3750 ACL processing problem

Hi

I have a problem of this kind: two days ago I replaced my 2 core switches configured with HSRP, going from 2 Cisco 4908G to 2 Cisco WS-C3750G-12S.

I have copied all the access-lists from the old switches to the new ones. Whereas previously the ACLs were applied directly under the virtual interface, now I have applied the rules directly under the VLAN interface (configured with bridge-group and HSRP). Now I have some problems on some of the VLANs: the ACL applied IN works, but the ACL applied OUT doesn't work; as soon as I apply them they block all the traffic.

For example, on one VLAN I have 2 ACLs where I have to enable only the traffic between the internal LAN X.X.X.X and an external LAN Y.Y.Y.Y on some specified ports, in both directions.

ip access-list extended bloom-in
 permit tcp X.X.X.X 0.0.0.63 Y.Y.Y.Y 0.0.0.255 gt 8193
 permit tcp X.X.X.X 0.0.0.63 Y.Y.Y.Y 0.0.0.255 lt 8199
 permit tcp X.X.X.X 0.0.0.63 Y.Y.Y.Y 0.0.0.255 gt 8208
 permit tcp X.X.X.X 0.0.0.63 Y.Y.Y.Y 0.0.0.255 lt 8221
 permit tcp X.X.X.X 0.0.0.63 Y.Y.Y.Y 0.0.0.255 gt 8290
 permit tcp X.X.X.X 0.0.0.63 Y.Y.Y.Y 0.0.0.255 lt 8295

ip access-list extended bloom-out
 permit tcp Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63 gt 1023
 permit tcp Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63 lt 5001
 permit tcp Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63 gt 8193
 permit tcp Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63 lt 8386
 permit udp Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63 gt 48128
 permit udp Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63 lt 48138

These ACLs have been tested and have worked several times on the old switch; on the new one, when I apply the ACL bloom-out in OUT, nothing works.

Everything works only if I have as ACL in OUT

ip access-list extended bloom-out
 permit ip any any

And also putting as a rule something like this

ip access-list extended bloom-out
 permit ip Y.Y.Y.Y 0.0.0.255 X.X.X.X 0.0.0.63

the traffic is blocked.

Thanks for your help

Reply to
nikp
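A check on the posted lists, added here as an example and not part of the original post: IOS evaluates the entries of a router ACL one at a time, top to bottom, and the first match wins, with an implicit deny at the end. So `gt 8193` on its own line already permits every destination port above 8193, and `lt 8199` on the next line permits every port below 8199; the pair together passes all TCP between the two networks rather than the 8194-8198 window it reads as. The script below (example code, not from the thread) parses the bloom-in entries using constructed RFC 5737 addresses in place of X.X.X.X and Y.Y.Y.Y, evaluates sample packets against them, and compares the result with the same windows written using `range`.

```python
"""Evaluate Cisco IOS extended ACEs against sample packets.

Added example (not code from the thread). First matching ACE wins and an
implicit 'deny ip any any' ends every list, exactly as IOS evaluates a
router ACL on an SVI. Addresses are constructed RFC 5737 values standing
in for the X.X.X.X / Y.Y.Y.Y placeholders in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

PORT_OPS = ("eq", "neq", "gt", "lt", "range")


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]                     # (network, wildcard) as integers
    sport: Optional[Callable[[int], bool]]   # None means "any source port"
    dst: Tuple[int, int]
    dport: Optional[Callable[[int], bool]]


def _addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _port_op(tokens, i):
    """Parse an optional port operator at tokens[i] into a predicate."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    if op == "range":
        lo, hi = int(tokens[i + 1]), int(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    n = int(tokens[i + 1])
    preds = {"eq": lambda p: p == n, "neq": lambda p: p != n,
             "gt": lambda p: p > n, "lt": lambda p: p < n}
    return preds[op], i + 2


def parse_acl(config: str):
    """Parse the permit/deny lines of one 'ip access-list extended' block."""
    aces = []
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                          # header, remark or blank line
        src, i = _addr(tokens, 2)
        sport, i = _port_op(tokens, i)
        dst, i = _addr(tokens, i)
        dport, _ = _port_op(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces


def _in_net(spec, ip):
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF                 # wildcard 0.0.0.63 -> mask /26
    return (int(ipaddress.IPv4Address(ip)) & mask) == (net & mask)


def evaluate(aces, proto, src_ip, sport, dst_ip, dport):
    """Return (action, index) of the first matching ACE; ('deny', None) if none."""
    for idx, a in enumerate(aces):
        if a.proto != "ip" and a.proto != proto:
            continue
        if not _in_net(a.src, src_ip) or not _in_net(a.dst, dst_ip):
            continue
        if a.sport is not None and not a.sport(sport):
            continue
        if a.dport is not None and not a.dport(dport):
            continue
        return a.action, idx
    return "deny", None                       # implicit deny at the end of the list


def permitted_dports(aces, src_ip, dst_ip, proto="tcp", sport=40000):
    """All destination ports the list permits for one src/dst pair."""
    return [p for p in range(1, 65536)
            if evaluate(aces, proto, src_ip, sport, dst_ip, p)[0] == "permit"]


# Constructed config: the posted bloom-in list with 192.0.2.64/26 as the
# internal LAN and 198.51.100.0/24 as the external LAN.
BLOOM_IN = """
ip access-list extended bloom-in
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 gt 8193
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 lt 8199
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 gt 8208
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 lt 8221
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 gt 8290
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 lt 8295
"""

# Same hosts, but each window written with 'range', which is what the
# gt/lt pairs describe if read as single conditions.
BLOOM_IN_RANGES = """
ip access-list extended bloom-in-ranges
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 range 8194 8198
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 range 8209 8220
 permit tcp 192.0.2.64 0.0.0.63 198.51.100.0 0.0.0.255 range 8291 8294
"""

if __name__ == "__main__":
    for cfg in (BLOOM_IN, BLOOM_IN_RANGES):
        ports = permitted_dports(parse_acl(cfg), "192.0.2.70", "198.51.100.9")
        print(cfg.split()[3], len(ports), "destination ports permitted")
```

Run as-is it prints the number of permitted destination ports for each list (all 65535 for the gt/lt form, 21 for the range form). `evaluate` also shows that a packet from a host outside the 0.0.0.63 wildcard, or of a protocol the list never names, falls through to the implicit deny, which is the first thing to check on the OUT list as well: there the SVI sees the packet with source Y.Y.Y.Y and destination X.X.X.X, and anything not matching a permit entry, ICMP included, is dropped.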

What are you using the bridge-group for?

They say that a properly phrased question already contains at least half of the answer. Look here:

formatting link

Reply to
Łukasz Bromir

Hi Lukasz

I can answer only now; I was out of the office.

I'm using the bridge-group because I need all the VLANs to see each other, with the proper rules implemented.

I still have the same problems and the situation is getting worse; sometimes I have problems on the ACL in IN as well.

I will read the docs at the link you forwarded.

Thanks

Reply to
nikp

Hi Lukasz

I read the document and everything looks fine to me; I'm working on a virtual interface at layer 3, as I have always done on my other switch.

From the docs:

"You can apply router ACLs on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs; on physical Layer 3 interfaces; and on Layer 3 EtherChannel interfaces. You apply router ACLs on interfaces for specific directions (inbound or outbound). You can apply one router ACL in each direction on an interface. "

Reply to
nikp

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.