Troubleshooting IP Access Lists



Similar documents
Chapter 3 Using Access Control Lists (ACLs)

CCNA Access List Sim

Configuring NetFlow Secure Event Logging (NSEL)

IPv4 Supplement Tutorial - Job Aids and Subnetting

Network Data Encryption Commands

Adding an Extended Access List

Configuring a Backup Path Test Using Network Monitoring

Lab Configure Cisco IOS Firewall CBAC

Cisco Configuring Commonly Used IP ACLs

Cisco ASA and NetFlow Using ASA NetFlow with LiveAction Flow Software

PIX/ASA 7.x with Syslog Configuration Example

Monitoring Network Traffic Using SPAN

Table of Contents. Configuring IP Access Lists

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

Procedure: You can find the problem sheet on Drive D: of the lab PCs. 1. IP address for this host computer 2. Subnet mask 3. Default gateway address

8 steps to protect your Cisco router

EXPLORER. TFT Filter CONFIGURATION

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Configuring Control Plane Policing

Network Monitoring. SAN Discovery and Topology Mapping. Device Discovery. Topology Mapping. Send documentation comments to

Configuring the Firewall Management Interface

Securing Networks with PIX and ASA

Configuring Network Address Translation

Configuring MAC ACLs

Firewall Stateful Inspection of ICMP

Implementation Note for NetFlow Collectors

Configuring NetFlow-lite

Configuring Trend Micro Content Security

Enabling Remote Access to the ACE

Network Load Balancing

LAB II: Securing The Data Path and Routing Infrastructure

Lecture 15. IP address space managed by Internet Assigned Numbers Authority (IANA)

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Configuring Network Address Translation

Terminal Server Configuration and Reference Errata

Troubleshooting the Firewall Services Module

Cisco QuickVPN Installation Tips for Windows Operating Systems

Configuring NetFlow Secure Event Logging (NSEL)

Implementing Secure Converged Wide Area Networks (ISCW)

Technical Support Information Belkin internal use only

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

How To: Configure a Cisco ASA 5505 for Video Conferencing

LAB THREE STATIC ROUTING

Configuring the WT-4 for Upload to a Computer (Ad-hoc Mode)

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Lab 2 - Basic Router Configuration

Configuring Class Maps and Policy Maps

Lab - Configure a Windows 7 Firewall

Configuring the WT-4 for Upload to a Computer (Infrastructure Mode)

Integration with CA Transaction Impact Monitor

Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0

Configuring Network Security with ACLs

Monitoring Network Traffic Using SPAN

Troubleshooting the Firewall Services Module

Lab 8: Confi guring QoS

Web-Based Configuration Manual System Report. Table of Contents

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Chapter 2 Quality of Service (QoS)

Using Device Discovery

Firewall Firewall August, 2003

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Management, Logging and Troubleshooting

F-Secure Messaging Security Gateway. Deployment Guide

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Brocade to Cisco Comparisons

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

IOS Zone Based Firewall Step-by-Step Basic Configuration

Lab - Using Wireshark to View Network Traffic

How To Configure A Network Monitor Probe On A Network Wire On A Microsoft Ipv6 (Networking) Device (Netware) On A Pc Or Ipv4 (Network) On An Ipv2 (Netnet) Or Ip

Interconnecting Cisco Network Devices 1 Course, Class Outline

PktFilter A Win32 service to control the IPv4 filtering driver of Windows 2000/XP/Server

Lab - Configure a Windows Vista Firewall

Networking Guide Redwood Manager 3.0 August 2013

SUBNETTING SCENARIO S

Network Agent Quick Start

Configuring Flexible NetFlow

Firewall Stateful Inspection of ICMP

Configuring System Message Logging

Firewall Technologies. Access Lists Firewalls

108Mbps Super-G TM Wireless LAN Router with XR USER MANUAL

IP Filter/Firewall Setup

Configuring Health Monitoring

FIREWALLS & CBAC. philip.heimer@hh.se

Setting Policies Using RF Director

TCP/IP Basis. OSI Model

Configuring Static and Dynamic NAT Translation

Security and Access Control Lists (ACLs)

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway

RSA Security Analytics

Network Security 1. Module 8 Configure Filtering on a Router

Configuring SSL VPN on the Cisco ISA500 Security Appliance

CCT vs. CCENT Skill Set Comparison

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Unix System Administration

Chapter 4 Rate Limiting

Implementing Network Address Translation and Port Redirection in epipe

IP - The Internet Protocol

+ iptables. packet filtering && firewall

Transcription:

CHAPTER 21 This chapter describes how to troubleshoot IPv4 and IPv6 access lists (IP-ACLs) created and maintained in the Cisco MDS 9000 Family. It includes the following sections: Overview, page 21-1 Initial Troubleshooting Checklist, page 21-4 IP-ACL Issues, page 21-4 Overview IP-ACLs provide basic network security to all switches in the Cisco MDS 9000 Family. IP-ACLs restrict IP-related traffic based on the configured IP filters. A filter contains the rules to match an IP packet, and if the packet matches, the rule also stipulates if the packet should be permitted or denied. Each switch in the Cisco MDS 9000 Family can have a maximum of 64 IP-ACLs and each IP-ACL can have a maximum of 256 filters. An IP filter contains rules for matching an IP packet based on the protocol, address, and port. IPv4 filters can also match on an ICMP type and type of service (ToS). This section includes the following topics: Protocol Information, page 21-1 Address Information, page 21-2 Port Information, page 21-2 ICMP Information, page 21-3 ToS Information, page 21-3 Protocol Information You can specify the IP protocol in one of two ways: Specify an integer ranging from 0 to 255. This number represents the IP protocol. Specify the name of a protocol, restricted to Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). 21-1

