I have a problem with an access-list on a Catalyst 3750 running 12.2(35)SE5.
The problem is that implicitly denied packets are not dropped but permitted.
The configured access-list statements are as follows:
ip address 172.29.175.1 255.255.255.0
ip access-group TESTACL in
ip access-list extended TESTACL
permit ip any 172.29.172.0 0.0.0.255
permit ip any 172.29.174.0 0.0.0.255
permit ip any 172.29.175.0 0.0.0.255
permit ip any 220.127.116.11 0.0.0.255
permit ip any 172.29.173.0 0.0.0.255
permit ip any 18.104.22.168 0.0.0.255
permit ip any 22.214.171.124 0.0.0.255
permit ip any 126.96.36.199 0.0.0.255
permit ip any 188.8.131.52 0.0.0.255
permit ip any 184.108.40.206 0.0.0.255
permit ip any 220.127.116.11 0.0.0.255
permit ip any 18.104.22.168 0.0.3.255
In this configuration, PCs connected to Vlan 135 send pings to a server on another Vlan.
The results of the pings are as follows:
Case 1: ping from a PC on Vlan 135 to another Vlan
From 172.29.175.84 to 22.214.171.124
The ping is denied and the result is "unreachable".
This is normal behavior; in other words, the access-list works correctly.
Case 2: ping from a PC on Vlan 135 to another Vlan
From 172.29.175.116 to 126.96.36.199
The ping is permitted and the result is OK.
This is abnormal behavior; in other words, the access-list works incorrectly.
I understand that IOS applies an "implicit deny all" at the end of the ACL, so I do not need to configure it explicitly as "deny ip any any".
Do you have any idea how to resolve this symptom?
Might this symptom be caused by a TCAM problem? If so, could you please let me know useful commands for further investigation?
Your information would be appreciated.
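To reason about what an extended ACL like TESTACL should do before suspecting the platform, it helps to evaluate it the way IOS defines it: entries are checked top-down, a wildcard mask marks the bits that are ignored (0 = must match, 1 = don't care), and a packet that matches no entry hits the implicit deny. The following evaluator is an added example written for this thread, not code from the original post or from Cisco; it handles only the `permit`/`deny ip <src> <dst>` form used in TESTACL (with `any`, `host` and address/wildcard targets), and the sample ACL embeds four destination networks from the post plus one constructed `0.0.3.255` entry (10.20.0.0) to show a wider wildcard. It states what the configured ACL should do in software; whether the switch's hardware forwarding agrees is exactly the question the post raises.

```python
import ipaddress
from typing import List, Optional, Tuple

# A target is (address, wildcard) as 32-bit integers. "any" is (0, all-ones).
Target = Tuple[int, int]
Entry = Tuple[str, str, Target, Target]  # (action, protocol, src, dst)

ANY: Target = (0, 0xFFFFFFFF)


def _parse_target(parts: List[str], idx: int) -> Tuple[Target, int]:
    """Parse one source/destination target starting at parts[idx]."""
    tok = parts[idx]
    if tok == "any":
        return ANY, idx + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(parts[idx + 1])), 0), idx + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(parts[idx + 1]))
    return (addr, wildcard), idx + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'permit|deny ip <src> <dst>' lines; other lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue
        action, proto = parts[0], parts[1]
        src, idx = _parse_target(parts, 2)
        dst, _ = _parse_target(parts, idx)
        entries.append((action, proto, src, dst))
    return entries


def matches(target: Target, ip: str) -> bool:
    """IOS wildcard semantics: compare only the bits where the wildcard is 0."""
    addr, wildcard = target
    mask = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)


def evaluate(entries: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); (deny, None) is the implicit deny."""
    for number, (action, proto, s, d) in enumerate(entries, start=1):
        if proto != "ip":  # this toy evaluator only models 'ip' entries
            continue
        if matches(s, src) and matches(d, dst):
            return action, number
    return "deny", None


# Constructed sample ACL modeled on TESTACL: the first four destination
# networks appear in the post; the 10.20.0.0 0.0.3.255 entry is constructed.
SAMPLE_ACL = """
ip access-list extended TESTACL
 permit ip any 172.29.172.0 0.0.0.255
 permit ip any 172.29.173.0 0.0.0.255
 permit ip any 172.29.174.0 0.0.0.255
 permit ip any 172.29.175.0 0.0.0.255
 permit ip any 10.20.0.0 0.0.3.255
"""

ENTRIES = parse_acl(SAMPLE_ACL)


def explain(src: str, dst: str) -> str:
    """Human-readable verdict for one packet against SAMPLE_ACL."""
    action, number = evaluate(ENTRIES, src, dst)
    where = f"entry {number}" if number else "implicit deny at end of ACL"
    return f"{src} -> {dst}: {action} ({where})"


if __name__ == "__main__":
    for s, d in [("172.29.175.84", "172.29.173.9"),
                 ("172.29.175.84", "172.29.176.9"),
                 ("172.29.175.116", "10.20.2.7"),
                 ("172.29.175.116", "10.20.4.1")]:
        print(explain(s, d))
```

Running it prints a permit for destinations inside a listed network and a deny, attributed to the implicit deny, for anything else; a destination that this evaluator denies but the switch forwards is the mismatch worth taking to the platform's hardware ACL counters and TCAM diagnostics.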