RE: Reflexive ACL on 3750 switch

From: Rik Guyler (rik@guyler.net)
Date: Fri Nov 03 2006 - 10:51:22 ART


Looks like I can answer my own question...

Even though all of the commands were available and taken for RACLs on the
3750 and it did build a dynamic list for traffic to the switch, it appears
that RACLs are not supported on the 3750. At least I can't find anything
that says it does but then again, I didn't find anything that said it
doesn't. Either way, it looks like it's not going to work.

I'm not real keen on the fact that they just kept the commands in there for
unsupported features. Must have gone cheap on the proofreading of the new
code when the 3750s came out. ;-)

Rik

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Rik Guyler
Sent: Thursday, November 02, 2006 6:00 PM
To: ccielab@groupstudy.com
Subject: Reflexive ACL on 3750 switch

I'm configuring a reflexive ACL on a 3750 and I'm having some problems
getting all traffic to be recognized by the reflection. The reflexive ACL
is applied inbound on a pair of internal L3 interfaces and the evaluate ACL
is applied inbound on an external L3 port-channel interface. I get some
hits in the reflexive ACL that gets created automatically but it won't
create entries for every session. If I apply both ACLs on the same
interface (the external port-channel interface) but in different directions
as the configuration guides specify, I don't get any matches.

I'm thinking this might be a bug but I've also considered the possibility
that the problem is trying to do this on a port-channel interface. Anybody
have any experience with this?

Here's the config:

interface Port-channel1
 description outside network
 no switchport
 ip address 10.150.252.2 255.255.255.252
 ip access-group inbound in

interface GigabitEthernet1/0/25
 description inside network
 no switchport
 ip address 10.150.252.6 255.255.255.252
 ip summary-address eigrp 1 10.150.0.0 255.255.0.0 5
 ip access-group outbound in
!
interface GigabitEthernet1/0/26
 description inside network
 no switchport
 ip address 10.150.252.10 255.255.255.252
 ip summary-address eigrp 1 10.150.0.0 255.255.0.0 5
 ip access-group outbound in
!
interface GigabitEthernet1/0/27
 description outside network
 no switchport
 no ip address
 channel-group 1 mode desirable
!
interface GigabitEthernet1/0/28
 description outside network
 no switchport
 no ip address
 channel-group 1 mode desirable

ip access-list extended inbound
 permit ospf any any
 permit icmp any any
 evaluate tcptraffic

ip access-list extended outbound
 permit tcp any any reflect tcptraffic

Thanks!

Rik
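For readers following the thread, here is an added example (not part of the original posts) that models what the reflect/evaluate pair in the config above is supposed to do: outbound TCP from the inside interfaces creates a mirrored temporary entry, and the evaluate line on the outside port-channel only admits packets matching such an entry. Addresses are constructed, and the model only implements the idle timeout (Cisco's default of 300 seconds), not FIN/RST-based teardown.

```python
# Added example: a minimal model of Cisco reflexive ACL semantics using the
# ACL names from the posted config. Hosts/addresses are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ReflexiveList:
    """Temporary entries created by 'reflect' and consulted by 'evaluate'."""
    def __init__(self, timeout=300):          # Cisco default timeout (s)
        self.timeout = timeout
        self.entries = {}                     # mirrored 5-tuple -> expiry

    def reflect(self, pkt, now):
        # The entry mirrors the outgoing packet so only the reply path matches.
        mirror = Pkt(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = now + self.timeout

    def evaluate(self, pkt, now):
        # Drop expired entries, then check for an exact match.
        self.entries = {f: t for f, t in self.entries.items() if t > now}
        return pkt in self.entries

def acl_outbound(pkt, racl, now):
    # ip access-list extended outbound: permit tcp any any reflect tcptraffic
    if pkt.proto == "tcp":
        racl.reflect(pkt, now)
        return True
    return False                              # implicit deny

def acl_inbound(pkt, racl, now):
    # permit ospf any any / permit icmp any any / evaluate tcptraffic
    if pkt.proto in ("ospf", "icmp"):
        return True
    return racl.evaluate(pkt, now)            # implicit deny if no entry

def run_scenario():
    racl = ReflexiveList()
    inside, outside = "10.150.1.10", "198.51.100.5"   # constructed hosts
    out = Pkt("tcp", inside, 40000, outside, 443)     # session from inside
    back = Pkt("tcp", outside, 443, inside, 40000)    # its reply
    probe = Pkt("tcp", outside, 5555, inside, 22)     # unsolicited inbound
    return {
        "session_out": acl_outbound(out, racl, now=0),
        "reply_in": acl_inbound(back, racl, now=1),
        "unsolicited_in": acl_inbound(probe, racl, now=1),
        "icmp_in": acl_inbound(Pkt("icmp", outside, 0, inside, 0), racl, 1),
        "reply_after_timeout": acl_inbound(back, racl, now=301),
    }
```

If the real switch does not build the mirrored entry for a given session, the reply is dropped by the implicit deny, which matches the symptom described in the thread.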



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART