Weird ACL Issue

Tom Marcoen
Level 1

Hey Guys,

I'm experiencing a weird ACL issue and I'm clueless about the possible cause. I have two switches running HSRP for VLAN 400 (might not be relevant, but I thought I'd mention it anyway). Since this VLAN runs production devices, we have ACLs inbound and outbound to regulate the traffic going into and out of the subnet.

The last two lines of this ACL are as follows:

270 deny icmp any 10.10.10.0 0.0.0.255 log
280 permit ip any any

I have two devices pinging the HSRP address of this VLAN (10.10.10.1): my workstation and a monitoring server. When my workstation does the ping, it hits rule #280 (I can see the counter increasing). This surprises me since it should be blocked by rule #270.

When I ping this exact same IP address (10.10.10.1) from the monitoring server, I can see a block. Wireshark tells me: Destination unreachable (communication administratively filtered). This is the expected behaviour.

However, the monitoring server used to be able to ping this IP address and the ACL has not been altered in months. So something weird happened causing the ACL to actually do its job... sometimes.

Does anyone have a clue as to why my workstation hits the wrong rule and why the monitoring server used to hit the wrong rule but now not anymore?

Kind regards,

Tom
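To check what the ACL as posted should do, here is a small first-match evaluator with Cisco wildcard-mask semantics. This is an added example, not code from the original post or from Cisco; the source addresses (192.0.2.10 for the workstation, 192.0.2.20 for the monitoring server) are constructed. It only models the ACE logic, so it shows that any ICMP packet to 10.10.10.1 must land on sequence 270; a counter increase on 280 for an ICMP ping therefore means the packet is not being evaluated by this ACL in the way assumed (different interface, direction or forwarding path), which is where the troubleshooting should focus.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    seq: int
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IP protocol; otherwise exact match
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    log: bool = False


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask means 'must match'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        net, wc = parts[1], "0.0.0.0"
    elif len(parts) == 1:
        net, wc = parts[0], "0.0.0.0"
    else:
        net, wc = parts
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)


def first_match(acl: List[Ace], proto: str, src: str, dst: str) -> Optional[Ace]:
    """Return the first ACE that matches, in sequence order; None means implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        proto_ok = ace.proto == "ip" or ace.proto == proto
        if proto_ok and wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace
    return None


# The last two lines of the ACL from the post.
ACL = [
    Ace(270, "deny", "icmp", "any", "10.10.10.0 0.0.0.255", log=True),
    Ace(280, "permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for host in ("192.0.2.10", "192.0.2.20"):   # constructed source addresses
        hit = first_match(ACL, "icmp", host, "10.10.10.1")
        print(host, "-> ICMP to 10.10.10.1 hits sequence", hit.seq, hit.action)
```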

1 Reply

saurabhgoel169
Level 1

Hi Tom,

Please share the config or topology so I can troubleshoot it further.

Thanks
