telnet is not working in both core switches when ACL applied

Unanswered Question
Jun 9th, 2012

Hi

I have seen a strange issue; if anyone has the answer ...

Problem Description:

We have two core switches in our network and a number of VLANs are created. Till now no ACL has been applied on the interface VLAN, and I am doing a telnet to one of the servers at some other remote location like...

telnet 172.43.16.2 3389 source-interface vlan 10

I am able to do the telnet from both core switches when the ACL is not applied on vlan 10 or some other VLAN; however the same is not working as soon as I apply the ACL on vlan 10. I am able to do the telnet only from one of the core switches, irrespective of HSRP state and STP priority.

However, telnet is working from the other switch when I shut the interface VLAN on the switch where telnet was working. Operationally there is no issue with the network.

I have tried with a number of core switches at other locations, including Nexus, and with a number of servers/ports/VLANs I am experiencing the same result. Is this the expected behaviour?

gupta.puneet Sat, 06/09/2012 - 11:35

Hi Natrajan

I can share the configuration, but that configuration file is very large. Just to correct myself: everything is working fine at the end user, but I am seeing a strange issue at the core switch console. When I apply the ACL on any interface VLAN and try to telnet any server with any specific port, I am able to do that with one core switch only, and from the other it is not happening.

We have many sites and tested with 6509 and Nexus core switches and are finding the same result, so I don't think it is related to a hardware or configuration issue. For example, we are using it in this fashion and applying the ACL on VLANs.

ip access-list extended WiFi
deny   tcp 172.19.116.0 0.0.0.255 172.19.109.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.24.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.19.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.17.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.27.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.22.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.16.65.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.16.70.0 0.0.0.255 eq 3389
permit ip 172.19.116.0 0.0.0.255 172.19.116.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 host 172.26.1.29
permit ip 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255

and if I try to telnet any server from the core switch console, like

telnet 172.18.2.131 3389 source-interface vlan 10

telnet is happening only from one core switch, not from the other, irrespective of HSRP state and STP.
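When a telnet sourced from an SVI fails only after an ACL is applied, the first thing to check is which line of the ACL that flow actually hits, remembering that a Cisco extended ACL is evaluated top-down, first match wins, and anything that matches no line falls to the implicit deny at the end. The following is an added example, not code from this thread or from Cisco: a small evaluator for the posted WiFi ACL that reports the matching line for a given flow. The ACL text is copied from the reply above; the source addresses used in the checks (172.19.116.10 and 10.0.0.1) are constructed for illustration, since the thread does not say which address vlan 10 carries.

```python
import ipaddress

# The "WiFi" extended ACL exactly as posted in the thread (line numbers are 1-based
# in the order written; IOS would show them as sequence numbers 10, 20, ...).
ACL_WIFI = """
deny   tcp 172.19.116.0 0.0.0.255 172.19.109.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.24.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.19.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.17.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.27.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.22.2.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.16.65.0 0.0.0.255 eq 3389
deny   tcp 172.19.116.0 0.0.0.255 172.16.70.0 0.0.0.255 eq 3389
permit ip 172.19.116.0 0.0.0.255 172.19.116.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 host 172.26.1.29
permit ip 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host X' or 'X WILDCARD'.
    Returns ((base, wildcard), next_index). Wildcard bits set to 1 are ignored,
    which also handles non-contiguous wildcard masks correctly."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq N' after an address spec; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Turn the ACL text into a list of dict entries, in order."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        t = line.split()
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_port(t, i)[1] and None or _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append({"action": t[0], "proto": t[1], "src": src,
                        "sport": sport, "dst": dst, "dport": dport})
    return entries


def _addr_match(spec, ip):
    base, wild = spec
    return (_ip(ip) | wild) == (base | wild)


def evaluate(entries, proto, src_ip, dst_ip, dport, sport=None):
    """Return (action, line_no) for the first matching entry, or
    ('deny', 'implicit') when nothing matches, as IOS does."""
    for n, e in enumerate(entries, start=1):
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not _addr_match(e["src"], src_ip) or not _addr_match(e["dst"], dst_ip):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], n
    return "deny", "implicit"


def check_flow(proto, src_ip, dst_ip, dport):
    """Evaluate one flow against the posted WiFi ACL."""
    return evaluate(parse_acl(ACL_WIFI), proto, src_ip, dst_ip, dport)


if __name__ == "__main__":
    # Constructed sources: one inside 172.19.116.0/24, one outside it.
    for flow in [("tcp", "172.19.116.10", "172.18.2.131", 3389),
                 ("tcp", "172.19.116.10", "172.18.2.131", 22),
                 ("tcp", "10.0.0.1", "172.18.2.131", 3389)]:
        print(flow, "->", check_flow(*flow))
```

Running it shows that a source inside 172.19.116.0/24 going to 172.18.2.131 on 3389 is stopped by line 3 of the list, the same source to port 22 is allowed by line 13, and any source outside 172.19.116.0/24 matches no line at all and hits the implicit deny. So when comparing the two core switches, the address each one sources the telnet from (shown by `show ip interface vlan 10`) and which ACL line it lands on is the concrete thing to compare, rather than HSRP or STP state.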
