Network transient interruption when removing an entry in the ACL under the Catalyst 3850 SVI interface

Rps-Cheers
VIP Collaborator

Hello everyone,
I have a problem with ACLs on the Catalyst 3850.
On the 3850, I configured an extended ACL with more than 60 entries, as follows:

interface Vlan110
ip address 10.110.10.1 255.255.255.0
ip access-group MGT-V110-ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim sparse-mode

SW01#show inter vlan 110
Vlan110 is up, line protocol is up
  Hardware is Ethernet SVI, address is 2c86.d2c3.e84d (bia 2c86.d2c3.e84d)
  Internet address is 10.110.10.1/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 4/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/208/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 6178000 bits/sec, 1967 packets/sec
  5 minute output rate 17443000 bits/sec, 3078 packets/sec
     154138521294 packets input, 63430780136941 bytes, 0 no buffer
     Received 0 broadcasts (115009 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     333930193033 packets output, 393604448659988 bytes, 0 underruns
     0 output errors, 1 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

ip access-list extended MGT-V110-ACL
permit icmp any any
permit udp any eq domain any
permit udp any any eq domain
permit ip any 224.0.0.0 0.0.0.255
permit udp any eq 5514 5515 any
remark SPLUNK-5
permit udp any any eq snmp
permit udp any eq snmp any
permit udp any any eq snmptrap
permit udp any eq snmptrap any
permit udp any any eq ntp
permit udp any eq ntp any
permit udp any any eq syslog
permit udp any eq syslog any
permit tcp any any established
permit tcp host 10.110.10.12 10.110.18.0 0.0.0.255 eq 22 443
permit tcp host 10.110.10.12 10.110.82.0 0.0.0.255 eq 22 telnet
permit tcp host 10.110.10.12 192.168.38.0 0.0.0.255 eq 22
permit tcp host 10.110.10.12 10.110.128.0 0.0.0.255 eq 22
remark IMCwangguan-2
permit ip host 10.110.10.82 10.110.18.0 0.0.0.255
permit ip host 10.110.10.82 10.110.82.0 0.0.0.255
permit ip host 10.110.10.82 192.168.38.0 0.0.0.255
permit ip host 10.110.10.82 10.110.128.0 0.0.0.255
remark SPLUNK-5
permit tcp host 10.110.10.8 10.110.0.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.8 10.110.1.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.8 10.110.3.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.9 10.110.0.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.9 10.110.1.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.9 10.110.3.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.10 10.110.0.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.10 10.110.1.0 0.0.0.255 eq 8089 9997
permit tcp host 10.110.10.10 10.110.3.0 0.0.0.255 eq 8089 9997
remark AllInOne-nbu
permit tcp host 10.110.10.13 any eq 22 3389 443 5899 telnet
permit tcp host 10.110.10.14 any eq 22 3389 443 5899 telnet
remark BaoLeiQianZhiJi-9
permit ip 10.110.10.116 0.0.0.1 host 10.110.8.30
permit ip 10.110.10.116 0.0.0.1 10.110.16.0 0.0.3.255
permit ip 10.110.10.116 0.0.0.1 10.110.8.0 0.0.1.255
permit ip 10.110.10.116 0.0.0.1 host 10.110.18.75
permit ip 10.110.10.116 0.0.0.1 host 10.110.1.129
remark NBUGuanLiJi-10
permit tcp host 10.110.10.35 object-group NBUGuanLiJi eq 1556 13724 13782 902 443
permit tcp host 10.110.10.99 object-group NBUGuanLiJi eq 1556 13724 13782 902 443
permit tcp host 10.110.10.122 object-group NBUGuanLiJi eq 1556 13724 13782 902 443
permit object-group Policy-11 object-group ZiDongHuaQieHuan host 10.110.10.159
remark QuShiShaDu-12
permit ip object-group QuShiShaDu object-group ShaDu
remark lenovoxclarityGuanLi-13
permit ip host 10.110.10.94 10.110.16.0 0.0.0.255
remark brocadebanGuanLi-15
permit ip host 10.110.10.97 10.110.17.0 0.0.0.255
remark ibm-tpcGuanLi-16
permit ip host 10.110.10.98 10.110.17.0 0.0.0.255
remark zabbix-vcenter-17
permit tcp host 10.110.10.109 host 10.110.8.30 eq 443
permit tcp host 10.110.10.137 host 10.110.8.30 eq 443
permit tcp host 10.110.10.138 host 10.110.8.30 eq 443
permit ip host 10.110.10.109 object-group agent
permit ip host 10.110.10.137 object-group agent
permit ip host 10.110.10.138 object-group agent
remark Policy-23
permit tcp host 10.110.10.103 host 10.110.0.135 eq www
permit tcp host 10.110.10.104 host 10.110.0.135 eq www
remark Policy-29
permit ip 10.110.10.86 0.0.0.1 any
remark Policy-30
permit ip any 10.110.10.86 0.0.0.1
remark YingFangTongBu-31
permit tcp host 10.110.10.163 object-group YingFangTongBu eq 26821
remark vplexZhongCai-32
permit ip host 10.110.10.136 10.110.17.0 0.0.0.255
remark exsiGuanLivcenter-38
permit ip host 10.110.10.115 host 10.110.8.30
remark waf-41
permit tcp host 10.110.10.58 10.110.18.164 0.0.0.1 eq 8080
remark ShaDu-42
permit tcp host 10.110.10.121 10.110.18.164 0.0.0.1 eq 8080
remark wsus-43
permit tcp host 10.110.10.90 10.110.18.164 0.0.0.1 eq 8080
remark VSM
permit ip host 10.110.10.123 10.110.8.0 0.0.0.255
permit ip host 10.110.10.123 10.110.9.0 0.0.0.255
remark waf-47
permit ip host 10.110.10.58 host 10.110.18.159
permit ip host 10.110.10.58 host 10.110.18.160
remark splunk-50
permit tcp host 10.110.10.8 host 10.110.3.8 eq 3306
remark nbu_XuJiHuiFu
permit tcp host 10.110.10.35 host 10.110.9.13 eq sunrpc 2049 7394
remark Policy-52
permit tcp host 10.110.10.8 host 10.110.0.41 eq smtp
remark itsm-mail
permit tcp 10.110.10.100 0.0.0.1 host 10.110.0.41 eq smtp
permit ip host 10.110.10.84 host 10.110.1.194
permit ip host 10.110.10.84 host 10.110.1.195
permit ip host 10.110.10.84 host 10.110.1.196
remark bst01App
permit ip host 10.110.10.36 host 10.110.1.194
permit ip host 10.110.10.36 host 10.110.1.195
permit ip host 10.110.10.36 host 10.110.1.196
permit ip host 10.110.10.84 host 10.110.1.90
permit ip host 10.110.10.84 host 10.110.1.91
permit ip host 10.110.10.84 host 10.110.1.92
permit tcp host 10.110.10.84 10.110.0.0 0.0.3.255 eq 1556 13720 13724 13782 13783 902 443
permit tcp host 10.110.10.84 10.110.8.0 0.0.1.255 eq 1556 13720 13724 13782 13783 902 443
remark AllInOne-nbu
permit tcp host 10.110.10.36 10.110.0.0 0.0.3.255 eq 1556 13720 13724 13782 13783 902 443
permit tcp host 10.110.10.36 10.110.8.0 0.0.1.255 eq 1556 13720 13724 13782 13783 902 443
permit ip host 10.110.10.139 host 10.110.18.166
permit ip host 10.110.10.84 host 10.110.1.190
permit ip host 10.110.10.84 host 10.110.1.192
permit ip host 10.110.10.84 host 10.110.1.193
permit ip host 10.110.10.84 host 10.110.1.191

If I remove an entry from the above ACL, traffic on the SVI is temporarily interrupted, including management traffic and normal traffic. What is especially strange is that the entries I deleted were irrelevant ones.
To test this, I also added an arbitrary entry at the end of the ACL, for example:
===========================================
ip access-list extended MGT-V110-ACL
     999 permit ip host 1.1.1.1 host 2.2.2.2
Then I deleted it again:
ip access-list extended MGT-V110-ACL
     no 999
===========================================
At that moment the traffic interruption occurred. I think this is very strange. Have you encountered such a problem? Can you help me solve it?
Thank you very much.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks!
Accepted Solution

andresfr
Cisco Employee

Hello,

As you will find in the link below, the switch needs to program its hardware with the ACL information it processes:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/security/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_01010.html#concept_2BC6AB2572F24E1AB9F04A062A16BAD2

Keeping that in mind, it's expected that the switch will need to re-program its hardware if you modify the access control entries in the ACL. So the interruption you're reporting is expected behavior, considering the above.

Please let me know if this information helps to address your concerns.

Regards,

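The accepted answer explains that every change to the access control entries makes the switch re-program its hardware, and the question shows the add-then-remove test performed as two separate edits. The Python script below is an added illustration for this thread, not code from the original post or from Cisco: it parses two versions of an IOS extended ACL, checks that the entries retained in both keep their relative order (an ACL is first-match, so silent re-ordering would change what is permitted), and emits one sequence-numbered change set so that all edits can be reviewed and applied in a single pass instead of one re-program per entry. It assumes that entries without an explicit sequence number are numbered 10, 20, 30 and so on, as IOS does by default; for a live change the numbers should be taken from `show ip access-lists`. The two sample ACLs are constructed excerpts of the list in the question.

```python
"""Diff two versions of an IOS extended ACL into one sequence-numbered change set.

Added illustration for the thread above, not code from the original post or from
Cisco. The two sample ACLs are constructed excerpts of the list in the question.
"""

# Constructed sample: the ACL as it runs today (short excerpt of the thread's list).
RUNNING_ACL = """\
ip access-list extended MGT-V110-ACL
 permit icmp any any
 permit udp any eq domain any
 remark SPLUNK-5
 permit udp any any eq snmp
 permit tcp any any established
 permit tcp host 10.110.10.12 10.110.18.0 0.0.0.255 eq 22 443
"""

# Constructed sample: the intended ACL (DNS entry dropped, one SSH entry added).
INTENDED_ACL = """\
ip access-list extended MGT-V110-ACL
 permit icmp any any
 remark SPLUNK-5
 permit udp any any eq snmp
 permit tcp any any established
 permit tcp host 10.110.10.12 10.110.18.0 0.0.0.255 eq 22 443
 permit tcp host 10.110.10.12 10.110.82.0 0.0.0.255 eq 22
"""


def parse_acl(text):
    """Return (name, [(seq, ace_text), ...]) for one named extended ACL.

    Remarks are skipped (comments, never programmed into hardware). Entries
    without a sequence number get 10, 20, 30, ... (assumption: IOS default).
    """
    name, aces, next_seq = None, [], 10
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        seq = None
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        if not tokens or tokens[0] == "remark":
            continue
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACE: {raw.strip()}")
        seq = next_seq if seq is None else seq
        next_seq = seq + 10
        aces.append((seq, " ".join(tokens)))
    if name is None:
        raise ValueError("missing 'ip access-list extended <name>' header")
    return name, aces


def diff_acl(running, intended):
    """Return (name, removals, additions) turning `running` into `intended`.

    Entries are matched by text, not position. Entries kept in both versions
    must keep their relative order, otherwise first-match semantics would shift.
    """
    run_name, run_aces = parse_acl(running)
    int_name, int_aces = parse_acl(intended)
    if run_name != int_name:
        raise ValueError(f"ACL names differ: {run_name} vs {int_name}")
    run_seq = {ace: seq for seq, ace in run_aces}
    int_texts = {ace for _, ace in int_aces}
    kept_run = [ace for _, ace in run_aces if ace in int_texts]
    kept_int = [ace for _, ace in int_aces if ace in run_seq]
    if kept_run != kept_int:
        raise ValueError("retained entries are re-ordered; rebuild the ACL instead")

    removals = sorted(seq for seq, ace in run_aces if ace not in int_texts)
    additions, used, prev = [], {seq for seq, _ in run_aces}, 0
    for idx, (_, ace) in enumerate(int_aces):
        if ace in run_seq:  # a retained entry anchors the position
            prev = run_seq[ace]
            continue
        # The next retained entry bounds the new sequence number from above.
        nxt = next((run_seq[a] for _, a in int_aces[idx + 1:] if a in run_seq), None)
        if nxt is None:
            seq = prev + 10
            while seq in used:
                seq += 10
        else:
            seq = next((s for s in range(prev + 1, nxt) if s not in used), None)
            if seq is None:
                raise ValueError(f"no free sequence number between {prev} and {nxt}; "
                                 f"run 'ip access-list resequence {run_name} 10 10' first")
        used.add(seq)
        prev = seq
        additions.append((seq, ace))
    return run_name, removals, additions


def render_change(running, intended):
    """CLI lines for the change set; empty list when nothing needs to change."""
    name, removals, additions = diff_acl(running, intended)
    if not removals and not additions:
        return []
    lines = [f"ip access-list extended {name}"]
    lines += [f" no {seq}" for seq in removals]
    lines += [f" {seq} {ace}" for seq, ace in additions]
    return lines


if __name__ == "__main__":
    print("\n".join(render_change(RUNNING_ACL, INTENDED_ACL)))
```

Removals are emitted as `no <seq>`, the form used in the question, and additions carry an explicit sequence number so they land between the right neighbours rather than at the end of the list. When no free number exists between two retained entries the script stops and asks for `ip access-list resequence` to be run first, which is itself a change to the ACL and should be scheduled with the same care as the edit it prepares.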


andresfr
Cisco Employee