averyb
asked on
Cisco 3560 access-list anomaly
We have several VLANs set up on our 3560 switch.
Everything is working, but the strange thing is that each ACE isn't incrementing as traffic is processed against it.
Any comments?
Running 12.2 IOS.
You could provide the config and the output of "show access-list"
Have you actually applied the acl to the appropriate vlan?
ASKER
Here's the config
I removed several lines related to which ports are on which VLAN.
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname 3560
!
no logging console
enable secret 5 $1$XWhF$F9woAFcfR7hXkIINHa ozN/
!
no aaa new-model
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
description uplink to FW
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 100
switchport mode access
!
<Lines removed>
!
interface FastEthernet0/13
switchport access vlan 110
switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/19
switchport access vlan 111
switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/25
switchport access vlan 112
switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/31
switchport access vlan 113
switchport mode access
!
<Lines Removed>
!
interface FastEthernet0/37
switchport access vlan 114
switchport mode access
shutdown
!
<Lines removed>
!
interface FastEthernet0/43
switchport access vlan 115
switchport mode access
shutdown
!
<Lines Removed>
!
interface GigabitEthernet0/1
shutdown
!
<Lines removed>
interface Vlan1
ip address 192.168.1.2 255.255.255.252
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
!
interface Vlan110
ip address 192.168.110.1 255.255.255.0
ip access-group 110 in
ip helper-address 192.168.100.3
!
interface Vlan111
ip address 192.168.111.1 255.255.255.0
ip access-group 111 in
ip helper-address 192.168.100.3
!
interface Vlan112
ip address 192.168.112.1 255.255.255.0
ip access-group 112 in
ip helper-address 192.168.100.3
!
interface Vlan113
ip address 192.168.113.1 255.255.255.0
ip access-group 113 in
ip helper-address 192.168.100.3
!
interface Vlan114
ip address 192.168.114.1 255.255.255.0
ip helper-address 192.168.100.3
shutdown
!
interface Vlan115
ip address 192.168.115.1 255.255.255.0
ip helper-address 192.168.100.3
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
no ip http server
!
!
access-list 100 permit icmp any any
access-list 100 permit ip host 192.168.100.1 host 192.168.110.1
access-list 100 permit ip host 192.168.100.3 host 192.168.110.1
access-list 100 permit ip host 192.168.100.1 host 192.168.111.1
access-list 100 permit ip host 192.168.100.3 host 192.168.111.1
access-list 100 permit ip host 192.168.100.1 host 192.168.112.1
access-list 100 permit ip host 192.168.100.3 host 192.168.112.1
access-list 100 permit ip host 192.168.100.1 host 192.168.113.1
access-list 100 permit ip host 192.168.100.3 host 192.168.113.1
access-list 100 permit udp any any eq bootps
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any any eq ftp-data
access-list 100 permit tcp any eq ftp-data any
access-list 100 permit tcp any any eq ftp
access-list 100 permit tcp any eq ftp any
access-list 100 permit tcp any any eq 3389
access-list 100 permit tcp any any eq 2000
access-list 100 permit ip host 192.168.100.151 any
access-list 100 permit ip host 192.168.100.152 any
access-list 100 permit ip any 192.168.111.32 0.0.0.31
access-list 100 permit ip any 192.168.112.32 0.0.0.31
access-list 100 permit ip any 192.168.113.32 0.0.0.31
access-list 100 permit ip host 192.168.100.3 host 192.168.111.10
access-list 100 permit ip host 192.168.100.3 host 192.168.112.10
access-list 100 permit ip host 192.168.100.3 host 192.168.113.10
access-list 100 permit ip host 192.168.100.4 host 192.168.111.10
access-list 100 permit ip host 192.168.100.4 host 192.168.112.10
access-list 100 permit ip host 192.168.100.4 host 192.168.113.10
access-list 100 permit ip host 192.168.100.240 host 192.168.111.10
access-list 100 permit ip host 192.168.100.240 host 192.168.112.10
access-list 100 permit ip host 192.168.100.240 host 192.168.113.10
access-list 100 deny ip any 192.168.111.0 0.0.0.255
access-list 100 deny ip any 192.168.112.0 0.0.0.255
access-list 100 deny ip any 192.168.113.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip any any
access-list 111 permit icmp any any
access-list 111 permit ip host 192.168.111.1 host 192.168.100.1
access-list 111 permit ip host 192.168.111.1 host 192.168.100.3
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq bootpc
access-list 111 permit ip any 192.168.10.240 0.0.0.7
access-list 111 permit ip any 192.168.10.248 0.0.0.3
access-list 111 permit ip 192.168.111.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 7609
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit tcp any eq ftp-data any
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any eq ftp any
access-list 111 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 111 permit ip host 192.168.111.10 host 192.168.100.240
access-list 111 permit ip host 192.168.111.10 host 192.168.100.3
access-list 111 permit tcp host 192.168.111.10 any eq smtp
access-list 111 permit tcp host 192.168.111.10 eq smtp any
access-list 111 permit tcp host 192.168.111.10 any eq 7609
access-list 111 deny tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq www
access-list 111 deny tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq www
access-list 111 deny tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq 8080
access-list 111 deny tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq 8080
access-list 111 deny tcp host 192.168.111.10 192.168.112.0 0.0.0.255 eq 443
access-list 111 deny tcp host 192.168.111.10 192.168.113.0 0.0.0.255 eq 443
access-list 111 deny tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq www
access-list 111 deny tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
access-list 111 deny tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 8080
access-list 111 deny tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
access-list 111 deny tcp 192.168.111.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 443
access-list 111 deny tcp 192.168.111.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
access-list 111 permit tcp host 192.168.111.10 any eq www
access-list 111 permit tcp host 192.168.111.10 any eq 8080
access-list 111 permit tcp host 192.168.111.10 any eq 443
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq www
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 8080
access-list 111 permit tcp 192.168.111.32 0.0.0.31 any eq 443
access-list 111 permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 112 permit icmp any any
access-list 112 permit ip host 192.168.112.1 host 192.168.100.1
access-list 112 permit ip host 192.168.112.1 host 192.168.100.3
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any any eq bootpc
access-list 112 permit ip any 192.168.10.240 0.0.0.7
access-list 112 permit ip any 192.168.10.248 0.0.0.3
access-list 112 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 7609
access-list 112 permit tcp any any eq ftp-data
access-list 112 permit tcp any eq ftp-data any
access-list 112 permit tcp any any eq ftp
access-list 112 permit tcp any eq ftp any
access-list 112 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 112 permit ip host 192.168.112.10 host 192.168.100.240
access-list 112 permit ip host 192.168.112.10 host 192.168.100.3
access-list 112 permit tcp host 192.168.112.10 any eq smtp
access-list 112 permit tcp host 192.168.112.10 eq smtp any
access-list 112 permit tcp host 192.168.112.10 any eq 7609
access-list 112 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
access-list 112 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
access-list 112 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 8080
access-list 112 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 8080
access-list 112 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 443
access-list 112 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 443
access-list 112 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
access-list 112 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
access-list 112 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
access-list 112 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
access-list 112 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
access-list 112 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
access-list 112 permit tcp host 192.168.112.10 any eq www
access-list 112 permit tcp host 192.168.112.10 any eq 8080
access-list 112 permit tcp host 192.168.112.10 any eq 443
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq www
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 8080
access-list 112 permit tcp 192.168.112.32 0.0.0.31 any eq 443
access-list 112 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 113 permit icmp any any
access-list 113 permit ip host 192.168.113.1 host 192.168.100.1
access-list 113 permit ip host 192.168.113.1 host 192.168.100.3
access-list 113 permit udp any any eq bootps
access-list 113 permit udp any any eq bootpc
access-list 113 permit ip any 192.168.10.240 0.0.0.7
access-list 113 permit ip any 192.168.10.248 0.0.0.3
access-list 113 permit ip 192.168.113.32 0.0.0.31 192.168.100.0 0.0.0.255
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 7609
access-list 113 permit tcp any any eq ftp-data
access-list 113 permit tcp any eq ftp-data any
access-list 113 permit tcp any any eq ftp
access-list 113 permit tcp any eq ftp any
access-list 113 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
access-list 113 permit ip host 192.168.113.10 host 192.168.100.240
access-list 113 permit ip host 192.168.113.10 host 192.168.100.3
access-list 113 permit tcp host 192.168.113.10 any eq smtp
access-list 113 permit tcp host 192.168.113.10 eq smtp any
access-list 113 permit tcp host 192.168.113.10 any eq 7609
access-list 113 deny tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq www
access-list 113 deny tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq www
access-list 113 deny tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq 8080
access-list 113 deny tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq 8080
access-list 113 deny tcp host 192.168.113.10 192.168.111.0 0.0.0.255 eq 443
access-list 113 deny tcp host 192.168.113.10 192.168.112.0 0.0.0.255 eq 443
access-list 113 deny tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
access-list 113 deny tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq www
access-list 113 deny tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
access-list 113 deny tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 8080
access-list 113 deny tcp 192.168.113.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
access-list 113 deny tcp 192.168.113.32 0.0.0.31 192.168.112.0 0.0.0.255 eq 443
access-list 113 permit tcp host 192.168.113.10 any eq www
access-list 113 permit tcp host 192.168.113.10 any eq 8080
access-list 113 permit tcp host 192.168.113.10 any eq 443
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq www
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 8080
access-list 113 permit tcp 192.168.113.32 0.0.0.31 any eq 443
access-list 113 permit ip 192.168.113.0 0.0.0.255 192.168.110.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
password 7 005403030A695B070B32
login
line vty 5 15
no login
!
!
end
ASKER
show access-list 112
Extended IP access list 112
10 permit icmp any any (4 matches)
20 permit ip host 192.168.112.1 host 192.168.100.1
30 permit ip host 192.168.112.1 host 192.168.100.3
40 permit udp any any eq bootps (20 matches)
50 permit udp any any eq bootpc
60 permit ip any 192.168.10.240 0.0.0.7
70 permit ip any 192.168.10.248 0.0.0.3
80 permit ip 192.168.112.32 0.0.0.31 192.168.100.0 0.0.0.255
90 permit tcp 192.168.112.32 0.0.0.31 any eq 7609
100 permit tcp any any eq ftp-data
110 permit tcp any eq ftp-data any
120 permit tcp any any eq ftp
130 permit tcp any eq ftp any
140 permit tcp any 192.168.100.0 0.0.0.255 eq 3389
150 permit ip host 192.168.112.10 host 192.168.100.240
160 permit ip host 192.168.112.10 host 192.168.100.3
170 permit tcp host 192.168.112.10 any eq smtp
180 permit tcp host 192.168.112.10 eq smtp any
190 permit tcp host 192.168.112.10 any eq 7609
200 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq www
210 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq www
220 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 8080
230 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 8080
240 deny tcp host 192.168.112.10 192.168.111.0 0.0.0.255 eq 443
250 deny tcp host 192.168.112.10 192.168.113.0 0.0.0.255 eq 443
260 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq www
270 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq www
280 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 8080
290 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 8080
300 deny tcp 192.168.112.32 0.0.0.31 192.168.111.0 0.0.0.255 eq 443
310 deny tcp 192.168.112.32 0.0.0.31 192.168.113.0 0.0.0.255 eq 443
320 permit tcp host 192.168.112.10 any eq www
330 permit tcp host 192.168.112.10 any eq 8080
340 permit tcp host 192.168.112.10 any eq 443
350 permit tcp 192.168.112.32 0.0.0.31 any eq www
360 permit tcp 192.168.112.32 0.0.0.31 any eq 8080
370 permit tcp 192.168.112.32 0.0.0.31 any eq 443
380 permit ip 192.168.112.0 0.0.0.255 192.168.110.0 0.0.0.255 (58 matches)
Show access-list 100
Extended IP access list 100
10 permit icmp any any
20 permit ip host 192.168.100.1 host 192.168.110.1
30 permit ip host 192.168.100.3 host 192.168.110.1 (1 match)
40 permit ip host 192.168.100.1 host 192.168.111.1
50 permit ip host 192.168.100.3 host 192.168.111.1
60 permit ip host 192.168.100.1 host 192.168.112.1
70 permit ip host 192.168.100.3 host 192.168.112.1
80 permit ip host 192.168.100.1 host 192.168.113.1
90 permit ip host 192.168.100.3 host 192.168.113.1
100 permit udp any any eq bootps (98 matches)
110 permit udp any any eq bootpc (69 matches)
120 permit tcp any any eq ftp-data
130 permit tcp any eq ftp-data any
140 permit tcp any any eq ftp
150 permit tcp any eq ftp any
160 permit tcp any any eq 3389
170 permit tcp any any eq 2000
180 permit ip host 192.168.100.151 any
190 permit ip host 192.168.100.152 any
200 permit ip any 192.168.111.32 0.0.0.31
210 permit ip any 192.168.112.32 0.0.0.31
220 permit ip any 192.168.113.32 0.0.0.31
230 permit ip host 192.168.100.3 host 192.168.111.10
240 permit ip host 192.168.100.3 host 192.168.112.10
250 permit ip host 192.168.100.3 host 192.168.113.10
260 permit ip host 192.168.100.4 host 192.168.111.10
270 permit ip host 192.168.100.4 host 192.168.112.10
280 permit ip host 192.168.100.4 host 192.168.113.10
290 permit ip host 192.168.100.240 host 192.168.111.10
300 permit ip host 192.168.100.240 host 192.168.112.10
310 permit ip host 192.168.100.240 host 192.168.113.10
320 deny ip any 192.168.111.0 0.0.0.255
330 deny ip any 192.168.112.0 0.0.0.255 (6 matches)
340 deny ip any 192.168.113.0 0.0.0.255
350 permit ip any any (3522 matches)
Now I ping to a server on VLAN 112 from the switch itself--
Only difference on show access-list 100 is line 350.
Only difference on show access-list 112 is line 10 which is expected.
Now I ping to a server on VLAN 112 from a server on VLAN 100--
Nothing on access-list 112 increments at all. Only line 350 increments on access-list 100.
Note: There is a good bit of traffic present on the network which would cause line 350 on access-list 100 to increment. The incrementing on that ACE might be totally unrelated to the ping traffic.
If I ftp from VLAN 100 to VLAN 112
ASKER
Ignore the last line in the previous post.
>Now I ping to a server on VLAN 112 from the switch itself
I wouldn't expect anything on access-list 100 since you are probably pinging from the interface address of vlan 112
>Now I ping to a server on VLAN 112 from a server on VLAN 100
Not sure about this one. Are you running SM or SM software? Can you do a show version please? It may be that access-list counters are buggy. One test would be to add a line 5 denying icmp between the 2 test servers on vlan 100 and see if it blocks it.
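The thread leaves two questions open: which ACE a given flow from VLAN 100 to VLAN 112 ought to hit, and whether a zero counter means the ACE is not being enforced. On the 3560 the `show access-list` counters only reflect packets processed in software; hardware-forwarded packets are not counted, so a silent ACE is not evidence that it is being bypassed, and the deny-line test the answer proposes is the reliable way to confirm enforcement. The following offline evaluator is an added example, not code from the thread or from Cisco: it parses the numbered extended ACL syntax as IOS prints it (the subset used here: permit/deny, ip/icmp/tcp/udp, any/host/wildcard, `eq` port) and reports the first matching ACE for a flow. The ACL excerpt is taken from the thread's access-list 100; the test host addresses 192.168.100.50 and 192.168.112.10, the ephemeral ports and the diagnostic line 5 are constructed placeholders.

```python
"""Offline evaluator for Cisco IOS numbered extended ACLs.

Added example (not from the thread or from Cisco). Handles the syntax subset
used in the thread: permit/deny, ip/icmp/tcp/udp, any/host/wildcard, 'eq port'.
"""
import ipaddress

# IOS port keywords that appear in the thread's ACLs
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "bootps": 67, "bootpc": 68, "www": 80}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (net_int, mask_int, next_i)."""
    if tokens[i] == "any":
        return 0, 0, i + 1                       # mask 0: every bit is "don't care"
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ~wild & 0xFFFFFFFF                    # IOS wildcard: 1 bits are ignored
    return net & mask, mask, i + 2


def _opt_port(tokens, i):
    """Consume an optional 'eq <port>' qualifier; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'show access-list' style lines ('<seq> permit|deny <proto> ...').
    Header lines and existing '(N matches)' annotations are ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split("(")[0].split()       # drop any '(N matches)' suffix
        if not tokens or not tokens[0].isdigit():
            continue                             # e.g. 'Extended IP access list 100'
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, smask, i = _addr(tokens, 3)
        sport, i = _opt_port(tokens, i)
        dst, dmask, i = _addr(tokens, i)
        dport, i = _opt_port(tokens, i)
        aces.append(dict(seq=seq, action=action, proto=proto, src=src, smask=smask,
                         sport=sport, dst=dst, dmask=dmask, dport=dport))
    return aces


def first_match(aces, proto, src, dst, sport=None, dport=None):
    """Return (seq, action) of the first ACE the packet matches, or (None, 'deny')
    for the implicit deny that ends every IOS ACL."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for a in aces:
        if a["proto"] != "ip" and a["proto"] != proto:
            continue
        if (s & a["smask"]) != a["src"] or (d & a["dmask"]) != a["dst"]:
            continue
        if a["sport"] is not None and a["sport"] != sport:
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["seq"], a["action"]
    return None, "deny"


def count_matches(aces, flows):
    """Hit counters as 'show access-list' would show them if every packet were
    counted in software: {seq: matches}; None collects implicit-deny hits."""
    counters = {}
    for flow in flows:
        seq, _ = first_match(aces, *flow)
        counters[seq] = counters.get(seq, 0) + 1
    return counters


# Excerpt of the thread's access-list 100 (applied inbound on Vlan100)
ACL_100 = """
Extended IP access list 100
10 permit icmp any any
100 permit udp any any eq bootps (98 matches)
140 permit tcp any any eq ftp
150 permit tcp any eq ftp any
320 deny ip any 192.168.111.0 0.0.0.255
330 deny ip any 192.168.112.0 0.0.0.255 (6 matches)
350 permit ip any any (3522 matches)
"""

# The diagnostic line the answer proposes: a deny between two test hosts placed
# ahead of 'permit icmp any any' (host addresses are constructed placeholders).
ACL_100_WITH_TEST = ACL_100.replace(
    "10 permit icmp any any",
    "5 deny icmp host 192.168.100.50 host 192.168.112.10\n10 permit icmp any any")

# Constructed flows: (proto, src, dst[, sport, dport])
PING = ("icmp", "192.168.100.50", "192.168.112.10")
FTP_CTRL = ("tcp", "192.168.100.50", "192.168.112.10", 51000, 21)
OTHER_TCP = ("tcp", "192.168.100.50", "192.168.112.10", 51001, 5000)

if __name__ == "__main__":
    aces = parse_acl(ACL_100)
    for flow in (PING, FTP_CTRL, OTHER_TCP):
        print(flow, "->", first_match(aces, *flow))
    print(count_matches(aces, [PING, PING, FTP_CTRL, OTHER_TCP]))
    print("with line 5:", first_match(parse_acl(ACL_100_WITH_TEST), *PING))
```

Run stand-alone it shows the ping from VLAN 100 landing on line 10, the FTP control connection on line 140, and any other TCP flow into 192.168.112.0/24 on the line 330 deny; with the diagnostic line 5 in place the ping is denied at 5. If a real ping between the two hosts still succeeds after adding such a line, the ACL is not being applied to that traffic; if it fails while the counter stays at zero, the ACE is enforced in hardware and simply not counted.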