Change ACL denies for unreachable ip's?

K-Grev · ‎09-04-2020

Hi,

Currently, our 6500 switch logs unreachable ip addresses as "denies" in it's Syslog messages.

And to be more specific, it will allow traffic to a host, but if that host goes offline and can't reach it, the packet is denied under the acl that normally allows it.

I believe this is common practice but for personnel keeping track of Syslog information it comes across weird when something that normally is allowed shoes as denied.

Does anyone know of a way to modify this?

For more info, we have ASR901's connected over fiber to a 6500. When an ASR goes down from power loss we will see the deny statements.

Thanks for any advise.

balaji.bandi · ‎09-04-2020

how is that automatic process running background, do you have EEM Script or ACL?

or post the device configuration to look.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎09-04-2020

Hello,

set the value in the ip icmp rate-limit to the highest value, which is 4294967295 milliseconds (about 1 week). That way, only one message will be generated once a week.

6500(config)#ip icmp rate-limit unreachable 4294967295

Cisco Freak · ‎09-04-2020

Can you please post relevant configs?

CF

paul driver · ‎09-05-2020

Hello

TBH not sure I understand, Are you saying you have acl policy's that deny icmp unreachables, or you have something like null statics to your advertised subnets for hosts that are unreachable?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul