1849 Views | 10 Helpful | 7 Replies

ACL randomly stops working on 2960X.

Tom.R (Level 1)

I have a 2960X PoE switch that I have used to isolate a server. I am using an ACL to limit user access to it, and I also have a backup appliance that needs to connect to the server to keep the backups up to date. BUT... the backup server keeps losing its connection to the server I'm trying to isolate. What's weird is that, after removing the ACL from the interface, traceroutes still fail.
I'd assume the switches would find where they're supposed to go via L2 discovery... but I've even tried static routes with ip routing enabled and it's still flaky. Every other device we have can connect without any issues.
Any thoughts? 

7 Replies

balaji.bandi (Hall of Fame)

Can you please post the configuration and explain which port the server is connected to? I also suggest posting the output of show version so we can check for any known bugs.

BB

Thank you for your response! Yes, I have attached the file with the "sh ver" and "sh run". The server has two uplinks. We are trying to hit it from G1/0/47, where the management interface is (197.62.20.51). Interface VLAN200 isn't really in use...
Pay no mind to the subnet... it was established long ago, before those addresses were deemed unsuitable for private use.

Hi,

So, you are putting both the server management interface and the data in the same VLAN (VLAN 1). I see no VLANs configured on any of the interfaces, so I assume you are using VLAN 1. Is that correct? Usually the management interface and the data should not be in the same VLAN/subnet. What is the IP for the server (data)? And what happens when you ping the backup device from the server and vice versa?

HTH

So we had that setup before. The management IP was on VLAN200 (192.168.200.X) and the data was coming in on VLAN 1. It worked for a day, and then the backup system lost its connection to the isolated server for no reason. We assumed it was an inter-VLAN routing issue, which is why we opted to put them both on the same VLAN... and that worked for a couple of days, then stopped unexpectedly.
Ping works both ways; however, traceroute wouldn't work from the backup system to the isolated server and would only sometimes work in the other direction. The data IP for the server is 197.62.20.99. I've investigated routing issues further down, but what's weird is that traceroutes from the core switch stop cold at the switch I'm trying to implement, while ping is clean.

Having two different VLANs will not cause this issue. As I noted before, it is actually good practice to put management in a different VLAN.

Anyway, with the current setup, can you try changing the gateway from

ip route 0.0.0.0 0.0.0.0 197.62.20.1

to

no ip route 0.0.0.0 0.0.0.0 197.62.20.1

and then

ip default-gateway 197.62.20.1

and test again?

Also, I know the ACLs are not applied to any interface, but if the above change does not help, can you remove all ACLs and test again?
HTH

Yes... and I'm guessing this is with IP routing disabled?

You can but you don't have to necessarily disable IP routing. 

HTH
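As an added illustration of the gateway change suggested above, here is what a Layer 2 only management setup on a 2960X, plus a single isolation ACL, could look like, together with the show commands used to verify it. This is example configuration written for this thread, not the poster's attached running config. The addresses reuse the ones mentioned in the thread (server data 197.62.20.99, server management 197.62.20.51, gateway 197.62.20.1); the backup appliance address 197.62.20.50, the admin host 197.62.20.10, the interface names and the ACL name are assumptions.

```cisco
! --- Added example, not the original poster's configuration ---
! Management plane: pure Layer 2 switch. ip default-gateway is honoured only
! while ip routing is disabled; with ip routing enabled the equivalent is
! ip route 0.0.0.0 0.0.0.0 197.62.20.1 instead.
no ip routing
ip default-gateway 197.62.20.1
!
interface Vlan1
 ip address 197.62.20.51 255.255.255.0
 no shutdown
!
! Isolation policy. Only the backup appliance (assumed 197.62.20.50) may reach
! the server's data address, and only it plus one admin host (assumed
! 197.62.20.10) may reach the server's management address. Everything else
! destined to the server is dropped; traffic to other hosts is untouched.
ip access-list extended ISOLATE-SERVER
 remark backup appliance -> server data and management
 permit ip host 197.62.20.50 host 197.62.20.99
 permit ip host 197.62.20.50 host 197.62.20.51
 remark admin workstation -> server management only
 permit ip host 197.62.20.10 host 197.62.20.51
 remark everyone else is denied access to the server, nothing else is filtered
 deny   ip any host 197.62.20.99
 deny   ip any host 197.62.20.51
 permit ip any any
!
! Port ACLs on the 2960 family are inbound only, so the filter goes where the
! user traffic ENTERS this switch (the uplink, assumed Gi1/0/1), not on the
! server-facing port, where "in" would filter the server's own traffic.
interface GigabitEthernet1/0/1
 description uplink to core (assumed)
 switchport mode access
 ip access-group ISOLATE-SERVER in
!
! Server-facing ports (assumed Gi1/0/47 management, Gi1/0/48 data) stay plain.
interface GigabitEthernet1/0/47
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/0/48
 switchport mode access
 spanning-tree portfast
!
! Verification after the change:
!   show ip route                       -> "Default gateway is 197.62.20.1"
!   show ip interface GigabitEthernet1/0/1 | include access list
!   show ip access-lists ISOLATE-SERVER -> per-entry match counters
!   show running-config | include ip routing|default-gateway|ip route
```

The last show line is the quick check for the situation the thread describes: if both a static default route and ip default-gateway survive in the running config, or ip routing is still on after the change, the switch is not using the gateway the way the post above intends. Watching the deny counters in show ip access-lists while the backup job runs also tells you immediately whether the ACL, rather than the path, is what is dropping the backup traffic.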
