ACL and debug ip packet questions

From: George He (georgeh@adstream.com.au)
Date: Sun Nov 09 2003 - 21:13:18 GMT-3


Hi group,

I have two questions on ACL and debug ip packet. Please see the topology
below.

Question:

1. With access-list 101 as below

access-list 101 permit tcp 1.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 135
access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 135

I can telnet 1.1.1.2 135 from 192.168.100.170, but I can not telnet
192.168.100.170 135 from 1.1.1.2. Why? I think I should be able to
telnet from both sides successfully.

After I added

access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 established

It's ok. Why?

2. When I enter "debug ip packet 101" and try to telnet to 1.1.1.2
from 192.168.100.170, I can not see any packets on the console of the
router. But "debug ip packet" works fine. As you know, I disabled ip
route-cache on interfaces vlan1 and vlan2, and still can not see any packets.

Any comments? Many thanks.

Topology and configuration:

Host1(192.168.100.170/24)------(Vlan1 192.168.100.16/24) Switch (VLAN2
1.1.1.1/24)---------Host2(1.1.1.2/24)

Switch#sh run
Building configuration...

Current configuration : 3106 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 $1$9TmA$IBABpTPxa4675WV1AdIP6.
!
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
interface GigabitEthernet1/0/1
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 no ip address
 mdix auto
 spanning-tree portfast
!
interface GigabitEthernet1/0/25
 no ip address
!
interface GigabitEthernet1/0/26
 no ip address
!
interface GigabitEthernet1/0/27
 no ip address
!
interface GigabitEthernet1/0/28
 no ip address
!
interface Vlan1
 ip address 192.168.100.16 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Vlan2
 ip address 1.1.1.1 255.255.255.0
 ip access-group 101 out
 no ip route-cache
 no ip mroute-cache
!
ip classless
ip http server
!
access-list 101 permit tcp 1.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 135
access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 135
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
 no login
line vty 5 15
 logging synchronous
 no login
!
end

Switch#

Regards

George
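An added example, not part of George's post, that models the Cisco extended-ACL semantics behind question 1 and replays both telnet handshakes through the ACL applied with `ip access-group 101 out` on Vlan2. The model assumes: a 0 bit in a wildcard mask must match and a 1 bit is ignored; `eq 135` written after the destination address matches the destination port only; `established` matches any TCP segment with ACK or RST set and keeps no state; unmatched packets hit the implicit deny; and an outbound ACL on Vlan2 only sees packets whose destination is in 1.1.1.0/24. The client ephemeral port 40000 and the flag sets are constructed values.

```python
"""Model of Cisco extended-ACL matching for the two flows in the post (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# The ACL from the post, before and after the 'established' line was added.
ACL_ORIGINAL = [
    "access-list 101 permit tcp 1.1.1.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 135",
    "access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 eq 135",
]
ACL_WITH_ESTABLISHED = ACL_ORIGINAL + [
    "access-list 101 permit tcp 192.168.100.0 0.0.0.255 1.1.1.0 0.0.0.255 established",
]

# Only the two ACE forms used in the post are parsed: optional 'eq <port>' on the
# destination, optional trailing 'established'.
ACE_RE = re.compile(
    r"access-list \d+ (permit|deny) tcp (\S+) (\S+) (\S+) (\S+)(?: eq (\d+))?( established)?$"
)

@dataclass(frozen=True)
class Ace:
    action: str
    src_net: str
    src_wild: str
    dst_net: str
    dst_wild: str
    dport: Optional[int]      # 'eq N' after the destination address: destination port only
    established: bool         # matches ACK or RST set; no connection state is kept

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = field(default_factory=frozenset)

def parse_acl(lines):
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line}")
        action, s, sw, d, dw, port, est = m.groups()
        aces.append(Ace(action, s, sw, d, dw, int(port) if port else None, est is not None))
    return aces

def wildcard_match(addr, net, wild):
    """Cisco wildcard: bits set to 1 in the mask are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return a & care == n & care

def ace_matches(ace, pkt):
    if not wildcard_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    if ace.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(aces, pkt):
    """First matching ACE wins; anything unmatched hits the implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

VLAN2_NET = ipaddress.ip_network("1.1.1.0/24")

def egress_vlan2(pkt):
    # 'ip access-group 101 out' on Vlan2 only filters packets leaving toward 1.1.1.0/24.
    return ipaddress.ip_address(pkt.dst) in VLAN2_NET

def simulate_handshake(acl_lines, client, server, server_port, client_port=40000):
    """Replay a TCP 3-way handshake through the outbound ACL on Vlan2.
    Returns (True, None) if it completes, else (False, reason)."""
    aces = parse_acl(acl_lines)
    segments = [
        ("SYN", Packet(client, server, client_port, server_port, frozenset({"SYN"}))),
        ("SYN/ACK", Packet(server, client, server_port, client_port, frozenset({"SYN", "ACK"}))),
        ("ACK", Packet(client, server, client_port, server_port, frozenset({"ACK"}))),
    ]
    for name, pkt in segments:
        if egress_vlan2(pkt) and evaluate(aces, pkt) == "deny":
            return False, (f"{name} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                           f"dropped by access-list 101 out on Vlan2")
    return True, None

if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("with established", ACL_WITH_ESTABLISHED)):
        for client, server in (("192.168.100.170", "1.1.1.2"), ("1.1.1.2", "192.168.100.170")):
            ok, why = simulate_handshake(acl, client, server, 135)
            print(f"[{label}] {client} -> {server}:135: {'OK' if ok else 'FAIL: ' + why}")
```

Running the model reproduces what the post observes: from 192.168.100.170 every segment leaving Vlan2 has destination port 135, so the second ACE permits it; from 1.1.1.2 the SYN/ACK coming back from 192.168.100.170:135 leaves Vlan2 with the client's ephemeral port as destination, matches neither `eq 135` line, and hits the implicit deny. The `established` ACE permits it because it checks only the ACK/RST flags. The same model shows the caveat: `established` is not state tracking, so it permits any ACK-bearing segment from 192.168.100.0/24 toward 1.1.1.0/24 regardless of whether a session exists; where that is too permissive, a stateful mechanism such as a reflexive ACL is the stricter choice.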



This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:09 GMT-3