Solved

Cisco VLAN ACL problems

Posted on 2010-04-05
Last Modified: 2012-05-09
Hi,

I have a VLAN defined that I'm using ACLs to control the inbound / outbound traffic. My current problem is allowing DNS traffic back in. I THINK I have the rule necessary to allow this but it is still showing denied in my logging by the access list (102) where my rule is. Below is the relevant config:

spidra#sho ver
Cisco Internetwork Operating System Software
IOS (tm) C5RSM Software (C5RSM-DSV-M), Version 11.3(6)WA4(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1998 by cisco Systems, Inc.
Compiled Mon 07-Dec-98 15:01 by
Image text-base: 0x600108F8, data-base: 0x60978000

ROM: System Bootstrap, Version 11.2(17523) [mohsen 102], INTERIM SOFTWARE
BOOTFLASH: C5RSM Software (C5RSM-BOOT-M), Version 11.2(18)P,  RELEASE SOFTWARE (fc1)

spidra uptime is 3 years, 1 week, 3 days, 8 hours, 40 minutes
System restarted by reload at 08:24:00 EST Tue Mar 27 2007
System image file is "slot0:/c5rsm-dsv-mz.113-6.WA4.9.bin", booted via slot0

cisco RSP2 (R4700) processor with 65536K/2072K bytes of memory.
R4700 processor, Implementation 33, Revision 1.0
Last reset from power-on
G.703/E1 software, Version 1.0.
X.25 software, Version 3.0.0.
Bridging software.
1 C5IP controller (20 Vlan).
20 Virtual Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.

16384K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).
16384K bytes of Flash PCMCIA card at slot 1 (Sector size 128K).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

interface Vlan200
 ip address 172.16.244.1 255.255.255.0
 ip access-group 101 in
 ip access-group 102 out


access-list 101 permit tcp any any established log-input
access-list 101 permit udp any any eq domain log-input
access-list 101 permit tcp any any eq www log-input
access-list 101 permit tcp any any eq 443 log-input
access-list 101 permit tcp any any eq domain log-input
access-list 101 permit icmp any any log-input
access-list 101 deny   ip any any log-input

access-list 102 permit tcp any any established log-input
access-list 102 permit tcp any any eq www log-input
access-list 102 permit tcp any any eq 443 log-input
access-list 102 permit udp any any eq domain log-input
access-list 102 permit icmp any any time-exceeded log-input
access-list 102 permit icmp any any echo-reply log-input
access-list 102 permit icmp any any traceroute log-input
access-list 102 permit icmp any any log-input
access-list 102 deny   ip any any log-input


Logging shows the following:

Apr  5 16:44:02 spidra 689888: Apr  5 21:44:02.656: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(49719) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:08 spidra 689889: Apr  5 21:44:07.284: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(49841) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 2 packets
Apr  5 16:44:13 spidra 689890: Apr  5 21:44:12.912: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(17368) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:33 spidra 689896: Apr  5 21:44:32.424: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(1581) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:35 spidra 689897: Apr  5 21:44:34.448: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(1583) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:44:37 spidra 689898: Apr  5 21:44:36.052: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(45711) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 1 packet
Apr  5 16:45:17 spidra 689905: Apr  5 21:45:16.028: %SEC-6-IPACCESSLOGP: list 101 permitted udp 172.16.244.244(45711) (Vlan200 0021.70b4.7816) -> 68.xxx.xxx.xxx(53), 2 packets
Apr  5 16:45:23 spidra 689906: Apr  5 21:45:22.148: %SEC-6-IPACCESSLOGP: list 102 denied udp 68.xxx.xxx.xxx(53) (Vlan10 000e.83c9.ee85) -> 172.16.244.244(45711), 3 packets
Apr  5 16:45:23 spidra 689907: Apr  5 21:45:23.148: %SEC-6-IPACCESSLOGP: list 102 denied udp 68.xxx.xxx.xxx(53) (Vlan10 000e.83c9.ee85) -> 172.16.244.244(29163), 2 packets
Question by:xogent
2 Comments
 

Accepted Solution

by:
Istvan Kalmar earned 2000 total points
ID: 29870563
Hi,

You need

ip access-list extended 102
 11 permit udp any eq 53 172.16.244.0 0.0.0.255

Best regards,
Istvan
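To make the port-position point behind this answer concrete, here is an added example (written for this page; it is not the poster's code and not anything from Cisco): a small Python evaluator for IOS-style extended ACL lines that walks the ACL 101 and ACL 102 entries from the question with first-match semantics. Run against a packet modelled on the denied log line, it shows that "permit udp any any eq domain" only matches a DNS query (destination port 53), while the DNS reply has source port 53 and a random destination port, so only the accepted answer's "permit udp any eq 53 172.16.244.0 0.0.0.255" entry matches it. The resolver address 198.51.100.53 is a constructed stand-in for the redacted 68.xxx.xxx.xxx in the logs; the evaluator is a deliberate simplification (ICMP type keywords and log-input are ignored, and "established" is modelled as the TCP ACK bit).

```python
# Added example, not from the original page: minimal evaluator for IOS-style
# extended ACL entries, enough to show why the original ACL 102 drops DNS replies.
import ipaddress

PORT_NAMES = {"domain": 53, "www": 80}  # only the names used on this page


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i].
    Returns ((network, mask), next_index) with IPv4 addresses as ints."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, ~wildcard & 0xFFFFFFFF), i + 2


def _parse_port(tokens, i):
    """Optional 'eq PORT' qualifier directly after an address; returns (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return _port(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N <action> <proto> <src> [eq p] <dst> [eq p] ...'
    or the named-ACL form '<seq> <action> <proto> ...'. ICMP type words and
    log-input are ignored; 'established' is recorded as a flag."""
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]
    elif toks[0].isdigit():
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    src, i = _parse_addr(toks, 2)
    sport, i = _parse_port(toks, i)
    dst, i = _parse_addr(toks, i)
    dport, i = _parse_port(toks, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in toks[i:]}


def _addr_match(spec, ip):
    net, mask = spec
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def ace_matches(ace, pkt):
    """pkt keys: proto, src, dst, optional sport/dport, optional ack (TCP ACK bit)."""
    if ace["proto"] not in ("ip", pkt["proto"]):
        return False
    if not _addr_match(ace["src"], pkt["src"]) or not _addr_match(ace["dst"], pkt["dst"]):
        return False
    if ace["sport"] is not None and pkt.get("sport") != ace["sport"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    if ace["established"] and not (pkt["proto"] == "tcp" and pkt.get("ack")):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "<implicit deny ip any any>"


# ACL entries as posted in the question.
ACL_101 = [
    "access-list 101 permit tcp any any established log-input",
    "access-list 101 permit udp any any eq domain log-input",
    "access-list 101 permit tcp any any eq www log-input",
    "access-list 101 permit tcp any any eq 443 log-input",
    "access-list 101 permit tcp any any eq domain log-input",
    "access-list 101 permit icmp any any log-input",
    "access-list 101 deny   ip any any log-input",
]
ACL_102_ORIGINAL = [
    "access-list 102 permit tcp any any established log-input",
    "access-list 102 permit tcp any any eq www log-input",
    "access-list 102 permit tcp any any eq 443 log-input",
    "access-list 102 permit udp any any eq domain log-input",
    "access-list 102 permit icmp any any time-exceeded log-input",
    "access-list 102 permit icmp any any echo-reply log-input",
    "access-list 102 permit icmp any any traceroute log-input",
    "access-list 102 permit icmp any any log-input",
    "access-list 102 deny   ip any any log-input",
]
# The accepted answer's entry at sequence 11, i.e. right after the first line.
ACL_102_FIXED = ACL_102_ORIGINAL[:1] + ["11 permit udp any eq 53 172.16.244.0 0.0.0.255"] + ACL_102_ORIGINAL[1:]

# Constructed packets mirroring the logged query and its denied reply
# (198.51.100.53 stands in for the redacted 68.xxx.xxx.xxx resolver).
DNS_QUERY = {"proto": "udp", "src": "172.16.244.244", "sport": 45711, "dst": "198.51.100.53", "dport": 53}
DNS_REPLY = {"proto": "udp", "src": "198.51.100.53", "sport": 53, "dst": "172.16.244.244", "dport": 45711}
TCP_REPLY = {"proto": "tcp", "src": "198.51.100.53", "sport": 443, "dst": "172.16.244.244", "dport": 50000, "ack": True}

if __name__ == "__main__":
    print("query, ACL 101 in     :", evaluate(ACL_101, DNS_QUERY))
    print("reply, ACL 102 as was :", evaluate(ACL_102_ORIGINAL, DNS_REPLY))
    print("reply, ACL 102 fixed  :", evaluate(ACL_102_FIXED, DNS_REPLY))
    print("tcp reply, ACL 102    :", evaluate(ACL_102_ORIGINAL, TCP_REPLY))
```

The TCP case is included to show why only DNS was affected: "permit tcp any any established" lets TCP return traffic through on the ACK bit, but UDP has no equivalent, so UDP replies must be matched explicitly on their source port. Since any sender can set a source port of 53, the answer's scoping of the destination to 172.16.244.0/24 (rather than "any") is the part worth keeping when the entry is copied elsewhere.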
 

Author Comment

by:xogent
ID: 29906647
That seems to have worked.  Thanks!  I was following (I thought) the syntax of some existing rules.  Yours has a different syntax/layout.
