From: gladston@br.ibm.com
Date: Wed Jul 27 2005 - 12:01:12 GMT-3
Would you believe this?
Vlan map is matching access-list 111.
This does not allow (wrongly) traceroute to 148.5.15.5
access-list 111 permit icmp any any
access-list 111 permit udp any any gt 34433
access-list 111 deny ip any any
R8#trace 148.5.15.5
Type escape sequence to abort.
Tracing the route to 148.5.15.5
1 * * *
2 * * *
3 * * *
Adding this makes it work:
access-list 111 permit udp any gt 34433 a
R8#trace 148.5.15.5
Type escape sequence to abort.
Tracing the route to 148.5.15.5
1 148.5.26.2 4 msec 4 msec 4 msec
2 148.5.235.5 4 msec * 4 msec
It does not make sense. What I can think is that IOS is not considering the source UDP valid, although it could be any value with the acl 'access-list 111 permit udp any any gt 34433'
Debug shows that traceroute is using a source port that should pass the command 'access-list 111 permit udp any any gt 34433':
*Mar 1 02:57:39: IP: s=148.5.26.100 (local), d=148.5.15.5 (Ethernet0), len 28, sending
*Mar 1 02:57:39: UDP src=38582, dst=33435 *
I should not be surprised by IOS results anymore.
Sometimes the only way to find a problem is trying things that assume IOS is not working right.
Version is C3550-I5Q3L2-M, 12.1(20)EA1a
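
An added example, not part of the original post: a minimal first-match evaluator for the ACL 111 lines above, run against the probe from the debug output (src=38582, dst=33435). In IOS extended ACL syntax a port operator written after the source matches the source port, and one written after the destination matches the destination port. The example assumes the truncated entry ends in `any` and sits above the deny line; the function names are hypothetical.

```python
# Constructed from the post: the original ACL 111, plus the added entry.
# The page truncates that entry after "gt 34433 a"; a trailing "any" is assumed.
ORIGINAL_ACL = [
    "access-list 111 permit icmp any any",
    "access-list 111 permit udp any any gt 34433",
    "access-list 111 deny ip any any",
]
ADDED_ENTRY = "access-list 111 permit udp any gt 34433 any"
# Assumption: the added entry is evaluated before the final deny.
FIXED_ACL = ORIGINAL_ACL[:2] + [ADDED_ENTRY] + ORIGINAL_ACL[2:]

# Probe taken from the debug output in the post.
PROBE = {"proto": "udp", "sport": 38582, "dport": 33435}

OPS = {"gt": lambda p, n: p > n, "lt": lambda p, n: p < n,
       "eq": lambda p, n: p == n, "neq": lambda p, n: p != n}

def parse(line):
    """Parse 'access-list N <action> <proto> any [op port] any [op port]'."""
    action, proto, *rest = line.split()[2:]
    sides = []
    for _ in range(2):                      # source side, then destination side
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are handled here")
        if rest and rest[0] in OPS:         # operator binds to the side it follows
            sides.append((rest.pop(0), int(rest.pop(0))))
        else:
            sides.append(None)
    return action, proto, sides[0], sides[1]

def port_ok(test, port):
    return test is None or OPS[test[0]](port, test[1])

def matches(entry, pkt):
    _, proto, src_test, dst_test = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if proto in ("udp", "tcp"):
        return port_ok(src_test, pkt["sport"]) and port_ok(dst_test, pkt["dport"])
    return True

def evaluate(lines, pkt):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in lines:
        entry = parse(line)
        if matches(entry, pkt):
            return entry[0], line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_ACL, PROBE))
    print("with added entry:", evaluate(FIXED_ACL, PROBE))
```
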