https://slinkov.ru/openforum/vsluhforumID6/725.html interface Ethernet0/2.7<br>vlan 216<br>nameif xxx-dc<br>security-level 100<br>ip address 172.17.4.1 255.255.255.248<br>object-group network xxx-distr<br>network-object 172.31.0.0 255.255.0.0<br><br>route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2<br><br>access-list acl-xxx-distr extended deny ip object-group xxx-distr any<br><br><br>access-group acl-xxx-distr in interface xxx-dc<br><br>Трафик ходит, хотя не должен. Почему?<br> https://slinkov.ru/openforum/vsluhforumID6/725.html#4 Mon, 06 May 2013 09:44:46 GMT <br>Phase: 1<br>Type: ROUTE-LOOKUP<br>Subtype: input<br>Result: ALLOW<br>Config:<br>Additional Information:<br>in 172.31.0.0 255.255.0.0 xxx-dc<br><br>Phase: 2<br>Type: ACCESS-LIST<br>Subtype:<br>Result: DROP<br>Config:<br>Implicit Rule<br>Additional Information:<br>Forward Flow based lookup yields rule:<br>in id=0xd839b0a8, priority=11, domain=permit, deny=true<br>hits=0, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0<br>src ip=0.0.0.0, mask=0.0.0.0, port=0<br>dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0<br><br>Result:<br>input-interface: xxx-dc<br>input-status: up<br>input-line-status: up<br>output-interface: xxx-dc<br>output-status: up<br>output-line-status: up<br>Action: drop<br>Drop-reason: (acl-drop) Flow is denied by configured rule<br> https://slinkov.ru/openforum/vsluhforumID6/725.html#3 Mon, 06 May 2013 09:44:25 GMT 1: 13:19:45.979227 802.1Q vlan#216 P0 172.31.1.18.60493 &gt; 172.27.0.10.445: P 3467662171:3467662415(244) ack 256553634 win 571<br>2: 13:19:45.982203 802.1Q vlan#216 P0 172.27.0.10.445 &gt; 172.31.1.18.60493: P 256553634:256553878(244) ack 3467662415 win 255<br>3: 13:19:45.983500 802.1Q vlan#216 P0 172.31.1.18.60493 &gt; 172.27.0.10.445: P 3467662415:3467662621(206) ack 256553878 win 570<br>4: 13:19:45.987162 802.1Q vlan#216 P0 172.27.0.10.445 &gt; 172.31.1.18.60493: . 256553878:256555258(1380) ack 3467662621 win 254<br>5: 13:19:45.987253 802.1Q vlan#216 P0 172.27.0.10.445 &gt; 172.31.1.18.60493: P 256555258:256556058(800) ack 3467662621 win 254<br>6: 13:19:45.987986 802.1Q vlan#216 P0 172.31.1.18.60493 &gt; 172.27.0.10.445: . ack 256556058 win 562<br>7: 13:19:45.988947 802.1Q vlan#216 P0 172.31.1.18.60493 &gt; 172.27.0.10.445: P 3467662621:3467662713(92) ack 256556058 win 562<br>8: 13:19:45.991464 802.1Q vlan#216 P0 172.27.0.10.445 &gt; 172.31.1.18.60493: P 256556058:256556186(128) ack 3467662713 win 254<br>9: 13:19:46.188115 802.1Q vlan#216 P0 1 https://slinkov.ru/openforum/vsluhforumID6/725.html#2 Mon, 06 May 2013 09:14:28 GMT &gt;[оверквотинг удален]<br>&gt;&gt; nameif xxx-dc <br>&gt;&gt; security-level 100 <br>&gt;&gt; ip address 172.17.4.1 255.255.255.248 <br>&gt;&gt; object-group network xxx-distr <br>&gt;&gt; network-object 172.31.0.0 255.255.0.0 <br>&gt;&gt; route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2 <br>&gt;&gt; access-list acl-xxx-distr extended deny ip object-group xxx-distr any <br>&gt;&gt; access-group acl-xxx-distr in interface xxx-dc <br>&gt;&gt; Трафик ходит, хотя не должен. Почему?<br>&gt; Откуда и куда ходит ваш трафик?<br><br>НА другие интерфейсы и сети.<br> https://slinkov.ru/openforum/vsluhforumID6/725.html#1 Tue, 30 Apr 2013 14:58:34 GMT &gt;[оверквотинг удален]<br>&gt; vlan 216 <br>&gt; nameif xxx-dc <br>&gt; security-level 100 <br>&gt; ip address 172.17.4.1 255.255.255.248 <br>&gt; object-group network xxx-distr <br>&gt; network-object 172.31.0.0 255.255.0.0 <br>&gt; route xxx-dc 172.31.0.0 255.255.0.0 172.17.4.2 2 <br>&gt; access-list acl-xxx-distr extended deny ip object-group xxx-distr any <br>&gt; access-group acl-xxx-distr in interface xxx-dc <br>&gt; Трафик ходит, хотя не должен. Почему?<br><br>Откуда и куда ходит ваш трафик?<br>