[c-nsp] Strange SSH lag with ACL applied

Andrew Hoyos ahoyos at xiocom.com
Wed Jan 6 22:15:34 EST 2010


From Host A, is traffic allowed to your DNS servers in your ACL?

If not, the delay might be a reverse DNS lookup timing out.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Andy Saykao
> Sent: Wednesday, January 06, 2010 7:03 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange SSH lag with ACL applied
>
> Hi All,
>
> I have what seems like a trivial problem but can't figure out what's
> causing it.
>
> I am trying to SSH from Host A (210.15.210.x) to Host B (203.12.53.x).
> Host B is in VLAN2 and there's an ACL on VLAN2 that denies external IP's
> from accessing it.
>
> What I'm finding is that when I apply the ACL (VLAN2-FILTER-OUT ) to
> VLAN2, it takes a very long time for the SSH login prompt to appear. If
> I remove the ACL on VLAN2, the SSH prompt is instantaneous. What's going
> on with my ACL??? Why the lag for the SSH prompt to appear?
>
> interface Vlan2
>  ip address 203.12.53.aaa 255.255.255.224
>  ip access-group VLAN2-FILTER-OUT out
>  no ip redirects
>  no ip mroute-cache
>  ip ospf priority 15
>  load-interval 30
>  tag-switching ip
> !
> ip access-list extended VLAN1-FILTER-OUT
>  permit ip host 203.10.110.x host 203.12.53.x
>  permit ip host 203.10.110.y host 203.12.53.x
>  permit ip host 203.10.110.z host 203.12.53.x
>  permit ip 172.16.50.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.51.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.103.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.101.0 0.0.0.255 host 203.12.53.x
>  permit ip 210.15.210.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.96.0 0.0.0.255 host 203.12.53.x
>  permit ip 203.17.102.0 0.0.0.255 host 203.12.53.x
>  permit ip 172.16.9.0 0.0.0.255 host 203.12.53.x
>  deny   ip any host 203.12.53.x
>  permit ip any any
>
>
> Interestingly enough when I "permit ip any" to access Host B as the very
> first line in the ACL, the SSH prompt is instantaneous.
>
> permit ip any host 203.12.53.x log
>
> I even tried permitting Host A as the very first line in the ACL like so,
> but no joy.
>
> permit ip host 210.15.210.x host 203.12.53.x log
>
> Any ideas???
>
> Thanks.
>
> Andy
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/