Thursday, July 11, 2019

ACL weirdness with Aruba 5412Rzl2

Hey all - so I ran into a bit of weirdness recently with an ACL applied outbound on a VLAN interface on my core 5412Rzl2. The problem was that our DCs were unable to sync their time with our NTP servers. The DCs live in different subnets than the NTP servers. The cause of the problem turned out to be with the ACL applied outbound to the VLAN that the NTP servers reside in. However, that same ACL had permits allowing the DCs to the entire server subnet for ip. There is also another permit allowing UDP traffic from our internal networks into the subnet where the NTP servers live. There are no rules that would block this traffic before the allows in the ACL that I can see.

Removing the ACL from the VLAN interface resolved the issue, but of course that wasn't a true fix for the situation. I ended up having to add specific permits from the DCs to the NTP servers for udp/123 before the DCs could sync their time with the NTP servers. Given the other ACEs already in place I am not sure why this was necessary.

Below is the relevant portion of the outbound ACL in question. IPs have been changed to sanitize the ACL for a public forum. Also, a couple of SNMP allow rules have been omitted for brevity. The ACL is actually much longer than what is presented here, but the rest isn't needed for troubleshooting this issue. Please note: This is the ACL after the specific NTP allows have been added. Omit any ACEs with "eq 123" and you'll have the ACL as it was originally applied where it was stopping NTP traffic from the DCs.

 remark "deny WiFi networks"
 deny ip 10.100.0.0 0.0.31.255 192.168.246.0 0.0.0.255
 deny ip 10.103.0.0 0.0.31.255 192.168.246.0 0.0.0.255
 remark "deny ping to broadcast"
 deny icmp 0.0.0.0 255.255.255.255 192.168.246.255 0.0.0.0 log
 remark "allow ping from internal networks"
 permit icmp 10.0.0.0 0.255.255.255 192.168.246.0 0.0.0.255
 permit icmp 192.168.240.0 0.0.7.255 192.168.246.0 0.0.0.255
 permit icmp 192.168.248.0 0.0.0.255 192.168.246.0 0.0.0.255
 remark "allow NTP from DCs to NTP servers"
 permit udp 192.168.240.15 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
 permit udp 192.168.240.15 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
 permit udp 192.168.240.15 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
 permit udp 192.168.240.16 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
 permit udp 192.168.240.16 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
 permit udp 192.168.240.16 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
 permit udp 192.168.240.17 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
 permit udp 192.168.240.17 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
 permit udp 192.168.240.17 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
 permit udp 192.168.248.12 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
 permit udp 192.168.248.12 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
 permit udp 192.168.248.12 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
 permit udp 192.168.248.13 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
 permit udp 192.168.248.13 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
 permit udp 192.168.248.13 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
 permit udp 192.168.248.14 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
 permit udp 192.168.248.14 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
 permit udp 192.168.248.14 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
 remark "allow all traffic from Domain Controllers"
 permit ip 192.168.240.15 0.0.0.0 192.168.246.0 0.0.0.255
 permit ip 192.168.240.16 0.0.0.0 192.168.246.0 0.0.0.255
 permit ip 192.168.240.17 0.0.0.0 192.168.246.0 0.0.0.255
 permit ip 192.168.248.12 0.0.0.0 192.168.246.0 0.0.0.255
 permit ip 192.168.248.13 0.0.0.0 192.168.246.0 0.0.0.255
 permit ip 192.168.248.14 0.0.0.0 192.168.246.0 0.0.0.255
 remark "Allow DMZ to Server Subnet unrestricted"
 permit ip 192.168.241.0 0.0.0.127 192.168.246.0 0.0.0.255 log
 remark "allow SNMP on Netsight-Server for management network"
 permit udp 172.18.0.0 0.0.255.255 192.168.246.150 0.0.0.0 range 161 162
 remark "block SNMP from other networks"
 deny udp 0.0.0.0 255.255.255.255 192.168.246.0 0.0.0.255 range 161 162 log
 remark "allow UDP from internal networks"
 permit udp 10.0.0.0 0.255.255.255 192.168.246.0 0.0.0.255
 permit udp 192.168.240.0 0.0.7.255 192.168.246.0 0.0.0.255
 permit udp 192.168.248.0 0.0.0.255 192.168.246.0 0.0.0.255
 permit udp 172.18.0.0 0.0.255.255 192.168.246.0 0.0.0.255

The 5412Rzl2 is running KB.16.08.0001. Thanks in advance for any feedback.
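The following is an added example, not code from the original post or from Aruba: a small reference evaluator for ACLs in this syntax, used to check what the documented first-match semantics predict for the flows above. It parses the sanitized ACL as it was originally applied (the "eq 123" ACEs omitted), treats wildcard-mask bits set to 1 as don't-care, assumes that "eq" and "range" after the destination address refer to the destination port, ignores the trailing "log" keyword, and applies the implicit deny at the end. Under those rules the DC-to-NTP-server udp/123 flow hits the "permit ip" ACE for each DC before any deny, and even with those per-host permits removed it still lands on the "permit udp" ACE for the internal networks, which is the behaviour the post expected. The evaluator says nothing about why the switch diverged; it only gives a concrete baseline to compare against what the device actually did.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "udp", "tcp", "icmp"
    src: int                          # source base address
    src_wild: int                     # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wild: int
    dport: Optional[Tuple[int, int]]  # inclusive destination port range, or None
    text: str                         # original ACE text, for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_acl(text: str) -> List[Ace]:
    """Parse ArubaOS-Switch style ACEs; remarks and a trailing 'log' are ignored."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("remark"):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, src_w, dst, dst_w = tok[2:6]
        rest = tok[6:]
        dport = None
        # Assumption: 'eq'/'range' after the destination address are destination ports.
        if rest and rest[0] == "eq":
            dport = (int(rest[1]), int(rest[1]))
        elif rest and rest[0] == "range":
            dport = (int(rest[1]), int(rest[2]))
        aces.append(Ace(action, proto, _ip(src), _ip(src_w), _ip(dst), _ip(dst_w), dport, line))
    return aces


def _wild_match(addr: int, base: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF        # bits we must compare
    return (addr & care) == (base & care)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str, dport: Optional[int] = None):
    """First-match evaluation: returns (action, 1-based ACE index or None, ACE text)."""
    s, d = _ip(src), _ip(dst)
    for i, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _wild_match(s, ace.src, ace.src_wild):
            continue
        if not _wild_match(d, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and (dport is None or not ace.dport[0] <= dport <= ace.dport[1]):
            continue
        return ace.action, i, ace.text
    return "deny", None, "implicit deny any"


# The post's sanitized ACL as originally applied (the per-host "eq 123" ACEs omitted).
ORIGINAL_ACL = """
remark "deny WiFi networks"
deny ip 10.100.0.0 0.0.31.255 192.168.246.0 0.0.0.255
deny ip 10.103.0.0 0.0.31.255 192.168.246.0 0.0.0.255
remark "deny ping to broadcast"
deny icmp 0.0.0.0 255.255.255.255 192.168.246.255 0.0.0.0 log
remark "allow ping from internal networks"
permit icmp 10.0.0.0 0.255.255.255 192.168.246.0 0.0.0.255
permit icmp 192.168.240.0 0.0.7.255 192.168.246.0 0.0.0.255
permit icmp 192.168.248.0 0.0.0.255 192.168.246.0 0.0.0.255
remark "allow all traffic from Domain Controllers"
permit ip 192.168.240.15 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.240.16 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.240.17 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.248.12 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.248.13 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.248.14 0.0.0.0 192.168.246.0 0.0.0.255
remark "Allow DMZ to Server Subnet unrestricted"
permit ip 192.168.241.0 0.0.0.127 192.168.246.0 0.0.0.255 log
remark "allow SNMP on Netsight-Server for management network"
permit udp 172.18.0.0 0.0.255.255 192.168.246.150 0.0.0.0 range 161 162
remark "block SNMP from other networks"
deny udp 0.0.0.0 255.255.255.255 192.168.246.0 0.0.0.255 range 161 162 log
remark "allow UDP from internal networks"
permit udp 10.0.0.0 0.255.255.255 192.168.246.0 0.0.0.255
permit udp 192.168.240.0 0.0.7.255 192.168.246.0 0.0.0.255
permit udp 192.168.248.0 0.0.0.255 192.168.246.0 0.0.0.255
permit udp 172.18.0.0 0.0.255.255 192.168.246.0 0.0.0.255
"""

ACL = parse_acl(ORIGINAL_ACL)


def without_dc_permits(aces: List[Ace]) -> List[Ace]:
    """Drop the per-host 'permit ip' ACEs so the broader 'permit udp' ACEs get exercised."""
    return [a for a in aces if not (a.action == "permit" and a.proto == "ip" and a.src_wild == 0)]


if __name__ == "__main__":
    for dc in ("192.168.240.15", "192.168.248.12"):
        for ntp in ("192.168.246.50", "192.168.246.101", "192.168.246.130"):
            print(dc, "->", ntp, "udp/123:", evaluate(ACL, dc, ntp, "udp", 123)[:2])
</test>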
