お世話になります。

ご回答ありがとうございます。

ルータのＩＯＳについては１５．１またスイッチのＩＯＳについては１２．２となります。

また、該当箇所のルータの設定ファイルおよびスイッチの設定ファイルを以下に

示します。(セキュリティ上、S/N等機種固有の情報は削除しています。)

また、以下の設定においてスイッチモジュール FastEthernet0/14に設定したVLAN2222

についてルータで設定したACL(170、180)が有効になっていないと思われます。

①ルータ

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

!

!

ip multicast-routing

!

!

no ip domain lookup

multilink bundle-name authenticated

!

vtp mode transparent

!

!

!crypto pki certificate chain TP-self-signed-

certificate self-signed 01 nvram:IOS-Self-Sig#2.cer

license udi pid CISCO2921/K9 sn

hw-module sm 1

!

!

!

vtp mode transparent

!

!

vlan 2222

interface Vlan2222
ip address 192.168.1.100 255.255.255.0
ip access-group 170 in
ip access-group 180 out
no ip route-cache

access-list 170 permit icmp any any

access-list 170 deny   ip any any

access-list 180 permit udp host 192.168.3.12 host 192.168.1.110 eq 2000

access-list 180 permit icmp any any

access-list 180 deny   ip any any

②スイッチ側設定

version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch

boot-start-marker
boot-end-marker
!
!
no aaa new-model
system mtu routing 1500
vtp mode transparent
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-

enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-

revocation-check none
rsakeypair TP-self-signed-

!
!
crypto pki certificate chain TP-self-signed-

certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!

vlan internal allocation policy ascending

vlan 2222

!

interface FastEthernet0/14

switchport access vlan 2222

switchport mode access

no shutdown

interface Vlan2222

no ip address

no ip route-cache

以上、よろしくお願いいたします。

すっかり遅くなってしまい申し訳ありませんでした。

機材の調整で時間が掛かってしまいました。

既に解決策を見つけられているかも知れませんがこちらで確認した内容をまとめます。

結論から言いますと頂いた設定でout acl は動作しました。

こちらで使用したルータ(2911)、SM の設定を以下に記載しますのでご確認ください。

頂いていない部分のコンフィグでの差分があるのかも知れません。

使用した環境は以下の様なものです。

2911[Gi0/0] --- TGN1

SM-ES2-24[Fa0/14] --- TGN2

また、outbound ACL のカウンタも以下のように上昇します。

ここでは 10, 30 にヒットするトラフィックを流しています。

30 はちなみに 10 にヒットするトラフィックで UDP dest port を 2001

としたものを使いました。

c2911#sh access-list

Extended IP access list 170

    10 permit icmp any any (24 matches)

    20 deny ip any any

Extended IP access list 180

    10 permit udp host 192.168.3.12 host 192.168.1.110 eq 2000 (967 matches)

    20 permit icmp any any

    30 deny ip any any (4252 matches)

c2911#sh access-list

Extended IP access list 170

    10 permit icmp any any (24 matches)

    20 deny ip any any

Extended IP access list 180

    10 permit udp host 192.168.3.12 host 192.168.1.110 eq 2000 (1069 matches)

    20 permit icmp any any

    30 deny ip any any (4354 matches)

幾つかルータのコンフィグについて補足します。

- ルータ - SM 間は一番オーソドックスなやり方だと思いますが

Gi1/1 - Gi0/25 を trunk しています。

- 以下の static arp がありますが、dest IP が 192.168.1.110 のパケットを

  SM の対向機器(TGN2) に流すためのものです。

  arp 192.168.1.110 000d.6670.441a ARPA

よろしくお願いします。

以下、ルータ(2911)の設定になります。

c2911#

c2911#show ver

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Tue 04-Sep-12 16:37 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

c2911 uptime is 3 hours, 36 minutes

System returned to ROM by power-on

System restarted at 01:32:11 UTC Thu Sep 5 2013

System image file is "flash0:c2900-universalk9-mz.SPA.151-4.M5"

Last reload type: Normal Reload

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco CISCO2911/K9 (revision 1.0) with 479232K/45056K bytes of memory.

Processor board ID FTX1425A1A8

5 Gigabit Ethernet interfaces

2 terminal lines

DRAM configuration is 64 bits wide with parity enabled.

255K bytes of non-volatile configuration memory.

254464K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------

Device#            PID                              SN

-------------------------------------------------

*0              CISCO2911/K9          FTX1425A1A8    

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------

Technology    Technology-package           Technology-package

              Current       Type           Next reboot 

------------------------------------------------------------------

ipbase        ipbasek9      Permanent      ipbasek9

security      None          None           None

uc            None          None           None

data          None          None           None

Configuration register is 0x2102

c2911#

c2911#

c2911#sh run

Building configuration...

Current configuration : 2134 bytes

!

! No configuration change since last restart

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname c2911

!

boot-start-marker

boot-end-marker

!