Overview Chapter 21 Address Information For IPv4, specify the source and source-wildcard or the destination and destination-wildcard in one of two ways: Use the 32-bit quantity in four-part, dotted decimal format (10.1.1.2 0.0.0.0 is the same as host 10.1.1.2). Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IPv4 address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IPv4 address will be considered a match to this access list entry. Place ones in the binary bit positions you want to ignore and then convert to decimal. For example, use 0.0.255.255 to require an exact match of only the first 16 bits of the source. Wildcard bits set to one must be contiguous and at the end of the prefix. For example, a wildcard of 0.255.0.64 would not be valid. Use the any option as an abbreviation for a source and source-wildcard or destination and destination-wildcard (0.0.0.0 255.255.255.255) For IPv6, specify the source or the destination IPv6 addresses in one of two ways: Use the 128-bit quantity in colon-separated hexadecimal <prefix>/<length> format. For example, use 2001:0DB8:800:200C::/64 to require an exact match of the first 64 bits of the source. Use the any option as an abbreviation for a source or destination. Port Information To compare the source and destination ports, use the eq (equal) option, the gt (greater than) option, the lt (less than) option, or the range (range of ports) option. Table 21-1 displays the port numbers recognized by the Cisco SAN-OS software for associated TCP and UDP ports for IPv4. Note IPv6-ACL CLI commands do not support TCP or UDP port names. Table 21-1 TCP and UDP Port Numbers for IPv4 Protocol Port Number UDP dns 53 tftp 69 ntp 123 radius accounting 1646 or 1813 radius authentication 1645 or 1812 snmp 161 snmp-trap 162 syslog 514 21-2

Chapter 21 Overview Table 21-1 TCP and UDP Port Numbers for IPv4 (continued) Protocol Port Number TCP 1 ftp 20 ftp-data 21 ssh 22 telnet 23 smtp 25 tasacs-ds 65 www 80 sftp 115 http 143 wbem-http 5988 wbem-https 5989 1. If the TCP connection is already established, use the established option to find matches. A match occurs if the SYN flag is not set in the TCP datagram. ICMP Information IP packets can be filtered based on the following optional ICMP conditions: The icmp-type: The ICMP message type is a number from 0 to 255. The icmp-code: The ICMP message code is a number from 0 to 255. Table 21-2 displays the value for each ICMP type. Table 21-2 ICMP Type Value ICMP Type Code echo 8 echo-reply 0 unreachable 3 redirect 5 time exceeded 11 traceroute 30 ToS Information IPv4 packets can be filtered based on the ToS conditions delay, monetary-cost, normal-service, reliability, and throughput. 21-3

Initial Troubleshooting Checklist Chapter 21 Initial Troubleshooting Checklist Begin troubleshooting IP-ACLs by checking the following issues: Checklist Verify licensing requirements. See Cisco MDS 9000 Family Fabric Manager Configuration Guide. Verify that the access list has been applied to the interface. Verify that the access list is not empty. Verify the order of the rules in the access list. Check off Common Troubleshooting Tools in Fabric Manager Choose Switches > Security > IP ACL to access IP-ACL configuration. Common Troubleshooting Commands in the CLI The following commands may be useful in troubleshooting IP-ACL issues: show ip access-list show ipv6 access-list show interface Use the log-deny option at the end of a filter condition to log information about packets that match dropped entries. The log output displays the ACL number, permit or deny status, and port information. Use the following CLI commands to ensure that the debug messages are logged to the logfile for the kernel and ipacl facilities: logging logfile SyslogFile 7 logging level kernel 7 logging level ipacl 7 IP-ACL Issues This section describes troubleshooting ACLs and includes the following topics: All Packets Are Blocked, page 21-5 No Packets Are Blocked, page 21-7 PortChannel Not Working with ACL, page 21-8 Cannot Remotely Connect to Switch, page 21-8 21-4

