ME3600 ACL out does not work or does not seem to work


interface GigabitEthernet0/1
 description Trianel Krefelderstr.
 no switchport
 bandwidth 1000000
 ip vrf forwarding trianel
 ip address 10.107.241.253 255.255.255.252
 no ip proxy-arp
 ip access-group trianel-flexpool-btc-zugriff-in in
 ip access-group trianel-flexpool-btc-zugriff-out out
 ip ospf network point-to-point
 load-interval 30
 no cdp enable
 no lldp transmit
end

sw04000154#sh ip access-lists trianel-flexpool-btc-zugriff-out
Extended IP access list trianel-flexpool-btc-zugriff-out
    10 permit ip 10.0.225.16 0.0.0.7 10.186.133.0 0.0.0.255
    20 permit ip 10.0.225.48 0.0.0.7 10.186.133.0 0.0.0.255
    30 permit ip host 10.160.120.10 10.186.133.0 0.0.0.255
    40 permit ip host 10.1.100.10 10.186.133.0 0.0.0.255
    50 permit ip host 10.2.100.20 10.186.133.0 0.0.0.255
    59 permit icmp 10.106.152.0 0.0.3.255 10.186.133.0 0.0.0.255 reflect relexive
    60 permit ip 10.106.152.0 0.0.3.255 10.186.133.0 0.0.0.255 reflect reflect_trianel-flexpool-btc-zugriff
    90 deny ip any 10.186.133.0 0.0.0.255 log-input
    100 permit ip any any
sw04000154#

sw04000154#sh ip access-lists trianel-flexpool-btc-zugriff-in
Extended IP access list trianel-flexpool-btc-zugriff-in
    10 permit ip 10.186.133.0 0.0.0.255 10.0.225.16 0.0.0.7
    20 permit ip 10.186.133.0 0.0.0.255 10.0.225.48 0.0.0.7
    30 permit ip 10.186.133.0 0.0.0.255 host 10.160.120.10
    40 permit ip 10.186.133.0 0.0.0.255 host 10.1.100.10
    50 permit ip 10.186.133.0 0.0.0.255 host 10.2.100.20
    59 evaluate relexive
    60 evaluate reflect_trianel-flexpool-btc-zugriff
    70 permit icmp 10.186.133.0 0.0.0.255 10.106.152.0 0.0.3.255
    90 deny ip 10.186.133.0 0.0.0.255 any (18 matches)
    100 permit ip any any (2511 matches)

/me360x-universalk9-mz.154-3.S4/me360x-universalk9-mz.154-3.S4.bin"

The outgoing ACL does not seem to work, as the counters do not increase.

The reflexive ACL is still empty when I make a ping from 10.106.152.0/22 --> 10.186.133.1


Also, the ACL counters do not increase at the "evaluate" lines.


By the way, I don't trust the counters of the "in" ACL either, because 2511 matches after 4 hours at ~100 Mbit... I guess this can't be right either:
 sw04000154#sh int gi0/1
  30 second input rate 2051000 bits/sec, 1182 packets/sec
  30 second output rate 14006000 bits/sec, 1778 packets/sec

Well, the routing uplink to the core is MPLS/BGP VPNv4 (OSPF as the underlay in the global routing context).


The downlink side at gi0/1 is not under my administration, and I want to disallow some outgoing traffic too.

So, does somebody have an idea what's going wrong?


Thanks a lot


Robert

0 Replies
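Before chasing a platform problem it helps to pin down what the two ACLs above are supposed to do for a given flow. The following script is an added example, not code from the post or from Cisco: it parses the "sh ip access-lists" output quoted above (the "(N matches)" counters are stripped), evaluates sample flows with standard IOS first-match and wildcard-mask semantics, and models the reflexive pairing in a simplified way, where a hit on a "reflect" ACE records the mirrored protocol and addresses (no ports, no timeouts) so that an "evaluate" ACE on the other direction can permit the return traffic. It does not model any ME3600 hardware-specific behaviour; the sample flows (192.0.2.9, 10.200.0.1 and the host addresses inside the quoted ranges) are constructed for illustration.

```python
"""Simulate first-match evaluation of the two extended ACLs from the post,
including the simplified reflexive ('reflect' / 'evaluate') pairing, to show
which sequence number each sample flow is expected to hit."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ACL text copied from the post's "sh ip access-lists" output.
ACL_OUT_TEXT = """
10 permit ip 10.0.225.16 0.0.0.7 10.186.133.0 0.0.0.255
20 permit ip 10.0.225.48 0.0.0.7 10.186.133.0 0.0.0.255
30 permit ip host 10.160.120.10 10.186.133.0 0.0.0.255
40 permit ip host 10.1.100.10 10.186.133.0 0.0.0.255
50 permit ip host 10.2.100.20 10.186.133.0 0.0.0.255
59 permit icmp 10.106.152.0 0.0.3.255 10.186.133.0 0.0.0.255 reflect relexive
60 permit ip 10.106.152.0 0.0.3.255 10.186.133.0 0.0.0.255 reflect reflect_trianel-flexpool-btc-zugriff
90 deny ip any 10.186.133.0 0.0.0.255 log-input
100 permit ip any any
"""
ACL_IN_TEXT = """
10 permit ip 10.186.133.0 0.0.0.255 10.0.225.16 0.0.0.7
20 permit ip 10.186.133.0 0.0.0.255 10.0.225.48 0.0.0.7
30 permit ip 10.186.133.0 0.0.0.255 host 10.160.120.10
40 permit ip 10.186.133.0 0.0.0.255 host 10.1.100.10
50 permit ip 10.186.133.0 0.0.0.255 host 10.2.100.20
59 evaluate relexive
60 evaluate reflect_trianel-flexpool-btc-zugriff
70 permit icmp 10.186.133.0 0.0.0.255 10.106.152.0 0.0.3.255
90 deny ip 10.186.133.0 0.0.0.255 any (18 matches)
100 permit ip any any (2511 matches)
"""

ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches everything


@dataclass
class Ace:
    seq: int
    action: str                    # "permit", "deny" or "evaluate"
    proto: str = "ip"              # "ip" matches every protocol
    src: tuple = ANY               # (address, wildcard) as 32-bit ints
    dst: tuple = ANY
    reflect: Optional[str] = None  # reflexive list this ACE feeds
    evaluate: Optional[str] = None  # reflexive list this ACE consults
    log: bool = False


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return ((addr, wildcard), next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(text):
    """Turn 'sh ip access-lists' lines into Ace objects, dropping match counters."""
    aces = []
    for line in text.splitlines():
        t = re.sub(r"\s*\(\d+ matches\)", "", line).split()
        if not t or not t[0].isdigit():
            continue  # blank line or the "Extended IP access list ..." header
        seq = int(t[0])
        if t[1] == "evaluate":
            aces.append(Ace(seq, "evaluate", evaluate=t[2]))
            continue
        src, i = _addr(t, 3)
        dst, i = _addr(t, i)
        rest = t[i:]
        reflect = rest[rest.index("reflect") + 1] if "reflect" in rest else None
        log = any(x.startswith("log") for x in rest)
        aces.append(Ace(seq, t[1], t[2], src, dst, reflect, None, log))
    return aces


def _match_addr(spec, ip):
    addr, wildcard = spec
    # Cisco wildcard semantics: a 1 bit in the wildcard means "don't care".
    return (ip | wildcard) == (addr | wildcard)


class Router:
    """Holds both ACLs plus the dynamic entries created by 'reflect' ACEs."""

    def __init__(self, acl_in_text, acl_out_text):
        self.acl_in = parse_acl(acl_in_text)
        self.acl_out = parse_acl(acl_out_text)
        self.reflexive = {}  # list name -> set of (proto, src, dst) mirrored sessions

    def check(self, acl, proto, src, dst):
        """Return (sequence, action) of the first ACE matching the flow."""
        s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
        for ace in acl:
            if ace.action == "evaluate":
                if (proto, s, d) in self.reflexive.get(ace.evaluate, set()):
                    return ace.seq, "permit"
                continue  # nothing recorded yet: fall through to the static ACEs
            if ace.proto in ("ip", proto) and _match_addr(ace.src, s) and _match_addr(ace.dst, d):
                if ace.reflect:  # record the mirrored session for the return direction
                    self.reflexive.setdefault(ace.reflect, set()).add((proto, d, s))
                return ace.seq, ace.action
        return None, "deny"  # implicit deny at the end of every ACL

    def outbound(self, proto, src, dst):
        return self.check(self.acl_out, proto, src, dst)

    def inbound(self, proto, src, dst):
        return self.check(self.acl_in, proto, src, dst)


if __name__ == "__main__":
    r = Router(ACL_IN_TEXT, ACL_OUT_TEXT)
    print("return TCP before any outbound:", r.inbound("tcp", "10.186.133.1", "10.106.152.5"))
    print("outbound TCP:", r.outbound("tcp", "10.106.152.5", "10.186.133.1"))
    print("return TCP after outbound:", r.inbound("tcp", "10.186.133.1", "10.106.152.5"))
    print("unlisted source to 10.186.133.0/24:", r.outbound("tcp", "192.0.2.9", "10.186.133.7"))
```

Run stand-alone, the script shows the behaviour the post expects from a working configuration: return TCP from 10.186.133.1 is dropped by sequence 90 of the "in" ACL until an outbound packet has hit sequence 60 of the "out" ACL, after which the "evaluate" line at sequence 60 permits it; ICMP in either direction is covered by sequence 59 (outbound) and its mirrored entry or the static sequence 70 (inbound). If a live device shows zero hits on these sequences for flows that the simulation matches, the gap lies in the platform's handling of the ACL rather than in the policy itself.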