01-23-2020 12:52 AM
Hi everyone,
I'm testing Catalyst 9300's with 16.12.x software.
I have a GRE tunnel between two stacks of 9300's. I'm trying to apply an ACL on the tunnel interfaces which connect them (extended with object groups, but also tried a simple one without object groups).
For the inbound on the Tunnel interface, they work as expected.
For outbound, it doesn't block anything at all. Even if I were to put a "permit ip any any log" or "deny ip any any log" I wouldn't see anything blocked or in the log.
Is this a known limitation of the 9300 platform? For ISR's and ASR's, outbound on Tunnels works just fine. But I realize that switches may have certain limitations, even though I couldn't find this one in the documentation.
Thanks!
01-23-2020 01:32 AM
Hi,
You said you have GRE between two devices and switches are between GRE devices?
Can you describe more at what type of interface you apply the tunnel? Layer 3 or Layer 2, or is it an SVI?
01-23-2020 07:13 AM
Hi,
The GRE is configured on the two 9300 stacks, as seen here:
The filter is configured on the GRE tunnel interface of the 9300. The tunnel source is an SVI, and the destination is the SVI of the opposite stack.