06-09-2012 09:28 AM - edited 03-07-2019 07:09 AM
Hi
I have seen a strange issue; perhaps someone has the answer.
Problem Description:
We have two core switches in our network and a number of VLANs are created. Till now no ACL has been applied on the interface VLAN, and I am doing a telnet to one of the servers at some other remote location, like...
telnet 172.43.16.2 3389 source-interface vlan 10
I am able to do the telnet from both core switches when the ACL is not applied on VLAN 10 or some other VLAN; however, the same is not working as soon as I apply the ACL on VLAN 10. I am able to telnet only from one of the core switches, irrespective of HSRP state and STP priority.
However, telnet is working from the other switch when I shut the interface VLAN on the switch where telnet was working. Operationally there is no issue with the network.
I have tried with a number of core switches at other locations, including Nexus, and with a number of servers/ports/VLANs I am experiencing the same result. Is this the expected behaviour?
06-09-2012 10:48 AM
Can you paste the configs of the switches?
06-09-2012 11:35 AM
Hi Natrajan
I can share the configuration, but that configuration file is very large. Just to correct myself: everything is working fine at the end user, but I am seeing a strange issue at the core switches' console. When I apply the ACL on any interface VLAN and try to telnet to any server on any specific port, I am able to do that with one core switch only, and from the other it is not happening.
We have many sites and have tested with 6509 and Nexus core switches and are finding the same result, so I don't think it is related to a hardware or configuration issue. For example, we are using the ACL in this fashion and applying it on VLANs.
ip access-list extended WiFi
deny tcp 172.19.116.0 0.0.0.255 172.19.109.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.24.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.19.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.17.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.27.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.22.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.16.65.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.16.70.0 0.0.0.255 eq 3389
permit ip 172.19.116.0 0.0.0.255 172.19.116.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 host 172.26.1.29
permit ip 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255
and if I try to telnet to any server from the core switch console, like
telnet 172.18.2.131 3389 source-interface vlan 10
telnet is happening only from one core switch and not from the other, irrespective of HSRP state and STP.
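To see what the posted ACL itself does to the flows in this test, here is an added Python evaluator (not part of the thread and not Cisco code) that applies the ACL text quoted above with IOS extended-ACL semantics: entries are checked top-down, the first match wins, `eq N` after the destination is a destination port, and anything unmatched hits the implicit deny at the end. The thread never states the VLAN 10 addressing, so the flows assume the switch sources its telnet from 172.19.116.0/24 (the subnet the WiFi ACL is written for); the flows, the return packet and the non-contiguous wildcard used in the test are constructed.

```python
"""Evaluate constructed flows against the extended ACL quoted in the post.

Added example: the ACL body is copied from the thread; the source subnet
of VLAN 10 (172.19.116.0/24) and every flow below are assumptions.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Copied verbatim from the post.
ACL_WIFI = """
deny tcp 172.19.116.0 0.0.0.255 172.19.109.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.24.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.19.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.17.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.27.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.28.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.22.2.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.16.65.0 0.0.0.255 eq 3389
deny tcp 172.19.116.0 0.0.0.255 172.16.70.0 0.0.0.255 eq 3389
permit ip 172.19.116.0 0.0.0.255 172.19.116.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 172.18.2.0 0.0.0.255
permit ip 172.19.116.0 0.0.0.255 host 172.26.1.29
permit ip 172.19.116.0 0.0.0.255 172.16.2.0 0.0.0.255
"""


class Flow(NamedTuple):
    proto: str             # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


class Entry(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol
    src: Tuple[int, int]   # (base address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]   # destination port from "eq N", if present
    text: str


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Parse 'action proto SRC DST [eq PORT]' lines into Entry records."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append(Entry(action, proto, src, dst, dport, line.strip()))
    return entries


def _addr_matches(spec: Tuple[int, int], ip: str) -> bool:
    # Cisco wildcard semantics: a 1 bit in the mask means "don't care",
    # so only the bits where the mask is 0 must equal the base address.
    base, wildcard = spec
    diff = int(ipaddress.IPv4Address(ip)) ^ base
    care = ~wildcard & 0xFFFFFFFF
    return (diff & care) == 0


def evaluate(entries: List[Entry], flow: Flow) -> Tuple[str, str]:
    """Top-down, first match wins; an unmatched flow hits the implicit deny."""
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not (_addr_matches(e.src, flow.src) and _addr_matches(e.dst, flow.dst)):
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_WIFI)
    # Assumed flows: the post's telnet test to 172.18.2.131 port 3389, the
    # same host on another port, a host-permitted target, and the return
    # packet from the server back to the assumed VLAN 10 address.
    for f in (Flow("tcp", "172.19.116.10", "172.18.2.131", 3389),
              Flow("tcp", "172.19.116.10", "172.18.2.131", 22),
              Flow("tcp", "172.19.116.10", "172.26.1.29", 3389),
              Flow("tcp", "172.18.2.131", "172.19.116.10", 49152)):
        print(f, "->", evaluate(acl, f))
```

Two things the evaluator makes explicit: if the telnet really is sourced from 172.19.116.0/24, the test flow to 172.18.2.131 port 3389 is matched by the third deny line of the ACL, while the same host on port 22 is permitted by the `permit ip ... 172.18.2.0 0.0.0.255` entry; and the server's return packet matches no entry at all, so it lands on the implicit deny. Whether either of those applies to the switch's own telnet depends on the direction the ACL is applied in and on the VLAN 10 addressing, neither of which the thread states.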