04-06-2018 08:26 AM - edited 03-08-2019 02:33 PM
Hi,
I have an L3 core switch with 5 VLANs configured, in VTP server mode,
and there are 5 access switches connected to the core in VTP client mode.
vlan 10 - 192.168.10.0/24 - management
vlan 20 - 192.168.20.0/24 - server
vlan 30 - 192.168.30.0/24 - data
vlan 40 - 192.168.40.0/24 - printer, other
vlan 50 - 192.168.50.0/24 - voice
All access switches are configured with management VLAN 10 (192.168.10.x).
Here the requirement is: if anyone telnets to these mgmt IPs, it should be blocked except for a few IPs, and this shall happen at the core switch level; I don't want to apply the ACL under vty on every access switch.
So the ACL is configured as below:
ip access-list extended FEW
5 permit ip 192.168.20.0 0.0.0.31 192.168.10.0 0.0.0.255
10 permit ip host 192.168.30.10 192.168.10.0 0.0.0.255
int vlan 10
ip add 192.168.10.1 255.255.255.0
ip access-group FEW out
---------------------------
But I am not getting the required result; all the IPs mentioned above are able to telnet?? So what is the reason?? How to solve it?? Thanks in advance.
04-06-2018 09:14 AM
What type of switch is the core and is the management VLAN the only IP interface on the access switches?
Thanks
04-06-2018 09:26 AM
Hi,
It's a 4500. Yes, the access switches are configured with only one IP, under VLAN 10.
Thanks
04-06-2018 09:28 AM
What type of supervisor and version of code?
04-06-2018 09:30 AM
Hi, thanks...
It's the 8L-E sup; not sure about the version.
Is there any issue with the ACL? Or do you think it's a bug issue?
04-06-2018 09:45 AM
I don't see a problem with the ACL so I wouldn't rule out the possibility of a bug.
How about adding deny any any to the end of the ACL, perhaps with the log extension, just to see what that does.
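As an added illustration (not configuration from the original poster or the replier) of the logged explicit deny suggested above, applied to the thread's own addressing: the ACL is narrowed to telnet/SSH toward the VLAN 10 management range, every other attempt is denied and logged, and the remaining traffic (ping, SNMP, syslog, NTP) still passes. The interface and sequence numbers beyond those in the thread are assumptions.

```cisco
! Added example; not the original thread's configuration.
! Permit management access only from the allowed sources, log every
! other telnet/SSH attempt toward the access-switch management IPs,
! and let all other traffic through so the VLAN keeps working.
ip access-list extended FEW
 remark allowed management stations -> access-switch mgmt IPs (VLAN 10)
 10 permit tcp 192.168.20.0 0.0.0.31 192.168.10.0 0.0.0.255 eq 23
 20 permit tcp 192.168.20.0 0.0.0.31 192.168.10.0 0.0.0.255 eq 22
 30 permit tcp host 192.168.30.10 192.168.10.0 0.0.0.255 eq 23
 40 permit tcp host 192.168.30.10 192.168.10.0 0.0.0.255 eq 22
 remark block and log every other telnet/SSH attempt (log is for troubleshooting only)
 50 deny tcp any 192.168.10.0 0.0.0.255 eq 23 log
 60 deny tcp any 192.168.10.0 0.0.0.255 eq 22 log
 remark everything else (ping, SNMP, syslog, NTP ...) still passes
 70 permit ip any any
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group FEW out
!
! Verification: per-line match counters (and syslog lines from 50/60)
! show whether the outbound ACL evaluates any traffic at all.
! Zero hits on every line means the sessions are not crossing this SVI
! outbound, e.g. the client already sits in VLAN 10 and is switched
! rather than routed, so an SVI ACL never sees it.
! show ip access-lists FEW
! show ip interface vlan 10 | include access list
```

Logged entries are punted to the CPU for the log message, so remove the log keyword once the hit pattern is understood.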
04-06-2018 09:49 AM
Is there any possibility, like an extra space in the named ACL, which leads to this issue?
I don't see any hits either.
04-06-2018 09:57 AM
Not likely, if the syntax is wrong it won't accept the command.
Thinking a bug or possibly something in the system architecture. A CCO Case may be in order.
I don't have any 8L-Es on my network but will be turning one up next week, so I'm curious and will be able to investigate further. Post the version of IOS if you can.