SG300 in routing mode, ACL does not work

sibekotech
Level 1

Hi all.

U.P.D. Ok, the problem is solved, if a workaround can be seen as a fix. It's a bug, unfortunately: if you check my config, you'll see that I created two ACLs with some ACEs and bound them to VLANs; those VLANs are trunked to another switch through a Port-Channel. After every reload of the switch something goes wrong, so the ACLs stop working, partially, but if I remove a port from the Port-Channel and add it back, everything returns to the normal state. I can't figure out how to send a bug report, so if someone can help me with that, I'll appreciate it.

What I'm trying to do is get basic filtering on the SG300, which is configured in router mode.

config-file-header
sg300-csw01-nya
v1.4.1.3 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no cdp run
spanning-tree priority 4096
port jumbo-frame
lacp system-priority 10
vlan database
vlan 10,20,30,40,50,60
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
no lldp run
loopback-detection enable
ip dhcp relay address 172.16.40.203
ip dhcp relay enable
no boot host auto-config
no boot host auto-update
no bonjour enable
ip access-list extended ac-wfnw
permit udp 172.16.50.0 0.0.0.255 any 172.16.40.203 0.0.0.0 domain ace-priority 10
permit tcp 172.16.50.0 0.0.0.255 any 172.16.40.203 0.0.0.0 domain ace-priority 20
deny ip any 172.16.20.0 0.0.0.255 ace-priority 1000
deny ip any 172.16.40.0 0.0.0.255 ace-priority 1010
deny ip any 172.16.60.0 0.0.0.255 ace-priority 1020
permit ip any any ace-priority 2000
exit
ip access-list extended ac-canw
permit ip 172.16.60.51 0.0.0.0 172.16.20.0 0.0.0.255 ace-priority 10
deny ip any 172.16.20.0 0.0.0.255 ace-priority 1000
deny ip any 172.16.50.0 0.0.0.255 ace-priority 1010
permit ip any any ace-priority 2000
exit
hostname sg300-csw01-nya
encrypted radius-server host radius.corp.sibekotech.ru key ---
radius-server host source-interface vlan 20
aaa authentication login default radius local
no passwords complexity enable
passwords aging 0
username cisco password encrypted --- privilege 15
username zanswer password encrypted --- privilege 15
ip ssh server
ip ssh password-auth
snmp-server server
snmp-server engineID local 800000090308d09f71612a
snmp-server view noc iso included
snmp-server view noc ifName.3000 excluded
snmp-server view noc ifName.7000 excluded
snmp-server view noc ifName.20000 excluded
snmp-server view noc ifName.100000 excluded
snmp-server view noc ifName.100009 excluded
snmp-server view noc ifName.100019 excluded
snmp-server view noc ifName.100029 excluded
snmp-server view noc ifName.100039 excluded
snmp-server view noc ifName.100049 excluded
snmp-server view noc ifName.100059 excluded
snmp-server group noc v3 priv read noc
encrypted snmp-server user noc noc v3 auth sha --- priv ---
no ip http server
no ip http secure-server
clock timezone YEKT +5
clock source sntp
sntp unicast client enable
sntp unicast client poll
sntp server ntp.corp.sibekotech.ru poll
sntp source-interface vlan 20
ip domain name corp.sibekotech.ru
ip name-server  172.16.40.203
!
interface vlan 1
 no ipv6 address autoconfig
 no ipv6 enable
 shutdown
!
interface vlan 10
 name vl-blhl
!
interface vlan 20
 name vl-mgmt
 ip address 172.16.20.254 255.255.255.0
!
interface vlan 30
 name vl-ronw
 ip address 172.16.30.253 255.255.255.252
!
interface vlan 40
 name vl-srnw
 ip address 172.16.40.254 255.255.255.0
!
interface vlan 50
 name vl-wfnw
 ip address 172.16.50.254 255.255.255.0
 ip dhcp relay enable
 service-acl input ac-wfnw
!
interface vlan 60
 name vl-canw
 ip address 172.16.60.254 255.255.255.0
 service-acl input ac-canw
!
interface gigabitethernet1
 loopback-detection enable
 shutdown
 description not-conf
 spanning-tree link-type point-to-point
 spanning-tree guard root
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet2
 loopback-detection enable
 shutdown
 description not-conf
 spanning-tree link-type point-to-point
 spanning-tree guard root
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet3
 loopback-detection enable
 shutdown
 description not-conf
 spanning-tree link-type point-to-point
 spanning-tree guard root
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet4
 loopback-detection enable
 shutdown
 description not-conf
 spanning-tree link-type point-to-point
 spanning-tree guard root
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet5
 loopback-detection enable
 shutdown
 description not-conf
 spanning-tree link-type point-to-point
 spanning-tree guard root
 switchport mode access
 switchport access vlan 10
!
interface gigabitethernet6
 loopback-detection enable
 description crt01-ge01
 spanning-tree portfast
 spanning-tree link-type point-to-point
 spanning-tree bpduguard enable
 switchport mode access
 switchport access vlan 30
!
interface gigabitethernet7
 loopback-detection enable
 shutdown
 description srv01-eth1
 lacp port-priority 10
 spanning-tree link-type point-to-point
 spanning-tree guard root
 channel-group 2 mode auto
 switchport mode access
!
interface gigabitethernet8
 loopback-detection enable
 shutdown
 description srv01-eth2
 lacp port-priority 10
 spanning-tree link-type point-to-point
 spanning-tree guard root
 channel-group 2 mode auto
 switchport mode access
!
interface gigabitethernet9
 loopback-detection enable
 shutdown
 description asw01-gi01
 lacp port-priority 10
 spanning-tree link-type point-to-point
 spanning-tree guard root
 channel-group 1 mode auto
 switchport mode access
!
interface gigabitethernet10
 loopback-detection enable
 shutdown
 description asw01-gi02
 lacp port-priority 10
 spanning-tree link-type point-to-point
 spanning-tree guard root
 channel-group 1 mode auto
 switchport mode access
!
interface Port-channel1
 speed 1000
 loopback-detection enable
 description asw01-po1
 spanning-tree link-type point-to-point
 spanning-tree guard root
 switchport trunk allowed vlan add 20,40,50,60
 switchport trunk native vlan 10
!
interface Port-channel2
 speed 1000
 loopback-detection enable
 description srv01-bond0
 spanning-tree portfast
 spanning-tree link-type point-to-point
 spanning-tree bpduguard enable
 switchport trunk allowed vlan add 40
 switchport trunk native vlan 10
!
interface Tunnel 1
 shutdown
!
exit
ip default-gateway 172.16.30.254

I've created one ACL with one ACE and bound it to VLAN 50. But the problem is that I can ping some hosts; how can traffic flow through the interface if all traffic is blocked on it?!
The wireless AP is connected to an SF300 that is configured in switch mode, so it can't do any routing. I do not understand how, and I can't find a way to troubleshoot this behavior.
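Before chasing a platform bug it helps to check what the posted ACLs actually express: ACEs are evaluated in ace-priority order, and both lists end with permit ip any any, so only traffic towards the explicitly denied subnets is dropped. The Python below is an added example, not code from the thread or from Cisco: it parses the ac-wfnw and ac-canw ACEs exactly as posted and reports which ACE a sample packet hits. The ACE grammar it accepts (a port token after each address for tcp/udp) and the implicit deny at the end of the list are assumptions taken from the general Cisco ACL model.

```python
from ipaddress import IPv4Address
# Constructed copies of the ACEs exactly as posted in the SG300 config above.
AC_WFNW = """\
permit udp 172.16.50.0 0.0.0.255 any 172.16.40.203 0.0.0.0 domain ace-priority 10
permit tcp 172.16.50.0 0.0.0.255 any 172.16.40.203 0.0.0.0 domain ace-priority 20
deny ip any 172.16.20.0 0.0.0.255 ace-priority 1000
deny ip any 172.16.40.0 0.0.0.255 ace-priority 1010
deny ip any 172.16.60.0 0.0.0.255 ace-priority 1020
permit ip any any ace-priority 2000"""
AC_CANW = """\
permit ip 172.16.60.51 0.0.0.0 172.16.20.0 0.0.0.255 ace-priority 10
deny ip any 172.16.20.0 0.0.0.255 ace-priority 1000
deny ip any 172.16.50.0 0.0.0.255 ace-priority 1010
permit ip any any ace-priority 2000"""
PORT_NAMES = {"domain": 53}  # the only service keyword the posted config uses

def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [sport] <dst> [dport] ace-priority <n>'.
    Each address is 'any' or an 'ip wildcard' pair; assumption: for tcp/udp a port
    token ('any', a name or a number) follows each address, as in the posted lines."""
    t = line.split()
    ace, t = {"action": t[0], "proto": t[1]}, t[2:]
    for side in ("src", "dst"):
        if t[0] == "any":
            ace[side], t = None, t[1:]
        else:  # (base address, wildcard mask) as integers
            ace[side], t = (int(IPv4Address(t[0])), int(IPv4Address(t[1]))), t[2:]
        if ace["proto"] in ("tcp", "udp"):
            port, t = t[0], t[1:]
            ace[side + "_port"] = None if port == "any" else PORT_NAMES[port] if port in PORT_NAMES else int(port)
    ace["prio"] = int(t[t.index("ace-priority") + 1])
    return ace

def addr_match(value, spec):  # bits set in the wildcard are don't-care; None means 'any'
    return spec is None or (value & ~spec[1]) == (spec[0] & ~spec[1])

def evaluate(acl_text, proto, src, dst, sport=None, dport=None):
    """Return (action, ace-priority) of the first matching ACE in priority order.
    Assumption: no match means the implicit deny at the end of the list."""
    aces = sorted(map(parse_ace, acl_text.splitlines()), key=lambda a: a["prio"])
    s, d = int(IPv4Address(src)), int(IPv4Address(dst))
    for ace in aces:
        proto_ok = ace["proto"] in ("ip", proto)
        port_ok = ace["proto"] not in ("tcp", "udp") or (
            ace["src_port"] in (None, sport) and ace["dst_port"] in (None, dport))
        if proto_ok and port_ok and addr_match(s, ace["src"]) and addr_match(d, ace["dst"]):
            return ace["action"], ace["prio"]
    return "deny", None
```

For a VLAN 50 host, DNS to 172.16.40.203 hits the permit at priority 10, any other traffic into 172.16.40.0/24 hits the deny at 1010, and a ping to 172.16.30.254 falls through to the permit ip any any at 2000.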
1 Reply

sibekotech
Level 1

I did some research today and found some interesting things. First, you can't mirror a Port-Channel or a port in it; second, the ACL starts to work if I remove one of the ports from the Port-Channel, and it keeps working even if I add them back after that.