Chapter 21 IP-ACL Issues All Packets Are Blocked Symptom All packets are blocked. Table 21-3 All Packets Are Blocked Symptom Possible Cause Solution All packets are blocked. Access list is empty. A deny filter is too broad. Deny filter is too high in the access list order. No existing permit filters match the packets. Re-creating IP-ACLs Using Fabric Manager To re-create an IP-ACL using Fabric Manager, follow these steps: Remove the access list from the interface. Choose Switches > Security > IP ACL in Fabric Manager, select the Interfaces tab, and remove the ACL name from the ProfileName field. Click Apply Changes. Or use the no ip access-group or the no ipv6 traffic-filter CLI command in interface mode. Delete the deny filter. Choose Security > IP ACL in Device Manager, right-click the access list, and click Rules. Right-click the filter you want to delete and click Delete. Or use the no ip access-list for IPv4-ACLs or no ipv6 access-list for IPv6, and use the no deny CLI command in IP-ACL configuration submode. Delete the access list and re-create. See the Re-creating IP-ACLs Using Fabric Manager section on page 21-5 or the Re-creating IP-ACLs Using the CLI section on page 21-6. Add an appropriate permit filter. Choose Security > IP ACL in Device Manager, right-click the access list, and click Rules. Click Create. Or use the ip access-list for IPv4-ACLs or ipv6 access-list for IPv6, and use the permit CLI command in IP-ACL configuration submode. Step 1 Step 2 Step 3 Step 4 Step 5 Choose Switches > Security > IP ACL and select the Interfaces tab. Right-click all interfaces that have the IP-ACL you need to modify and remove the IP-ACL name from the ProfileName field. Click Apply Changes to save these changes. Click the IP ACL wizard icon. You see the IP-ACL wizard dialog box. Add the IP-ACL name in the name field and click Add. 21-5

IP-ACL Issues Chapter 21 Step 6 Step 7 Step 8 Set the IP address, subnet mask, and protocol. Select permit or deny from the Action drop-down menu and click Next. Check the switches that you want to apply this ACL to and click Finish. Re-creating IP-ACLs Using the CLI To r-create an IP-ACL using the CLI, follow these steps: Step 1 Step 2 Step 3 Use the show interface command to determine which interfaces use the ACL. switch# show interface gigabitethernet 2/1 GigabitEthernet2/1 is up Hardware is GigabitEthernet, address is 0005.3001.a706 Internet address(es): 4000::1/64 fe80::205:30ff:fe01:a706/64 MTU 2300 bytes Port mode is IPS Speed is 1 Gbps Beacon is turned off Auto-Negotiation is turned on ip access-group TCPAlow in 5 minutes input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec 5 minutes output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec 1916 packets input, 114960 bytes 0 multicast frames, 0 compressed 0 input errors, 0 frame, 0 overrun 0 fifo 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 fifo 0 carrier errors Use the no ip access-group or the no ipv6 traffic-filter command in interface mode to remove the ACL from the interface. Repeat this step for all interfaces found in Step 1. switch(config)# interface gigabitethernet 2/1 switch(config-if)# no ip access-group TCPAlow Use the no ip access-list or the no ipv6 access-list command to delete the access list and all filters associated with it. switch(config)# no ip access-list TCPAlow Note We recommend deleting an ACL and re-creating it because you cannot change the order of filters in an ACL. 21-6

Chapter 21 IP-ACL Issues Step 4 Use the ip access-list or the ipv6 access-list command to create an access list. switch(config)# ip access-list List1 permit ip any any Tip Step 5 Add the filters in priority order. Add a fall-through filter in the case where no filter matches an incoming packet. Use the ip access-group or the ipv6 traffic-filter command in interface mode to add the ACL to the interface. Repeat this step for all interfaces found in Step 1. switch(config)# interface gigabitethernet 2/1 switch(config-if)# ip access-group List1 switch(config)# interface gigabitethernet 2/2 switch(config-if)# ipv6 traffic-filter IPAlow No Packets Are Blocked Symptom No packets are blocked. Table 21-4 No Packets Are blocked Symptom Possible Cause Solution No packets are blocked. A permit filter is too broad. Permit filter is too high in the access list order. Delete the permit filter. Add an appropriate permit filter. Choose Security > IP ACL in Device Manager, right- click the access list and click Rules. Right-click the rule and click Delete. Or use the no ip access-list for IPv4-ACLs or no ipv6 access-list for IPv6, and use the no permit CLI command in IP-ACL configuration submode. Delete the access list and re-create. See the Re-creating IP-ACLs Using Fabric Manager section on page 21-5 or the Re-creating IP-ACLs Using the CLI section on page 21-6. 21-7

IP-ACL Issues Chapter 21 PortChannel Not Working with ACL Symptom PortChannel not working with ACL. Table 21-5 PortChannel Not Working with ACL Symptom Possible Cause Solution PortChannel not working with ACL ACL not applied to all interfaces in the PortChannel. Add the ACL to all interfaces in the PortChannel. Choose Switches > ISLs > Port Channels to view the Members Admin field to find out which interfaces are part of the PortChannel. Choose Switches > Security > IP ACL on Fabric Manager, select the Interfaces tab, and add the ACL name to the ProfileName field. Click Apply Changes. Or use the show port-channel database CLI command to find out which interfaces are part of the PortChannel and then use the ip access-group or the ipv6 traffic-filter CLI command in interface mode to add the ACL to all interfaces in the PortChannel. Cannot Remotely Connect to Switch Symptom Cannot remotely connect to switch. Table 21-6 Cannot Remotely Connect to Switch Symptom Possible Cause Solution Cannot remotely connect to switch. Incorrect ACL on mgmt0 interface. Connect to console port locally and delete the ACL. Use the no ip access-group or the no ipv6 traffic-filter CLI command in interface mode. 21-8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information