Ethernet Switches & Routers


Access List to Match Continuation Packet

I use transparent-hw-flooding to replicate traffic and filter it using ACLs. Let's say I want to replicate input from interface ethernet 2/3 to interfaces 3/5 and 3/6. But I got a strange thing happening.

In interface 3/5 I apply this rule for output.

access-list 106 permit tcp any any eq http
access-list 106 permit tcp any any eq ssl

I want to forward only HTTP and HTTPS traffic on 3/5. But the output link utilization shows the traffic is very small, not as predicted. So I want to see what the other packets contain, so I deny all the traffic I need on interface 3/6.

In interface 3/6 I apply this rule for output.

access-list 105 deny tcp any any eq smtp
access-list 105 deny tcp any any eq pop2
access-list 105 deny tcp any any eq pop3
access-list 105 deny tcp any any eq http
access-list 105 deny tcp any any eq ssl
access-list 105 deny tcp any any eq telnet
access-list 105 deny tcp any any eq nntp
access-list 105 deny tcp any any eq ftp-data
access-list 105 deny tcp any any eq ftp
access-list 105 deny udp any any eq dns
access-list 105 deny udp any any eq tftp
access-list 105 deny udp any any eq bootps
access-list 105 deny udp any any eq bootpc
access-list 105 deny udp any any eq 80
access-list 105 deny udp any any eq 443
access-list 105 permit ip any any

Using Wireshark I found that a lot of HTTP packets are not matched and denied by the rule.

Wireshark preview of interface 3/6

Below is the config:

vlan 400
 untagged ethe 2/3 ethe 3/5 to 3/6
 transparent-hw-flooding
!
interface ethernet 2/3
 enable
!
interface ethernet 3/5
 port-name STREAM-5
 enable
 ip access-group 106 out
!
interface ethernet 3/6
 port-name STREAM-6
 enable
 ip access-group 108 out
!
access-list 105 deny tcp any any eq smtp
access-list 105 deny tcp any any eq pop2
access-list 105 deny tcp any any eq pop3
access-list 105 deny tcp any any eq http
access-list 105 deny tcp any any eq ssl
access-list 105 deny tcp any any eq telnet
access-list 105 deny tcp any any eq nntp
access-list 105 deny tcp any any eq ftp-data
access-list 105 deny tcp any any eq ftp
access-list 105 deny udp any any eq dns
access-list 105 deny udp any any eq tftp
access-list 105 deny udp any any eq bootps
access-list 105 deny udp any any eq bootpc
access-list 105 deny udp any any eq 80
access-list 105 deny udp any any eq 443
access-list 105 permit ip any any
!
access-list 106 permit tcp any any eq http
access-list 106 permit tcp any any eq ssl

Has anyone ever seen the same case? Any help is really appreciated.

Thanks,
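Why server-to-client segments can miss these rules, as an added illustration that is not part of the original post: `permit tcp any any eq http` constrains only the destination port, so a reply segment from a web server (source port 80, ephemeral destination port) matches neither line of ACL 106 and falls to the implicit deny, and in ACL 105 the same segments slip past `deny tcp any any eq http` to `permit ip any any`. The model below uses constructed packets; `PORT_NAMES`, `verdicts` and the `ACL_106_BOTH_WAYS` variant are mine, and only `any` addresses are handled.

```python
"""Model of first-match extended ACL evaluation (Cisco/Brocade-style syntax)."""
from collections import namedtuple

PORT_NAMES = {"http": 80, "ssl": 443, "dns": 53}
Packet = namedtuple("Packet", "proto src_port dst_port")  # constructed packets

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto any [eq P] any [eq P]' lines
    into (action, proto, src_port, dst_port); None means any port."""
    rules = []
    for line in lines:
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        ports, i = [], 0
        while i < len(rest):  # one optional 'eq' constraint per address keyword
            assert rest[i] == "any", "only 'any' addresses are modelled here"
            i += 1
            if i < len(rest) and rest[i] == "eq":
                p = rest[i + 1]
                ports.append(int(p) if p.isdigit() else PORT_NAMES[p])
                i += 2
            else:
                ports.append(None)
        rules.append((action, proto, ports[0], ports[1]))
    return rules

def evaluate(rules, pkt):
    """First matching rule decides; an ACL ends with an implicit deny."""
    for action, proto, sport, dport in rules:
        if proto != "ip" and proto != pkt.proto:
            continue
        if sport is not None and pkt.src_port != sport:
            continue
        if dport is not None and pkt.dst_port != dport:
            continue
        return action
    return "deny"
# The page's ACL 106, and a constructed variant that also permits the
# server-to-client direction (source port http/ssl, any destination port).
ACL_106 = ["access-list 106 permit tcp any any eq http",
           "access-list 106 permit tcp any any eq ssl"]
ACL_106_BOTH_WAYS = ACL_106 + ["access-list 106 permit tcp any eq http any",
                               "access-list 106 permit tcp any eq ssl any"]
# Constructed flow: client 51234 -> server 80, and the server's data segment
# back (the packets Wireshark labels "Continuation" or reassembled-PDU segments).
REQUEST, REPLY = Packet("tcp", 51234, 80), Packet("tcp", 80, 51234)

def verdicts(acl_lines):
    rules = parse_acl(acl_lines)
    return {"request": evaluate(rules, REQUEST), "reply": evaluate(rules, REPLY)}
```

Running `verdicts(ACL_106)` permits the request and denies the reply; the variant that matches the source port as well permits both directions.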
