On Wed January 6 2010 19:02, Andy Saykao wrote:
> Hi All,
>
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
> from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
>  ip address 203.12.53.aaa 255.255.255.224
>  ip access-group VLAN2-FILTER-OUT out
>  no ip redirects
>  no ip mroute-cache
>  ip ospf priority 15
>  load-interval 30
>  tag-switching ip
> !
> ip access-list extended VLAN1-FILTER-OUT
>  permit ip host 203.10.110.x host 203.12.53.x
>  permit ip host 203.10.110.y host 203.12.53.x
>  permit ip host 203.10.110.z host 203.12.53.x
>  permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
>  permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
>  deny ip any host 203.12.53.x
>  permit ip any any
>
> Interestingly enough, when I "permit ip any" to access Host B as the very
> first line in the ACL, the SSH prompt is instantaneous.
>
>  permit ip any host 203.12.53.x log
>
> I even tried permitting Host A as the very first line in the ACL like so,
> but no joy.
>
>  permit ip host 210.15.210.x host 203.12.53.x log
>
> Any ideas???
>
> Thanks.
>
> Andy
Possibly a "typo", but your ACL says it is named VLAN1-FILTER-OUT (note VLAN1)
and you are applying an ACL named VLAN2-FILTER-OUT.

In your second try (permit ip host 210.15.210.x host 203.12.53.x log),
what did the log entries say??

--
Larry Smith
[email protected]

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
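A small config checker for the point Larry raises (an added example, not code from the thread or from Cisco): it parses an IOS fragment, flags every `ip access-group` that names an ACL not defined in the config, and evaluates first-match against a named ACL so you can see which entry a given source/destination pair would hit. The config and host addresses are constructed stand-ins for the masked ones in the post.

```python
import ipaddress
import re
# Constructed IOS fragment modelled on the post (masked hosts replaced with sample addresses).
CONFIG = """
interface Vlan2
 ip access-group VLAN2-FILTER-OUT out
ip access-list extended VLAN1-FILTER-OUT
 permit ip host 203.10.110.5 host 203.12.53.10
 permit ip 210.15.210.0 0.0.0.255 host 203.12.53.10
 deny ip any host 203.12.53.10 log
 permit ip any any
"""

def _take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    prefix_len = bin(~wildcard & 0xFFFFFFFF).count("1")  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tok}/{prefix_len}", strict=False)

def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net)]}, [(interface, acl_name, direction)])."""
    acls, refs, section = {}, [], (None, None)
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            section = ("iface", m.group(1))
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            section = ("acl", m.group(1))
            acls[m.group(1)] = []
        elif (m := re.match(r"ip access-group (\S+) (in|out)$", line)) and section[0] == "iface":
            refs.append((section[1], m.group(1), m.group(2)))
        elif (m := re.match(r"(permit|deny) ip (.+)$", line)) and section[0] == "acl":
            tokens = m.group(2).split()  # trailing keywords such as "log" are left unread
            acls[section[1]].append((m.group(1), _take_addr(tokens), _take_addr(tokens)))
    return acls, refs

def undefined_acl_refs(acls, refs):
    return [ref for ref in refs if ref[1] not in acls]  # the VLAN1/VLAN2 name slip shows up here

def first_match(acl, src, dst):
    """1-based index and action of the first entry matching src -> dst; (None, 'deny') is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, snet, dnet) in enumerate(acl, 1):
        if s in snet and d in dnet:
            return idx, action
    return None, "deny"
```

Run `undefined_acl_refs` over a saved `show running-config` before troubleshooting an ACL's behaviour; a reference to a name that nothing defines is the first thing to rule out.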
