Catalyst 4500 – Unexpected Behavior with Object-Groups in ACLs

aclcisco-catalyst

I'm encountering some unexpected behavior when trying to reference object-groups in an access-list on my Catalyst 4500.

Goal: Restrict a VLAN from accessing other privately addressed subnets (Internet access only), except for a local DNS server in another subnet

IOS-XE Version: 03.03.00.XO RELEASE SOFTWARE (fc2)

General Config:

object-group network subnet_privateClassA 
 10.0.0.0 255.0.0.0
!
object-group network subnet_privateClassB 
 172.16.0.0 255.240.0.0
!
object-group network subnet_privateClassC 
 192.168.0.0 255.255.0.0
!
object-group network subnet_rfc1918All 
 group-object subnet_privateClassA
 group-object subnet_privateClassB
 group-object subnet_privateClassC
!
!

...

interface Vlan70
 ip address 10.10.70.254 255.255.255.0
 ip access-group publicVlan_in in
!

The following access-list blocks access to private IP ranges, except for the desired DNS server (10.16.4.10), but also blocks access to public IPs. So, DNS is able resolve google.com, but pings fail.

ip access-list extended publicVlan_in
 permit ip any host 10.32.4.10
 deny ip any object-group subnet_rfc1918All ! (I've also tried just subnet_privateClassA)
 permit ip any any
!

The next access list works exactly how I want – local DNS works and I can access the Internet:

ip access-list extended publicVlan_in
 permit ip any host 10.32.4.10
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!

The problem seems to be the use of object-groups. What am I missing here?

Best Answer

At long last, an answer. I recently encountered another situation where I had to create access-lists that would benefit from object-group references. After trying several different things to work around the problem, I finally threw in the towel and contacted Cisco technical support (which I'm always loath to do).

After an initial careless and blatantly wrong attempt to answer my question, the Cisco technician came back with the following:

Matthew,

I have reached out to the development team and object group configuration with the 4500 platform does not work as desired given the fact that the feature is not fully supported until code version 15.2(3)E2 which will be released around August 2015.

It is possible for the ACL to be configured because they have the same IOS XE base as other devices that support the feature at this time.

So, there you go - and it only took Cisco 6 days to come up with this answer (a record).

Related Solutions

Understanding Access-Lists, VLANs, and Traffic Flow

This is often a confusing topic for users new to SVIs as it does seem to work a bit counter intuitively. Most people have a tendency to look at the SVI as some sort of "gateway" and that traffic leaving the VLAN should be outbound and vice versa.

However, it actually works in the opposite way because the SVI is a virtual router interface. It can help to think of the SVI as a physical interface on a physical router connected to the VLAN. From the perspective of this router, traffic arriving on the interface (the SVI) from the VLAN is inbound. Traffic from the rest of the network to the VLAN would be going out (or outbound) from the perspective of this interface.

As an example, take for instance the following SVI:

interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group VLAN10_IN in
 ip access-group VLAN10_OUT out

Now, let's say I want to prevent any traffic with spoofed IP addresses from leaving this VLAN. My access list may look like the below. Notice that while this traffic is outbound from the VLAN, it is inbound to the interface and as such is an inbound ACL.

Sw6500#sh ip access-lists VLAN10_IN
Extended IP access list VLAN10_IN
    10 permit ip 10.1.1.0 0.0.0.255 any
    20 deny ip any any

If I want to limit access to this VLAN so that devices with 192.168.1.0/24 addresses are blocked but all other 192.168.0.0/16 addresses are allowed, the ACL would look something like this:

Sw6500#sh ip access-lists VLAN10_OUT
Extended IP access list VLAN10_OUT
    10 deny ip 192.168.1.0 0.0.0.255 any
    20 permit ip 192.168.0.0 0.0.255.255 any
    30 deny ip any any

Please Note: These are not a complete working access lists; they are meant only as examples. While they may work in certain environments, it may create problems if you try to use it. For instance, it will not allow traffic such as DHCP if the DHCP server is on a different VLAN.

One parting note, that may seem obvious but I have seen trip people up before. If the SVI has multiple subnets associated with it, you need to make sure your ACLs take this into account as traffic that passes between these subnets will be processed by the ACL even though it stays within the VLAN.

As long as you keep the concept that the SVI is an interface, this should be easy to accomplish.

Cisco Port ACL Rule blocking port 80 appears to block all traffic

Your access list should look like this:

ip access-list extended PORT-ACL

100 deny tcp any any eq 23
300 deny tcp any any eq 80
500 deny icmp any any timestamp-reply
1000 permit ip any any

interface GigabitEthernet1/0/1
description SERVER-DEVICE
ip access-group PORT-ACL OUT  <-- note change

The direction of the access list is in reference to the router, so OUT means from the router to the server. In that case, you will block traffic from other devices to the server when the TCP destination port is 23 or 80.

Best Answer

Related Solutions

Understanding Access-Lists, VLANs, and Traffic Flow

Cisco Port ACL Rule blocking port 80 appears to block all traffic

Related Topic