Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Cisco 3750x blocking ports?

Posted on 2014-07-28
7
1,622 Views
Last Modified: 2016-02-25
Hey experts.  I am working through an issue that is affecting my Sophos updates and Websense filtering.  Each service is on a different server but located on the same network.  We recently put a Cisco 3750x into production which replaced a Nortel 325-24G.  All of our network traffic comes to this switch before going out to a Contivity 1730 which is managed by a state agency.  I've worn out the state support and they show that the firewall at our location should be able to allow ports 8192 and 8194.  I haven't done much with the 3750x so I'm not sure if that switch is in play with the inability of the Sophos server to get updates or the Websense filtering to function properly.  Both of the issues relating to Sophos and Websense occurred when we put the new Cisco switch in place.

How do I test whether the Cisco switch is or isn't blocking traffic on those ports (if that is even possible)?  

Thank you in advance for your help and time.
0
Comment
Question by:samiam41
  • 4
  • 3
7 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 40224229
show ip access-list
OR
show access-list

Run either of the commands above and see what is blocked or what is allowed

I access lists exist on switchports that affect the servers, you will need to add permission for the port on those ACLs
0
 
LVL 9

Author Comment

by:samiam41
ID: 40224595
Hi Akinsd.  Thanks for replying.  I never got notification that an expert had responded so I apologize for the delay.  I ran the commands as you stated and here are the results.

Core_40#show ip access-list
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any

Core_40#show access-list
Extended IP access list preauth_ipv4_acl (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list preauth_ipv6_acl (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100

I can't decipher what this means.  Does this mean ports 8192 and 8194 are allowed?
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40226073
Those are default Dynamic ACLs on the 3750.

Try show ip interfaces to verify that no acl is applied to any switchport

Technically, based on the configuration in the dynamic acl above, the deny list at the end means anything not permitted in the permit statements will be denied.

However, the traffic in question should not be affected by those ACL assuming default settings are in place.

Let's concentrate on the switchports the servers are connected to and the exit port to the firewall.

Do you have a lower grade switch to connect the servers to for testing?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 9

Author Comment

by:samiam41
ID: 40226565
The switch that was replaced by the new Cisco switch was a Nortel 325-24G.  I am working on putting that switch back in place and seeing if the problem exists.  

The internal network traffic comes into the new Cisco switch and leaves on this port 21.

I ran the "show ip interfaces" command and copied the results relating to port 21

GigabitEthernet1/0/21 is up, line protocol is up
  Inbound  access list is not set

So does this mean that there is no ACL on port 21?
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 500 total points
ID: 40228366
Yes, there's no ACL on port 21.

I believe there wouldn't be an ACL on the server ports either.
From all you provided so far, it doesn't look like the problem is on the 3750 but I won't rule that out completely yet.

You may want to check the configuration on the old switch maybe it will shed some lights
0
 
LVL 9

Author Comment

by:samiam41
ID: 40231889
It appears the problem may come down to packets being tagged now versus not being tagged before.  We've added two VLANS when we only had one with the previous config.  With the assistance of the Websense support folks, we may have it ruled out today.  

I'm going to award points/grade and close out this question as I know now (from your posts) that there is no ACL on the ports in question.

Thank you for your help!!
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 40231930
You're welcome
All the best
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question