New Member

Trouble with ACLs with 2921 router running 15.2

I swapped out a 2811 router running 12.2 for a 2921 running 15.2. I copied the config from the 2811 to the 2921, and all the interface and ACL commands ported over just fine. However, the outbound ACL doesn't seem to actually work properly, as nothing can communicate through the interface unless I remove the ACL. There does not seem to be any easily findable documentation on creating ACLs for 2921s running 15.2.

Even this ACL:

interface GigabitEthernet0/2
 description L3-ITS-P-EUC-BURNHAM
 ip address 10.75.145.129 255.255.255.192
 ip access-group ITS-P-EUC-BURNHAM-IN in
 ip access-group ITS-P-EUC-BURNHAM-OUT out

Extended IP access list ITS-P-EUC-BURNHAM-OUT
    10 permit ip any any log

results in dropped packets:

localhost:~ jabedan$ ping 10.75.145.130
PING 10.75.145.130 (10.75.145.130): 56 data bytes
36 bytes from s-burnham.r-burnham.umnet.umich.edu (207.75.152.74): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a40a   0 0000  3b  01 063e 35.2.22.146  10.75.145.130

Remove the ACL and full communication resumes.

r-BURNHAM(config)#int g0/2
r-BURNHAM(config-if)#no ip access-group ITS-P-EUC-BURNHAM-OUT out
r-BURNHAM(config-if)#^Z

localhost:~ jabedan$ ping 10.75.145.130
PING 10.75.145.130 (10.75.145.130): 56 data bytes
64 bytes from 10.75.145.130: icmp_seq=0 ttl=250 time=145.823 ms
64 bytes from 10.75.145.130: icmp_seq=1 ttl=250 time=7.634 ms
64 bytes from 10.75.145.130: icmp_seq=2 ttl=250 time=7.687 ms

Does anyone know the differences in ACLs and ACL application between these two platforms/software versions?
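The first thing to establish in a case like the one above is whether the ACL that is attached to the interface is counting any hits at all. IOS appends "(N matches)" to an entry in "show access-lists" once its counter is non-zero, so a permit ip any any that shows no suffix while traffic is known to be crossing the interface means packets are being dropped without ever matching a line. The script below is an added example (not code from the thread or from Cisco) that parses saved "show running-config" and "show access-lists" output, lists every interface/direction an ACL is applied to, and reports the hit totals. The two sample outputs are constructed to mirror the configuration quoted in the post; the IN list's entries and counters are invented for illustration.

```python
"""Audit which IOS ACLs are attached to interfaces and whether any of their
entries are actually matching traffic, from saved `show running-config` and
`show access-lists` output.

Added example; not code from the thread. The two sample outputs below are
constructed to mirror the configuration quoted in the post and are not real
device output."""
import re
from dataclasses import dataclass, field

# Constructed sample of `show running-config` interface stanzas.
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 ip address 207.75.152.74 255.255.255.252
!
interface GigabitEthernet0/2
 description L3-ITS-P-EUC-BURNHAM
 ip address 10.75.145.129 255.255.255.192
 ip access-group ITS-P-EUC-BURNHAM-IN in
 ip access-group ITS-P-EUC-BURNHAM-OUT out
!
"""

# Constructed sample of `show access-lists`. IOS appends "(N matches)" to an
# entry once its counter is non-zero; an entry that has never matched has no
# suffix. The IN list's entries and counters are invented for illustration.
SHOW_ACCESS_LISTS = """\
Extended IP access list ITS-P-EUC-BURNHAM-IN
    10 permit ip 10.75.145.128 0.0.0.63 any (4821 matches)
    20 deny ip any any log (17 matches)
Extended IP access list ITS-P-EUC-BURNHAM-OUT
    10 permit ip any any log
"""

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ACL_ENTRY = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches\))?\s*$")
INTERFACE = re.compile(r"^interface (\S+)")
ACCESS_GROUP = re.compile(r"^\s+ip access-group (\S+) (in|out)\b")


@dataclass
class AclEntry:
    seq: int
    action: str
    body: str
    matches: int


@dataclass
class Acl:
    name: str
    entries: list = field(default_factory=list)


def parse_access_lists(text):
    """Map ACL name -> Acl with per-entry match counters."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = acls.setdefault(m.group(1), Acl(m.group(1)))
            continue
        m = ACL_ENTRY.match(line)
        if m and current is not None:
            seq, action, body, matches = m.groups()
            current.entries.append(
                AclEntry(int(seq), action, body, int(matches or 0)))
    return acls


def parse_access_groups(config):
    """List (interface, acl_name, direction) for every ip access-group line."""
    groups, iface = [], None
    for line in config.splitlines():
        m = INTERFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ACCESS_GROUP.match(line)
        if m and iface is not None:
            groups.append((iface, m.group(1), m.group(2)))
    return groups


def audit(config, acl_text):
    """One (interface, direction, acl, verdict) per applied ACL.

    'no entry has matched' on an ACL attached to an interface that is carrying
    traffic is the symptom in the post: packets are dropped without any line,
    not even a permit ip any any, ever counting a hit."""
    acls = parse_access_lists(acl_text)
    findings = []
    for iface, name, direction in parse_access_groups(config):
        acl = acls.get(name)
        if acl is None:
            verdict = "referenced ACL is not defined"
        else:
            total = sum(e.matches for e in acl.entries)
            verdict = f"{total} matches" if total else "no entry has matched"
        findings.append((iface, direction, name, verdict))
    return findings


if __name__ == "__main__":
    for iface, direction, name, verdict in audit(RUNNING_CONFIG, SHOW_ACCESS_LISTS):
        print(f"{iface} {direction:<3} {name}: {verdict}")
```

Run it against captures from the real device (for example the output of "show running-config | section interface" and "show access-lists") rather than the constructed samples; an outbound list whose only line is permit ip any any and whose counter stays at zero while the far side reports "Communication prohibited by filter" is exactly the condition worth escalating, because the ACL logic itself cannot explain the drops.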

Accepted Solution
Hall of Fame Super Blue


Jim

I don't think it's the platform, I think it's the IOS. For example, from the 15.2(1)T release notes:

CSCtt19027

Symptoms: When ACL is applied to the serial interface or Gigabit interface, ping failure seen even though the permit statement is there.

Conditions: The symptom is observed when ACL is configured on the serial interface or Gigabit interface.

Workaround: Enable EPM by installing the security license.

Further Problem Description: This is seen with those images where EPM is not supported and because of that an EPM call always gives a return value as "deny" due to registry call

full bug details can be found here if you have access -

https://tools.cisco.com/bugsearch/bug/CSCtt19027

Jon

Purple


Hi,

Did you try without the log keyword ?

Regards

Alain

Don't forget to rate helpful posts.
New Member


Yes, I started out without the log keyword. I tried it to see if I could learn anything, but nothing is logged per show log. I have since removed it.

New Member


Jon, although I am currently testing just with ping, when I first tried the 2921, a lot more than ping was not passing until I removed the ACL. This looks very promising; I'm going to upgrade and go from there. I'll post the results, though it may be a few days as I need to schedule the outage. Thanks for the reply, Jim

New Member


Upgrading to 15.2(4)M5 (Cisco's preferred release in the 15.2 train for stability) fixed the problem. ACLs now apply properly and block what they should be blocking.
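When one router has been confirmed fixed by a release upgrade, the follow-up question is which other devices in the fleet are still on an earlier image. IOS version strings such as 15.2(1)T and 15.2(4)M5 carry a major.minor(release), a feature train letter and an optional rebuild number, and only versions within the same train are directly comparable by number. The script below is an added example (not from the thread or from Cisco) that pulls the version out of the first line of "show version" and compares it with the 15.2(4)M5 release reported above. The sample "show version" lines are constructed, and the rule that a device counts as at or after the fix only when it runs the same train at the same or a later release/rebuild is an assumption of this example, not something the page states; a device on a different train, such as 15.2(1)T, is reported as not comparable.

```python
"""Parse the version string from Cisco IOS `show version` output and check it
against a fix release.

Added example, not from the thread. The `show version` lines are constructed.
Assumption (not stated on the page): a device is at or after the fix only when
it runs the same feature train as the fix release at the same or a later
(release, rebuild); a different train cannot be judged by number alone."""
import re

# "Version 15.2(4)M5" -> major.minor(release)train rebuild
VERSION_RE = re.compile(r"\bVersion (\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")

# Constructed samples of the first line of `show version` on three devices.
SAMPLE_SHOW_VERSION = [
    "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(1)T, RELEASE SOFTWARE (fc1)",
    "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc1)",
    "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)",
]

# Release the thread reports as fixing the ACL problem.
FIX_RELEASE = "Version 15.2(4)M5"


def parse_ios_version(text):
    """Return (major, minor, release, train, rebuild); rebuild is 0 when absent."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no IOS version string in: {text!r}")
    major, minor, release, train, rebuild = m.groups()
    return (int(major), int(minor), int(release), train, int(rebuild or 0))


def has_fix(version, fix):
    """True/False when both are in the fix's train, None when the train differs."""
    if version[3] != fix[3]:
        return None

    def key(v):
        # Compare major, minor, release and rebuild; the train is already equal.
        return (v[0], v[1], v[2], v[4])

    return key(version) >= key(fix)


def classify(show_version_lines, fix_release=FIX_RELEASE):
    """Map each device's version tuple to a verdict relative to the fix release."""
    fix = parse_ios_version(fix_release)
    labels = {True: "at or after fix", False: "before fix", None: "different train"}
    return {parse_ios_version(line): labels[has_fix(parse_ios_version(line), fix)]
            for line in show_version_lines}


if __name__ == "__main__":
    for version, verdict in classify(SAMPLE_SHOW_VERSION).items():
        major, minor, release, train, rebuild = version
        print(f"{major}.{minor}({release}){train}{rebuild or ''}: {verdict}")
```

Feed it the first line of "show version" collected from each router; anything reported as "different train" needs a separate check against the release notes for that train rather than a numeric comparison.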

Hall of Fame Super Blue


Jim

Thanks for letting us know the solution as it may well help others with the same problem.

Jon
