
Cisco 3650x ACL

260 Views
Last Modified: 2017-04-28
Since our switch is acting as an L2 Switch, and our VLANs are untagged I need to create an ACL for the WiFi Subnet to stop it from gaining access to the Production VLAN

I have attached a snapshot of the ACL rules. The issue I have is that it's not blocking any TCP traffic to the IP address that I have issued a permit rule to.
Capture.PNG

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Capture.png is just the access list. ACLs don't actually do anything until they are applied somewhere (physical interface, SVI or VLAN). Since your ACL is an extended ACL, it also needs to be applied in the right place and in the right direction to be able to filter traffic.
VH

Author

Commented:
Hi Predrag,

This ACL has been applied to the switch interfaces that are on that vlan and are set to in
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Still insufficient details.
Switch interface can be physical or virtual.
:)
So, if ACL itself is written properly (source of traffic is located in 172.27.5.0/24 and destination for traffic is located in 172.27.0.0/24) typically there are two possible errors:
ACL is applied on wrong interface, or in the wrong direction (or both).
Harold Bowlin, Owner/Network Architect
CERTIFIED EXPERT

Commented:
Actually, you need to put all your denies in the ACL before your permits. This will ensure the denies are caught in the ACL before the permits. These are read by the switch in a top down fashion.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Not really that denies need to be permits. Otherwise statement 170 would block a lot ... :)
More specific statements should be on the top.
Owner/Network Architect
CERTIFIED EXPERT
Commented:
VH

Author

Commented:
OK, I redid the ACL with the deny TCP ports up at the top and it seems to be working.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
Not really that denies need to be permits
Supposed to be
Not really that denies need to be before permits.
Actually, you need to put all your denies in the ACL before your permits.
Is there something to misunderstand here? According to this
170 deny ip 172.27.5.0 0.0.0.255 172.27.0.0 0.0.0.255
should be before
130 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.1
140 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.10
150 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.7
160 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.5

Access list as you wrote it, is now ordered as
More specific statements should be on the top.
:)
I did not really pay attention to how the ACL was written (did not notice that the destination addresses overlap).
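To make the ordering point concrete, here is a small first-match evaluator for Cisco extended-ACL lines, added as an example; it is not code from the thread, from the original poster, or from Cisco. It parses the entries quoted above using IOS wildcard-mask semantics and the implicit deny at the end of every list, then shows that moving the 172.27.0.0/24 deny above the host permits would shadow all four of them. The sample flows are constructed, and the optional `eq <port>` handling is an assumption about the rebuilt ACL, not something the thread shows. It models only the list itself, not where it is applied or in which direction, which is the separate problem Predrag raised first.

```python
import ipaddress

# Constructed copy of the ACL entries quoted in the thread, in IOS
# extended-ACL syntax: sequence, action, protocol, source, destination,
# optional "eq <port>" on the destination (assumed, not shown in the thread).
ACL_AS_QUOTED = [
    "130 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.1",
    "140 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.10",
    "150 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.7",
    "160 permit ip 172.27.5.0 0.0.0.255 host 172.27.0.5",
    "170 deny ip 172.27.5.0 0.0.0.255 172.27.0.0 0.0.0.255",
]

# What "all denies before all permits", read literally, would produce:
# the broad /24 deny resequenced above the host-specific permits.
DENY_ON_TOP = ["10 deny ip 172.27.5.0 0.0.0.255 172.27.0.0 0.0.0.255"] + ACL_AS_QUOTED[:4]


def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD.

    Returns (network, mask, remaining_tokens). A wildcard bit of 1 means
    "don't care", so the equivalent subnet mask is the wildcard's inverse.
    """
    if tokens[0] == "any":
        return 0, 0, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF, tokens[2:]
    ip = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    mask = ~wildcard & 0xFFFFFFFF
    return ip & mask, mask, tokens[2:]


def parse_ace(line):
    """Parse one ACE line into the fields needed for matching."""
    tokens = line.split()
    seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
    src, smask, rest = _parse_addr(tokens[3:])
    dst, dmask, rest = _parse_addr(rest)
    dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return {"seq": seq, "action": action, "proto": proto,
            "src": src, "smask": smask, "dst": dst, "dmask": dmask, "dport": dport}


def evaluate(acl_lines, proto, src_ip, dst_ip, dport=None):
    """Top-down first match in sequence-number order, implicit deny at the end.

    Returns (action, sequence_number); ('deny', None) means the packet
    matched nothing and fell off the end of the list.
    """
    aces = sorted((parse_ace(l) for l in acl_lines), key=lambda a: a["seq"])
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue  # "ip" matches every protocol; "tcp" only matches tcp
        if (s & ace["smask"]) != ace["src"] or (d & ace["dmask"]) != ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["seq"]
    return "deny", None


def shadowed_entries(acl_lines):
    """Sequence numbers of ACEs that can never match because an earlier,
    broader ACE already covers every packet they would match. Compares
    protocol and address fields only; an earlier entry with a port is not
    treated as covering."""
    aces = sorted((parse_ace(l) for l in acl_lines), key=lambda a: a["seq"])
    shadowed = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            covers_proto = earlier["proto"] in ("ip", later["proto"])
            # earlier covers later when earlier's mask is no more specific
            # and later's network lies inside earlier's network.
            covers_src = ((earlier["smask"] & later["smask"]) == earlier["smask"]
                          and (later["src"] & earlier["smask"]) == earlier["src"])
            covers_dst = ((earlier["dmask"] & later["dmask"]) == earlier["dmask"]
                          and (later["dst"] & earlier["dmask"]) == earlier["dst"])
            if covers_proto and covers_src and covers_dst and earlier["dport"] is None:
                shadowed.append(later["seq"])
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows from a WiFi host: to a permitted server, to
    # another production host, and to an address outside the production range.
    for name, acl in (("as quoted", ACL_AS_QUOTED), ("deny on top", DENY_ON_TOP)):
        print(name,
              evaluate(acl, "tcp", "172.27.5.20", "172.27.0.1"),
              evaluate(acl, "tcp", "172.27.5.20", "172.27.0.50"),
              evaluate(acl, "tcp", "172.27.5.20", "10.0.0.1"),
              "shadowed:", shadowed_entries(acl))
```

With the list as quoted, a WiFi host reaching 172.27.0.1 hits permit 130 and any other production address hits deny 170; with the deny resequenced on top, every packet to 172.27.0.0/24 hits the deny and `shadowed_entries` reports all four permits as dead. Running `shadowed_entries` over a proposed list before applying it is a cheap way to catch this class of ordering mistake.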