[c-nsp] Strange SSH lag with ACL applied
Andy Saykao
andy.saykao at staff.netspace.net.au
Wed Jan 6 20:02:48 EST 2010
Hi All,
I have what seems like a trivial problem but can't figure out what's
causing it.
I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IPs
from accessing it.
What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT) to
VLAN2, it takes a very long time for the SSH login prompt to appear. If
I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
on with my ACL??? Why the lag for the SSH prompt to appear?
interface Vlan2
ip address 203.12.53.aaa 255.255.255.224
ip access-group VLAN2-FILTER-OUT out
no ip redirects
no ip mroute-cache
ip ospf priority 15
load-interval 30
tag-switching ip
!
ip access-list extended VLAN1-FILTER-OUT
permit ip host 203.10.110.x host 203.12.53.x
permit ip host 203.10.110.y host 203.12.53.x
permit ip host 203.10.110.z host 203.12.53.x
permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
deny ip any host 203.12.53.x
permit ip any any
Interestingly enough when I "permit ip any" to access Host B as the very
first line in the ACL, the SSH prompt is instantaneous.
permit ip any host 203.12.53.x log
I even tried permitting Host A as the very first line in the ACL like so,
but no joy.
permit ip host 210.15.210.x host 203.12.53.x log
Any ideas???
Thanks.
Andy
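Added example, not from the post above and not Cisco's own code: a small Python evaluator that applies IOS extended-ACL first-match semantics (wildcard masks, `host`, `any`, the implicit deny at the end) to the ACL as listed, using constructed addresses in place of the x/y/z placeholders. Because the ACL is applied `out` on Vlan2, the packets it sees are those the router forwards into VLAN2, so each test packet is written as (source, destination) in that direction.

```python
"""First-match evaluator for Cisco IOS extended ACL 'ip' entries.

Added example, not part of the original post. The addresses ending in
.1/.2/.3/.10/.11/.20 and 192.0.2.53 below are constructed stand-ins for the
x/y/z placeholders in the post; they are not real hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


@dataclass
class Ace:
    action: str    # 'permit' or 'deny'
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    log: bool
    text: str      # original line, kept for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    if tokens[1] != "ip":
        raise ValueError(f"only 'ip' entries are handled: {line!r}")
    src, src_wc, i = _parse_addr(tokens, 2)
    dst, dst_wc, i = _parse_addr(tokens, i)
    return Ace(tokens[0], src, src_wc, dst, dst_wc, "log" in tokens[i:], line.strip())


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching entry); index None = implicit deny."""
    for idx, ace in enumerate(acl, 1):
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action, idx
    return "deny", None   # every IOS ACL ends with an implicit 'deny ip any any'


HOST_B = "203.12.53.10"   # constructed stand-in for 203.12.53.x (Host B)
HOST_A = "210.15.210.20"  # constructed stand-in for Host A

# The ACL from the post, with constructed values substituted for x/y/z.
ACL_TEXT = f"""
permit ip host 203.10.110.1 host {HOST_B}
permit ip host 203.10.110.2 host {HOST_B}
permit ip host 203.10.110.3 host {HOST_B}
permit ip 172.16.50.0 0.0.0.255 host {HOST_B}
permit ip 172.16.51.0 0.0.0.255 host {HOST_B}
permit ip 203.17.103.0 0.0.0.255 host {HOST_B}
permit ip 203.17.101.0 0.0.0.255 host {HOST_B}
permit ip 210.15.210.0 0.0.0.255 host {HOST_B}
permit ip 203.17.96.0 0.0.0.255 host {HOST_B}
permit ip 203.17.102.0 0.0.0.255 host {HOST_B}
permit ip 172.16.9.0 0.0.0.255 host {HOST_B}
deny ip any host {HOST_B}
permit ip any any
"""
ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Packets as the router sees them being forwarded into VLAN2: (src, dst).
    # 192.0.2.53 is a constructed outside server replying to Host B.
    for src, dst in [(HOST_A, HOST_B), ("192.0.2.53", HOST_B), ("192.0.2.53", "203.12.53.11")]:
        action, idx = evaluate(ACL, src, dst)
        hit = ACL[idx - 1].text if idx else "<implicit deny>"
        print(f"{src:>15} -> {dst:<14} {action:6} via entry {idx}: {hit}")
```

The run shows Host A reaching Host B on entry 8 and any other outside source to Host B stopping at the `deny` on entry 12, while traffic to another VLAN2 host falls through to `permit ip any any`. One point worth keeping in view when reading the second result: an interface ACL in IOS is stateless, so a packet from an outside server to Host B is evaluated against the same entries whether it is a new connection attempt or a reply to something Host B itself sent out.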