C9300: Routing ACLs on Tunnel interfaces don't work for outbound

Nadav
Level 7

Hi everyone,

I'm testing Catalyst 9300's with 16.12.x software.

I have a GRE tunnel between two stacks of 9300's. I'm trying to apply an ACL on the tunnel interfaces which connect them (extended with object groups, but also tried a simple one without object groups).

For the inbound on the Tunnel interface, they work as expected.

For outbound, it doesn't block anything at all. Even if I were to put a "permit ip any any log" or "deny ip any any log" I wouldn't see anything blocked or in the log.

Is this a known limitation of the 9300 platform? For ISRs and ASRs, outbound on Tunnels works just fine. But I realize that switches may have certain limitations, even though I couldn't find this one in the documentation.

Thanks!

2 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

You said you have GRE between two devices and the switches are between the GRE devices?

Can you describe more: on what type of interface do you apply the tunnel? Layer 3 or Layer 2, or is it an SVI?

Hi,

The GRE is configured on the two 9300 stacks, as seen here:

[attachment: gre filtering.jpg]

The filter is configured on the GRE tunnel interface of the 9300. The tunnel source is an SVI, and the destination is the SVI of the opposite stack.
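
For reference, here is an added example (not the poster's configuration, which is only in the attached image) of the setup described in this thread: a GRE tunnel on one 9300 stack sourced from an SVI, an object-group based extended ACL applied inbound and outbound on the Tunnel interface, and the show commands used to tell whether the outbound ACL is actually being evaluated. All addresses, VLAN IDs, object-group and ACL names are assumed; the opposite stack mirrors this with the addresses swapped. The platform-level ACL counter command is the one documented for Catalyst 9000 IOS-XE; its exact output can vary by release.

```ios
! ---- Stack A (all names and addresses below are assumed for illustration) ----
object-group network SITE-B-SERVERS
 10.20.0.0 255.255.255.0
!
ip access-list extended TUN-IN
 permit tcp object-group SITE-B-SERVERS any eq 443
 deny   ip any any log
!
ip access-list extended TUN-OUT
 permit tcp any object-group SITE-B-SERVERS eq 443
 deny   ip any any log
!
! Underlay SVI used as the tunnel source (the OP's topology)
interface Vlan10
 description Tunnel source / underlay toward stack B
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel0
 description GRE to stack B
 ip address 10.255.0.1 255.255.255.252
 tunnel mode gre ip
 tunnel source Vlan10
 tunnel destination 192.0.2.2
 ip access-group TUN-IN in
 ip access-group TUN-OUT out
!
! Route site B's prefix into the tunnel so transit traffic actually exits Tunnel0
ip route 10.20.0.0 255.255.255.0 Tunnel0
!
! ---- Verification ----
! 1. Confirm both ACLs are bound to the tunnel interface
show ip interface Tunnel0 | include access list
! 2. Send transit traffic (from a host behind stack A, not from the switch itself),
!    then compare counters for TUN-IN and TUN-OUT
show ip access-lists TUN-IN
show ip access-lists TUN-OUT
! 3. Hardware-forwarded hits are counted here, not in "show ip access-lists"
show platform software fed switch active acl counters hardware
```

Two caveats matter when reading the results. First, IOS outbound ACLs do not filter packets the switch originates itself, so a `ping` sourced from the stack is not a valid test of `TUN-OUT`; the test traffic has to come from a host behind the stack and be routed into Tunnel0. Second, on the Catalyst 9300 the ACE counters in `show ip access-lists` only reflect packets handled in software (for example those punted by a `log` ACE); traffic matched in the forwarding ASIC shows up in the platform hardware counters, so a zero in the software counters alone does not prove the outbound ACL is not being applied.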