From: Rik Guyler (rik@guyler.net)
Date: Thu Nov 02 2006 - 20:00:21 ART
I'm configuring a reflexive ACL on a 3750 and I'm having some problems
getting all traffic to be recognized by the reflection. The reflexive ACL
is applied inbound on a pair of internal L3 interfaces and the evaluate ACL
is applied inbound on an external L3 port-channel interface. I get some
hits in the reflexive ACL that gets created automatically but it won't
create entries for every session. If I apply both ACLs on the same
interface (the external port-channel interface) but in different directions
as the configuration guides specify, I don't get any matches.
I'm thinking this might be a bug but I've also considered the possibility
that the problem is trying to do this on a port-channel interface. Anybody
have any experience with this?
Here's the config:
! Outside link: only the "inbound" ACL is applied, inbound.
interface Port-channel1
 description outside network
 no switchport
 ip address 10.150.252.2 255.255.255.252
 ip access-group inbound in
!
! Inside links: the "outbound" ACL (which creates the reflected entries)
! is applied inbound, i.e. on traffic arriving from the inside hosts.
interface GigabitEthernet1/0/25
 description inside network
 no switchport
 ip address 10.150.252.6 255.255.255.252
 ip summary-address eigrp 1 10.150.0.0 255.255.0.0 5
 ip access-group outbound in
!
interface GigabitEthernet1/0/26
 description inside network
 no switchport
 ip address 10.150.252.10 255.255.255.252
 ip summary-address eigrp 1 10.150.0.0 255.255.0.0 5
 ip access-group outbound in
!
! Physical members of Port-channel1 (no L3 config of their own).
interface GigabitEthernet1/0/27
 description outside network
 no switchport
 no ip address
 channel-group 1 mode desirable
!
interface GigabitEthernet1/0/28
 description outside network
 no switchport
 no ip address
 channel-group 1 mode desirable
!
! Inbound from outside: routing protocol, ICMP, and whatever "evaluate"
! matches against the reflected entries; everything else hits the implicit deny.
ip access-list extended inbound
 permit ospf any any
 permit icmp any any
 evaluate tcptraffic
!
! Inbound from inside: every permitted TCP flow creates a temporary
! mirror entry in the reflexive list "tcptraffic".
ip access-list extended outbound
 permit tcp any any reflect tcptraffic
!
Thanks!
Rik
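For comparison, here is the layout the IOS reflexive ACL documentation describes: the reflecting ACL and the evaluating ACL both sit on the single external interface, in opposite directions. This is an added example, not configuration from Rik's post; the ACL names, the timeout value and the choice of EIGRP as the routing protocol on the outside link are assumptions (the posted interfaces carry EIGRP summaries, but the posted "inbound" ACL permits OSPF, so substitute whatever actually runs on that link). One caveat before trusting any of this on a 3750: the Catalyst 3750 software configuration guide lists reflexive ACLs among the router ACL features the switch does not support, because its ACLs are enforced in TCAM and cannot track sessions, so the behaviour below is what a software-forwarding IOS router does; check the "Unsupported Features" list for the installed release.

```cisco
! Added example (not from the original post). Names, timeout and the
! EIGRP permits are assumptions for illustration.
!
! Reflected entries expire after this many seconds of inactivity (default 300).
ip reflexive-list timeout 120
!
! Applied OUTBOUND on the outside interface: each permitted TCP flow leaving
! toward the outside creates a temporary mirror entry (src/dst and ports
! swapped) in the reflexive list "tcptraffic". Packets the switch itself
! originates (e.g. routing hellos) never traverse an outbound ACL, so they
! are not reflected; return traffic for them must be permitted explicitly.
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit icmp any any
 permit eigrp any any
!
! Applied INBOUND on the same outside interface: "evaluate" matches return
! packets against the mirrored entries. Anything not listed before the
! implicit deny is dropped, so the routing protocol on this link must be here.
ip access-list extended inboundfilters
 permit eigrp any any
 permit icmp any any
 evaluate tcptraffic
 deny ip any any log
!
interface Port-channel1
 description outside network
 no switchport
 ip address 10.150.252.2 255.255.255.252
 ip access-group outboundfilters out
 ip access-group inboundfilters in
!
! Verification (exec mode). The reflexive list should show one line per
! active session, with addresses swapped relative to the outgoing packet
! and a remaining timeout; hit counts on "inboundfilters" should grow on
! the evaluate line, not on the final deny.
!   show access-lists tcptraffic
!   show ip access-lists inboundfilters
!   show ip interface Port-channel1 | include access list
```

With this layout, a TCP session that is permitted out but never shows up in `show access-lists tcptraffic` points at the platform not reflecting in the forwarding path rather than at the ACL text itself; on a router that same check is the first thing to run when reflected entries are missing.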
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART