-list 112 permit ip host 192.168.112.1 host 192.168.100.1
access-list 112 permit ip host 192.168.112.1 host 192.168.100.3
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any any eq bootpc
access-list 112 permit ip any 192.168.10.240 0.0.0.7
access-list 112 permit ip any 192.168.10.248 0.0.0.3
access-list 112 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 7609
access-list 112 permit tcp any any eq ftp-data
access-list 112 permit tcp any eq ftp-data any
access-list 112 permit tcp any any eq ftp
access-list 112 permit tcp any eq ftp any
access-list 112 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 112 permit ip host 192.168.112.10 host 192.168.100.240
access-list 112 permit ip host 192.168.112.10 host 192.168.100.3
access-list 112 permit tcp host 192.168.112.10 any eq smtp
access-list 112 permit tcp host 192.168.112.10 eq smtp any
access-list 112 permit tcp host 192.168.112.10 any eq 7609
access-list 112 deny   tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
access-list 112 deny   tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
access-list 112 deny   tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 8080
access-list 112 deny   tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 8080
access-list 112 deny   tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 443
access-list 112 deny   tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 443
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
access-list 112 deny   tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
access-list 112 permit tcp host 192.168.112.10 any eq www
access-list 112 permit tcp host 192.168.112.10 any eq 8080
access-list 112 permit tcp host 192.168.112.10 any eq 443
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq www
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 8080
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 443
access-list 112 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 113 permit icmp any any
access-list 113 permit ip host 192.168.113.1 host 192.168.100.1
access-list 113 permit ip host 192.168.113.1 host 192.168.100.3
access-list 113 permit udp any any eq bootps
access-list 113 permit udp any any eq bootpc
access-list 113 permit ip any 192.168.10.240 0.0.0.7
access-list 113 permit ip any 192.168.10.248 0.0.0.3
access-list 113 permit ip 192.168.113.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 7609
access-list 113 permit tcp any any eq ftp-data
access-list 113 permit tcp any eq ftp-data any
access-list 113 permit tcp any any eq ftp
access-list 113 permit tcp any eq ftp any
access-list 113 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 113 permit ip host 192.168.113.10 host 192.168.100.240
access-list 113 permit ip host 192.168.113.10 host 192.168.100.3
access-list 113 permit tcp host 192.168.113.10 any eq smtp
access-list 113 permit tcp host 192.168.113.10 eq smtp any
access-list 113 permit tcp host 192.168.113.10 any eq 7609
access-list 113 deny   tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq www
access-list 113 deny   tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq www
access-list 113 deny   tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq 8080
access-list 113 deny   tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq 8080
access-list 113 deny   tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq 443
access-list 113 deny   tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq 443
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq www
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 8080
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
access-list 113 deny   tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 443
access-list 113 permit tcp host 192.168.113.10 any eq www
access-list 113 permit tcp host 192.168.113.10 any eq 8080
access-list 113 permit tcp host 192.168.113.10 any eq 443
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq www
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 8080
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 443
access-list 113 permit ip 192.168.113.0 0.0.0.255 192.168.110.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 005403030A695B070B32
 login
line vty 5 15
 no login
!
!
end



averyb (asker):

show access-list 112
Extended IP access list 112
    10 permit icmp any any (4 matches)
    20 permit ip host 192.168.112.1 host 192.168.100.1
    30 permit ip host 192.168.112.1 host 192.168.100.3
    40 permit udp any any eq bootps (20 matches)
    50 permit udp any any eq bootpc
    60 permit ip any 192.168.10.240 0.0.0.7
    70 permit ip any 192.168.10.248 0.0.0.3
    80 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
    90 permit tcp 192.168.112.32 0.0.0.31 any eq 7609
    100 permit tcp any any eq ftp-data
    110 permit tcp any eq ftp-data any
    120 permit tcp any any eq ftp
    130 permit tcp any eq ftp any
    140 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
    150 permit ip host 192.168.112.10 host 192.168.100.240
    160 permit ip host 192.168.112.10 host 192.168.100.3
    170 permit tcp host 192.168.112.10 any eq smtp
    180 permit tcp host 192.168.112.10 eq smtp any
    190 permit tcp host 192.168.112.10 any eq 7609
    200 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
    210 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
    220 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 8080
    230 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 8080
    240 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 443
    250 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 443
    260 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
    270 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
    280 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
    290 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
    300 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
    310 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
    320 permit tcp host 192.168.112.10 any eq www
    330 permit tcp host 192.168.112.10 any eq 8080
    340 permit tcp host 192.168.112.10 any eq 443
    350 permit tcp 192.168.112.32 0.0.0.31 any eq www
    360 permit tcp 192.168.112.32 0.0.0.31 any eq 8080
    370 permit tcp 192.168.112.32 0.0.0.31 any eq 443
    380 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255 (58 matches)

show access-list 100
Extended IP access list 100
    10 permit icmp any any
    20 permit ip host 192.168.100.1 host 192.168.110.1
    30 permit ip host 192.168.100.3 host 192.168.110.1 (1 match)
    40 permit ip host 192.168.100.1 host 192.168.111.1
    50 permit ip host 192.168.100.3 host 192.168.111.1
    60 permit ip host 192.168.100.1 host 192.168.112.1
    70 permit ip host 192.168.100.3 host 192.168.112.1
    80 permit ip host 192.168.100.1 host 192.168.113.1
    90 permit ip host 192.168.100.3 host 192.168.113.1
    100 permit udp any any eq bootps (98 matches)
    110 permit udp any any eq bootpc (69 matches)
    120 permit tcp any any eq ftp-data
    130 permit tcp any eq ftp-data any
    140 permit tcp any any eq ftp
    150 permit tcp any eq ftp any
    160 permit tcp any any eq 3389
    170 permit tcp any any eq 2000
    180 permit ip host 192.168.100.151 any
    190 permit ip host 192.168.100.152 any
    200 permit ip any 192.168.111.32 0.0.0.31
    210 permit ip any 192.168.112.32 0.0.0.31
    220 permit ip any 192.168.113.32 0.0.0.31
    230 permit ip host 192.168.100.3 host 192.168.111.10
    240 permit ip host 192.168.100.3 host 192.168.112.10
    250 permit ip host 192.168.100.3 host 192.168.113.10
    260 permit ip host 192.168.100.4 host 192.168.111.10
    270 permit ip host 192.168.100.4 host 192.168.112.10
    280 permit ip host 192.168.100.4 host 192.168.113.10
    290 permit ip host 192.168.100.240 host 192.168.111.10
    300 permit ip host 192.168.100.240 host 192.168.112.10
    310 permit ip host 192.168.100.240 host 192.168.113.10
    320 deny ip any 192.168.111.0 0.0.0.255
    330 deny ip any 192.168.112.0 0.0.0.255 (6 matches)
    340 deny ip any 192.168.113.0 0.0.0.255
    350 permit ip any any (3522 matches)

Now I ping to a server on VLAN 112 from the switch itself--
Only difference on show access-list 100 is line 350.  
Only difference on show access-list 112 is line 10 which is expected.

Now I ping to a server on VLAN 112 from a server on VLAN 100--
Nothing on access-list 112 increments at all.  Only line 350 increments on access-list 100.

Note: There is a good bit of traffic present on the network which would cause line 350 on access-list 100 to increment.  The incrementing on that ace might be totally unrelated to the ping traffic.

If I ftp from VLAN 100 to VLAN 112
averyb (asker):
Ignore the last line in the previous post.
>Now I ping to a server on VLAN 112 from the switch itself
I wouldn't expect anything on access-list 100 since you are probably pinging from the interface address of vlan 112

>Now I ping to a server on VLAN 112 from a server on VLAN 100
Not sure about this one. Are you running SM or SM software? Can you do a show version please? It may be that access-list counters are buggy. One test would be to add a line 5 denying icmp between the 2 test servers on vlan 100 and see if it blocks it.
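Added example, not from any poster in this thread: a first-match evaluator for the posted ACLs that traces the asker's ping (and, for contrast, a TCP connection) from VLAN 100 to VLAN 112 through ACL 100 inbound on Vlan100 and ACL 112 inbound on Vlan112, using excerpts of the ACLs with the sequence numbers from the show access-list output; the hosts 192.168.100.50 and 192.168.112.40 are constructed.

```python
import ipaddress
PORT_NAMES = {"bootps": 67, "bootpc": 68, "ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25}

def _addr(tok, i):
    # One address spec: any | host A | A WILDCARD (1-bits in the wildcard are don't-care).
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def _port(tok, i):
    # Optional 'eq <port>' clause; None means any port.
    if i < len(tok) and tok[i] == "eq":
        return (PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])), i + 2
    return None, i

def parse_acl(text):
    # Lines in 'show access-list' form: seq action proto src [eq p] dst [eq p]
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _addr(tok, 3)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append((int(tok[0]), tok[1], tok[2], src, sport, dst, dport))
    return aces

def first_match(aces, proto, src, dst, sport=None, dport=None):
    # IOS first-match: (seq, action) of the ACE hit, or (None, "deny") for the
    # implicit deny that ends every IOS ACL.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, p, a_src, a_sport, a_dst, a_dport in aces:
        if (p in ("ip", proto) and s in a_src and d in a_dst
                and a_sport in (None, sport) and a_dport in (None, dport)):
            return seq, action
    return None, "deny"

# Excerpt of the posted ACLs, sequence numbers as in the 'show access-list' output.
ACL_100 = parse_acl("""10 permit icmp any any
160 permit tcp any any eq 3389
210 permit ip any 192.168.112.32 0.0.0.31
330 deny ip any 192.168.112.0 0.0.0.255
350 permit ip any any""")          # applied inbound on Vlan100
ACL_112 = parse_acl("""10 permit icmp any any
80 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
380 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255""")  # inbound on Vlan112

def trace(proto, src, dst, sport=None, dport=None):
    # Request enters Vlan100 (ACL 100); the reply, addresses/ports swapped, enters Vlan112 (ACL 112).
    return (first_match(ACL_100, proto, src, dst, sport, dport),
            first_match(ACL_112, proto, dst, src, dport, sport))
```

A ping from a VLAN 100 server logically hits seq 10 of ACL 100 and its reply seq 10 of ACL 112; on the 3560 these ACLs are enforced in hardware and the per-ACE counters in show access-list only count packets handled in software (such as pings sourced from the switch itself), which is why a forwarded ping can match seq 10 without the counter moving, while show access-lists hardware counters reports the hardware totals. The line 5 test suggested above can be checked the same way by prepending that ACE to ACL_100 before calling first_match.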
ASKER CERTIFIED SOLUTION by pjtemplin