I have a 3660 at the central office and a 1750 at a branch office. These two are connected by a leased line with ISDN back-up. 1750 is configured to dial-in to the central office(3660)when the leased line goes down(backup interface bri configured on the serial interface). I have a dialer list pointing to an access list. The configuration is:
access-list 101 deny icmp any host x.x.x.x
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any range 16384 32767
access-list 101 deny tcp any any eq 1720
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101.
x.x.x.x is a server running HP Openview to monitor the link status.
The problem is that the remote router dials in the moment leased line goes down. Sh dialer on the remote router shows the dial reason as d=x.x.x.x(HP Openview server address) and a debug ip packet detail shows only ICMP type 11, Code 0 and occasionally udp port 161 packets. Idle time-out timer gets reset continously even though I have explicitly put an access list to isolate these traffic types as NOT interesting.
IOS version on 1750 is 12.1(5) and 3660 has 12.1(3a).
what about "access-list 101 deny ip host x.x.x.x any"
This will deny all ip from host x.x.x.x. Obviously this host is generating traffic that is bringing up the line. Remember that once the line is up all traffic will flow so if openview needs to access anything on the other side of the BRI0 link it will be able to. Also "debug ip packet 101" will tell you what packets matches access list 101(and causes dialing). Also you may need to use:
access-list 101 deny tcp any any eq 161 log
access-list 101 deny tcp any any eq 162 log
access-list 101 deny udp any any eq snmp log
access-list 101 deny udp any any eq snmptrap log
The debug ip packet 101 will tell you whats going on. My guess would be that something such as HP Openview polling or discovery is getting through your lists and making it to "access-list 101 permit ip any any" causing the dial and then the reset of the idle timer. HTH
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...