!

enable password cisco

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO2911/K9 sn FTX1425A1A8

hw-module sm 1

!

!

!

vtp mode transparent

!

!

vlan 2222

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address 12.0.0.1 255.255.255.0

load-interval 30

duplex auto

speed auto

!

interface GigabitEthernet0/1

ip address 1.13.35.71 255.0.0.0

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet1/0

ip address 10.0.0.1 255.255.255.0

load-interval 30

!

interface GigabitEthernet1/1

description Internal switch interface connected to EtherSwitch Service Module

switchport mode trunk

no ip address

load-interval 30

!

interface Vlan1

no ip address

!

interface Vlan2222

ip address 192.168.1.100 255.255.255.0

ip access-group 170 in

ip access-group 180 out

no ip route-cache

load-interval 30

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

!

access-list 170 permit icmp any any

access-list 170 deny   ip any any

access-list 180 permit udp host 192.168.3.12 host 192.168.1.110 eq 2000

access-list 180 permit icmp any any

access-list 180 deny   ip any any

!

arp 192.168.1.110 000d.6670.441a ARPA

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line 67

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

flowcontrol software

line vty 0 4

password cisco

login

transport input all

!

scheduler allocate 20000 1000

end

c2911#

c2911#

以下は SM-ES2-24 の設定内容です。

Switch#

Switch#

Switch#show ver

Cisco IOS Software, C2960SM Software (C2960SM-LANBASEK9-M), Version 12.2(52)EX1, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2010 by Cisco Systems, Inc.

Compiled Thu 13-May-10 13:53 by prod_rel_team

Image text-base: 0x00003000, data-base: 0x01600000

ROM: Bootstrap program is c2960sm boot loader

BOOTLDR: C2960SM Boot Loader (C2960SM-HBOOT-M) Version 12.2(52r)EX, RELEASE SOFTWARE (fc1)

Switch uptime is 2 hours, 17 minutes

System returned to ROM by power-on

System restarted at 06:01:43 UTC Wed Sep 4 2013

System image file is "flash:/c2960sm-lanbasek9-mz.122-52.EX1.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

cisco SM-ES2-24 (PowerPC405) processor with 131072K bytes of memory.

Processor board ID FOC16101RG1

Last reset from power-on

2 Virtual Ethernet interfaces

23 FastEthernet interfaces

3 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.

Base ethernet MAC Address       : 5C:50:15:3D:0D:80

Motherboard serial number       : FOC16101RG1

Model number                    : SM-ES2-24

System serial number            : FOC16101RG1

Hardware Board Revision Number  : 0x00

Switch Ports Model              SW Version            SW Image                

------ ----- -----              ----------            ----------              

*    1 26    SM-ES2-24          12.2(52)EX1           C2960SM-LANBASEK9-M     

Configuration register is 0xF

Switch#

Switch#

Switch#sh run

Building configuration...

Current configuration : 1840 bytes

!

! Last configuration change at 08:13:31 UTC Wed Sep 4 2013

! NVRAM config last updated at 08:13:31 UTC Wed Sep 4 2013

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

!

!

!

no aaa new-model

system mtu routing 1500

vtp mode transparent

authentication mac-move permit

ip subnet-zero

!

!

!

!

!

!

!

!

spanning-tree mode pvst

spanning-tree etherchannel guard misconfig

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

vlan 2222

!

!

!

interface FastEthernet0/2

!

interface FastEthernet0/3

!

interface FastEthernet0/4

!

interface FastEthernet0/5

!

interface FastEthernet0/6

!

interface FastEthernet0/7

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

switchport access vlan 2222

switchport mode access

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface GigabitEthernet0/1

switchport access vlan 2222

switchport mode access

load-interval 30

!

interface GigabitEthernet0/25

switchport mode trunk

load-interval 30

!

interface GigabitEthernet0/26

load-interval 30

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan2222

no ip address

no ip route-cache

!

ip http server

ip http secure-server

ip sla enable reaction-alerts

!

line con 0

exec-timeout 0 0

speed 115200

flowcontrol software

line vty 0 4

login

line vty 5 15

login

!

end

Switch#

お世話になります。

実機による検証まで行って頂き、ありがとうございます。

なお、こちらで発生した事象と比較してこちらではスイッチモジュール側のポート(頂いたconfigでは

interface FastEthernet0/14もしくはinterface GigabitEthernet0/1になるかと思われます。)

にHUB経由でLANアナライザ(Wireshark)を接続し、その地点でパケットをキャプチャした

ところACLではじく予定のパケットがキャプチャできており、スイッチモジュール側での

ポートにおけるACLが無効になっているのではと考えています。

ただ、こちらでその事象が起きた時はルータ上でのshow ACLコマンドでもヒットするはずの

パケットがヒットしておらずパケット数が変化しないという点でそちらでの検証結果と

異なっている為、この点も気になるところではあります。

以上、お忙しいところ検証、調査等本当にありがとうございます。