Cisco 3550 Source Port Based ACLs are not Matching PBR

Josh-Hill
Level 1

Config: 

route-map PLEX-SERVICE permit 10
match ip address PLEX-ACL
set ip next-hop 192.168.1.187

ip access-list extended PLEX-ACL
permit tcp host 192.168.10.10 eq 32400 any
permit tcp host 192.168.4.12 eq 32400 any

# sh sdm prefer
The current template is the default extended-match template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1K VLANs.

number of unicast mac addresses: 5K
number of igmp groups: 1K
number of qos aces: 1K
number of security aces: 1K
number of unicast routes: 4K
number of multicast routes: 1K

interface Vlan10
description Virtual Vlan 10
ip address 192.168.10.2 255.255.255.0
ip policy route-map PLEX-SERVICE

interface Vlan4
description HPN-DMZ
ip address 192.168.4.1 255.255.255.0
ip policy route-map PLEX-SERVICE

Logs

*Mar 1 00:21:21.067: IP: s=192.168.10.10 (Vlan10), d=192.168.10.255, len 78, policy rejected -- normal forwarding
*Mar 1 00:21:21.815: IP: s=192.168.10.10 (Vlan10), d=192.168.10.255, len 78, policy rejected -- normal forwarding
*Mar 1 00:21:22.043: IP: s=192.168.10.10 (Vlan10), d=192.168.10.255, len 49, policy rejected -- normal forwarding
*Mar 1 00:21:22.043: IP: s=192.168.10.10 (Vlan10), d=192.168.10.255, len 49, policy rejected -- normal forwarding
*Mar 1 00:21:22.567: IP: s=192.168.10.10 (Vlan10), d=192.168.10.255, len 78, policy rejected -- normal forwarding

So when I apply the ACL to the VLAN interface directly I get matches (verified through the log command), so I know the ACL is correct. However, when I use this ACL with the above route-map it does not catch. I have read on a few forums that on some switches you won't see the hits; however, I am not seeing outbound traffic on the network hop interfaces. Nor are my dummy ACLs incrementing.

Any help would be appreciated.

1 Reply

Mark Malone
VIP Alumni

SDM looks right, policy looks right.

Shot in the dark, but did you try altering the ACL just in case it's having an issue? I know it's working in general, but in case policy is not catching it right for some reason in software.

Try reorganizing it:

ip access-list extended PLEX-ACL
permit tcp host 192.168.10.10  any eq 32400
permit tcp host 192.168.4.12 any eq 32400

or change it to a different type of ACL:

access-list 199 permit tcp host 192.168.10.10  any eq 32400

You never know what's triggering it not to be caught. Could try, if the 192.168.1.187 is not already in the route table, set ip default next-hop and see if that catches it instead.

If you have already tried options like this I would change the software just in case; upgrade the IOS.
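The two ACLs in this thread look similar but select opposite traffic: the original `permit tcp host 192.168.10.10 eq 32400 any` matches TCP segments the Plex host sends FROM port 32400 (server replies), while the reordered `permit tcp host 192.168.10.10 any eq 32400` matches TCP segments the same host sends TO port 32400. It also explains the debug lines: packets to 192.168.10.255 are broadcasts, and unless they are TCP segments sourced from port 32400 the policy map cannot match them, which is exactly what "policy rejected -- normal forwarding" reports. The following Python script is an added example, not code from the thread or from Cisco; it implements a toy evaluator for the one-line extended ACE shape used in both posts (first-match semantics with the implicit trailing deny) and a `pbr_next_hop` helper that mimics `route-map permit / match ip address / set ip next-hop`. The packet values and the `TEST_NEXT_HOP` constant are constructed for the demonstration.

```python
"""Toy Cisco IOS extended-ACL / PBR matcher (added example, not from the thread).

Supports only the ACE shape used in the post:
    permit|deny <proto> (host A | any) [eq P] (host B | any) [eq Q]
where the first 'eq' binds to the SOURCE port and the second to the DESTINATION port.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>host\s+\S+|any)(?:\s+eq\s+(?P<sport>\d+))?\s+"
    r"(?P<dst>host\s+\S+|any)(?:\s+eq\s+(?P<dport>\d+))?\s*$"
)

# ACLs copied from the two posts (the 'ip access-list extended' header is skipped by the parser).
ORIGINAL_ACL = """ip access-list extended PLEX-ACL
permit tcp host 192.168.10.10 eq 32400 any
permit tcp host 192.168.4.12 eq 32400 any"""

REORDERED_ACL = """ip access-list extended PLEX-ACL
permit tcp host 192.168.10.10  any eq 32400
permit tcp host 192.168.4.12 any eq 32400"""

TEST_NEXT_HOP = "192.168.1.187"  # the next hop from the route-map in the post


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: Optional[str]     # None means 'any'
    sport: Optional[int]   # None means no source-port qualifier
    dst: Optional[str]
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto not in ("ip", pkt.proto):
            return False
        if self.src is not None and self.src != pkt.src:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    host = lambda tok: None if tok == "any" else tok.split()[1]
    port = lambda tok: int(tok) if tok else None
    return Ace(m["action"], m["proto"],
               host(m["src"]), port(m["sport"]),
               host(m["dst"]), port(m["dport"]))


def parse_acl(text: str) -> List[Ace]:
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [parse_ace(l) for l in lines if not l.startswith("ip access-list")]


def acl_lookup(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; the implicit 'deny ip any any' ends every IOS ACL."""
    for ace in aces:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def pbr_next_hop(aces: List[Ace], pkt: Packet, next_hop: str) -> Optional[str]:
    """route-map ... permit 10 / match ip address ACL / set ip next-hop.
    Returns the next hop when the ACL permits the packet, otherwise None,
    i.e. what the debug output calls 'policy rejected -- normal forwarding'."""
    return next_hop if acl_lookup(aces, pkt) == "permit" else None


if __name__ == "__main__":
    orig, reordered = parse_acl(ORIGINAL_ACL), parse_acl(REORDERED_ACL)
    # Constructed packets: a Plex server reply, a client request to Plex, and a LAN broadcast.
    server_reply = Packet("tcp", "192.168.10.10", "192.168.50.20", 32400, 51234)
    client_request = Packet("tcp", "192.168.10.10", "192.168.50.20", 51234, 32400)
    broadcast = Packet("udp", "192.168.10.10", "192.168.10.255", 137, 137)
    for name, pkt in [("server_reply", server_reply), ("client_request", client_request), ("broadcast", broadcast)]:
        print(f"{name:15} original={pbr_next_hop(orig, pkt, TEST_NEXT_HOP)}  reordered={pbr_next_hop(reordered, pkt, TEST_NEXT_HOP)}")
```

Run it and the server reply is policy-routed only by the original ACL, the client request only by the reordered one, and the broadcast by neither; when diagnosing a PBR map that "does not catch", check which direction of the flow actually crosses the interface the policy is applied to before changing software.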