ME3600 ACL out does not work or does not seem to work
description Trianel Krefelderstr.
ip vrf forwarding trianel
ip address 10.107.241.253 255.255.255.252
no ip proxy-arp
ip access-group trianel-flexpool-btc-zugriff-in in
ip access-group trianel-flexpool-btc-zugriff-out out
ip ospf network point-to-point
no cdp enable
no lldp transmit
sw04000154#sh ip access-lists trianel-flexpool-btc-zugriff-out
Extended IP access list trianel-flexpool-btc-zugriff-out
10 permit ip 10.0.225.16 0.0.0.7 10.186.133.0 0.0.0.255
20 permit ip 10.0.225.48 0.0.0.7 10.186.133.0 0.0.0.255
30 permit ip host 10.160.120.10 10.186.133.0 0.0.0.255
40 permit ip host 10.1.100.10 10.186.133.0 0.0.0.255
50 permit ip host 10.2.100.20 10.186.133.0 0.0.0.255
59 permit icmp 10.106.152.0 0.0.3.255 10.186.133.0 0.0.0.255 reflect relexive
60 permit ip 10.106.152.0 0.0.3.255 10.186.133.0 0.0.0.255 reflect reflect_trianel-flexpool-btc-zugriff
90 deny ip any 10.186.133.0 0.0.0.255 log-input
100 permit ip any any
sw04000154#sh ip access-lists trianel-flexpool-btc-zugriff-in
Extended IP access list trianel-flexpool-btc-zugriff-in
10 permit ip 10.186.133.0 0.0.0.255 10.0.225.16 0.0.0.7
20 permit ip 10.186.133.0 0.0.0.255 10.0.225.48 0.0.0.7
30 permit ip 10.186.133.0 0.0.0.255 host 10.160.120.10
40 permit ip 10.186.133.0 0.0.0.255 host 10.1.100.10
50 permit ip 10.186.133.0 0.0.0.255 host 10.2.100.20
59 evaluate relexive
60 evaluate reflect_trianel-flexpool-btc-zugriff
70 permit icmp 10.186.133.0 0.0.0.255 10.106.152.0 0.0.3.255
90 deny ip 10.186.133.0 0.0.0.255 any (18 matches)
100 permit ip any any (2511 matches)
The outgoing ACL seems not to work, as the counters do not increase.
The reflexive ACL is still empty when I ping from 10.106.152.0/22 --> 10.186.133.1
So the ACL does not increase at the "evaluate" lines.
By the way, I don't trust the ACL in counters, because 2511 matches after 4 hours with ~100 Mbit... I guess this can't be right either...:
sw04000154#sh int gi0/1
30 second input rate 2051000 bits/sec, 1182 packets/sec
30 second output rate 14006000 bits/sec, 1778 packets/sec
Well, the routing uplink to core is mpls/bgp vpnv4 (ospf as underlying in global routing context).
The downlink side at gi0/1 is not under my administration, and I want to disallow some outgoing traffic too.