C2960X in L3 mode doesn't log ACL deny packets.

dtango2010
Level 1
Level 1

Hello,

I'm using a stack of two C2960X in L3 mode:

ZZZ-L3#sh sdm prefer
The current template is "lanbase-routing" template.

I have two Vlans and I need to block traffic between them. The problem is the second vlan is located on the other switch.

So here is my setup:

LAN (VLAN1)--[ZZZ-L3]--trunk port--[YYY-L2]-- Vlan10

ip routing
no ip cef optimize neighbor resolution
...
interface Vlan1
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip proxy-arp
end

interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 111 out
no ip redirects
no ip proxy-arp
end

ZZZ-L3#sh access-lists 111
Extended IP access list 111
10 permit tcp host 192.168.1.50 host 192.168.10.50 eq 4899
20 deny ip any any log

ZZZ-L33#sh ver

...
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
1 28 WS-C2960X-24TS-L 15.2(2)E6 C2960X-UNIVERSALK9-M
* 2 28 WS-C2960X-24TS-L 15.2(2)E6 C2960X-UNIVERSALK9-M

I can confirm that ACL works:

RDP from 192.168.1.50 to 192.168.10.50 works OK.

And, if I ping 192.168.1.50 from 192.168.10.50 I receive "Request timed out."

However, I don't see any "%SEC-6-IPACCESSLOGDP: list 111 denied" in the log on the switch.

The other strange thing is that if I ping an IP that doesn't exist in subnet 192.168.10.x, for example 192.168.10.60:

First: I receive "Destination net unreachable", but not "Request timed out.".

Second: Deny log message shows up in the log:

%SEC-6-IPACCESSLOGDP: list 111 denied icmp 192.168.1.50 -> 192.168.10.60 (8/0), 1 packet 

One more thing: if I define a switch port in VLAN 10 on ZZZ-L3 and connect 192.168.10.50 directly to ZZZ-L3,

then "%SEC-6-IPACCESSLOGDP: list 111 denied" starts showing up in the log.

Any idea about such a strange behavior?

Thank you in advance,

Alex.
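
Added example, not code from the thread: a small Python parser for the %SEC-6-IPACCESSLOG* messages quoted above, plus a check that reports which expected denied flows never appeared in `show logging`. Sample log lines are constructed, and the regex assumes the IPACCESSLOGDP/IPACCESSLOGP/IPACCESSLOGNP formats without the extra interface/MAC fields that `log-input` adds.

```python
import re
from collections import Counter

# Constructed sample output in the format of `show logging`; hosts, ports and
# counts are made up to mirror the thread (ACL 111, RDP on tcp/4899, ICMP pings).
SAMPLE_LOG = """
*Mar  1 00:12:41.123: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 192.168.1.50 -> 192.168.10.60 (8/0), 1 packet
*Mar  1 00:12:55.001: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.1.50(51234) -> 192.168.10.50(4899), 1 packet
*Mar  1 00:13:10.447: %SEC-6-IPACCESSLOGDP: list 111 denied icmp 192.168.1.50 -> 192.168.10.60 (8/0), 4 packets
*Mar  1 00:13:40.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# DP = ICMP (type/code in parentheses), P = TCP/UDP (ports in parentheses),
# NP = other protocols (numeric protocol, no ports).  Assumed formats.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|P|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log message; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            events.append(d)
    return events


def summarize(events):
    """Total packets per (acl, action, proto, src, dst) so repeated hits add up."""
    totals = Counter()
    for e in events:
        totals[(e["acl"], e["action"], e["proto"], e["src"], e["dst"])] += e["count"]
    return totals


def missing_denies(events, acl, expected_flows):
    """Expected (src, dst) pairs that produced no 'denied' entry for this ACL."""
    seen = {(e["src"], e["dst"]) for e in events
            if e["acl"] == acl and e["action"] == "denied"}
    return sorted(flow for flow in expected_flows if flow not in seen)


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    for key, n in summarize(evs).items():
        print(key, n)
    print("no deny logged for:", missing_denies(evs, "111", [("192.168.10.50", "192.168.1.50")]))
```

Feed it the real `show logging` output to see which tested flows (such as the ping from 192.168.10.50 to 192.168.1.50) were dropped without producing a log entry.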

18 Replies

Julio,
Thank you for all your responses.

Unfortunately, "ip access-list logging interval" didn't help either.

As I mentioned to Paul above, I'm going to either create a ticket with TAC or simply close the topic.

I was able to reproduce the same issue with the other stack I have.

So, probably an L3 stack of 2xC2960X was not the best idea.

C2960X with LAN Base IOS in L3 mode is not widely used (especially in a stack), so maybe this is why this was not reported before.

And yes, let's call this "a feature" :).

Thks,

Alex.

Thank you Alex, please keep us posted about the resolution. 

Have a good day. 




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Hello

Can you post - Show logging

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Paul,

Please check the post about ACL 115.

Thks,

AleX
