Hi Jon,

From remote site the IP address for PC is 172.17.1.120  and i can ping the core 1 and 2 (172.20.201.225/226)  but i can't telnet this IP address (172.20.201.225) only i able to telnet by this IP address 172.20.200.6 but access Core2 not 1.below full access-list:

access-list 101 permit ip host 172.17.1.120 host 172.20.201.225
access-list 101 permit ip host 172.17.1.120 host 172.20.200.6
access-list 101 permit ip host 172.17.114.40 host 172.20.201.225
access-list 101 permit ip host 172.17.114.40 host 172.20.200.6
access-list 101 permit ip host 172.17.116.3 host 172.20.201.225
access-list 101 permit ip host 172.17.116.3 host 172.20.200.6
access-list 101 permit ip host 172.17.116.11 host 172.20.201.225
access-list 101 permit ip host 172.17.116.11 host 172.20.200.6
access-list 101 permit tcp host 172.17.116.3 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.116.3 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.116.11 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.116.11 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.114.40 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.114.40 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.1.100 any
access-list 101 permit tcp host 172.17.1.120 any
access-list 101 deny   tcp any host 172.17.1.42
access-list 101 permit ip any any
access-list 101 deny   tcp any host 172.20.201.225
access-list 101 deny   tcp any host 172.20.200.6
!

i don't why i can't telnet the real IP address and why when telnet by GLBP IP address i access Core2 not Core1.

Thanks

Your acl has a "permit ip any any", is this just for testing because if isn't you don't need all those other lines and the deny lines at the end never get used.

Can you post a "sh glbp brief".

Jon

Hi Jon,

1. since i apply permit ip any any, still i can't telnet core#1 or Core#2 from different subnet but i can telnet from the same subnet? why?

2. is GLBP configuration wrong?

3. if i want to modify the access-list to remove the permit ip any any do i need to do:

access-list 101 permit ip host 172.17.1.120 host 172.20.201.225
access-list 101 permit ip host 172.17.1.120 host 172.20.200.6
access-list 101 permit ip host 172.17.114.40 host 172.20.201.225
access-list 101 permit ip host 172.17.114.40 host 172.20.200.6
access-list 101 permit ip host 172.17.116.3 host 172.20.201.225
access-list 101 permit ip host 172.17.116.3 host 172.20.200.6
access-list 101 permit ip host 172.17.116.11 host 172.20.201.225
access-list 101 permit ip host 172.17.116.11 host 172.20.200.6
access-list 101 permit tcp host 172.17.116.3 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.116.3 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.116.11 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.116.11 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.114.40 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.114.40 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.1.100 any
access-list 101 permit tcp host 172.17.1.120 any
access-list 101 deny tcp any host 172.17.1.42
access-list 101 deny tcp any host 172.20.201.225
access-list 101 deny tcp any host 172.20.200.6

or

access-list 101 permit ip host 172.17.1.120 host 172.20.201.225
access-list 101 permit ip host 172.17.1.120 host 172.20.200.6
access-list 101 permit ip host 172.17.114.40 host 172.20.201.225
access-list 101 permit ip host 172.17.114.40 host 172.20.200.6
access-list 101 permit ip host 172.17.116.3 host 172.20.201.225
access-list 101 permit ip host 172.17.116.3 host 172.20.200.6
access-list 101 permit ip host 172.17.116.11 host 172.20.201.225
access-list 101 permit ip host 172.17.116.11 host 172.20.200.6
access-list 101 permit tcp host 172.17.116.3 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.116.3 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.116.11 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.116.11 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.114.40 host 172.20.201.225 eq 443
access-list 101 permit tcp host 172.17.114.40 host 172.20.200.6 eq 443
access-list 101 permit tcp host 172.17.1.100 any
access-list 101 permit tcp host 172.17.1.120 any
 

no need to add deny for these "

access-list 101 deny tcp any host 172.17.1.42
access-list 101 deny tcp any host 172.20.201.225
access-list 101 deny tcp any host 172.20.200.6"

Please advise

Hi Andre/Jon,

Thanks for your informations now is clear.