Hey all - so I ran into a bit of weirdness yesterday with an ACL applied outbound on a VLAN interface on my core 5412Rzl2. The problem was that our DCs were unable to sync their time with our NTP servers. The DCs live in different subnets than the NTP servers. The problem turned out to be with the ACL applied outbound to the VLAN that the NTP servers reside in. However, that same ACL had permits allowing the DCs to the entire subnet for ip. There is also another permit allowing UDP traffic from our internal networks into the subnet where the NTP servers live. There are no rules that would block this traffic before the allows in the ACL that I can see.
Removing the ACL from the VLAN interface resolved the issue, but of course that wasn't a true fix for the situation. I ended up having to add specific permits from the DCs to the NTP servers for udp/123 before the DCs could sync their time with the NTP servers. Given the other ACEs already in place I am not sure why this was necessary.
Below is the relevant portion of the outbound ACL in question. IPs have been changed to sanitize the ACL for a public forum. Also, a couple of SNMP allow rules have been omitted for brevity. The ACL is actually much longer than what is presented here, but the rest isn't needed for troubleshooting this issue. Please note: This is the ACL after the specific NTP allows have been added.
remark "deny WiFi networks"
deny ip 10.100.0.0 0.0.31.255 192.168.246.0 0.0.0.255
deny ip 10.103.0.0 0.0.31.255 192.168.246.0 0.0.0.255
remark "deny ping to broadcast"
deny icmp 0.0.0.0 255.255.255.255 192.168.246.255 0.0.0.0 log
remark "allow ping from internal networks"
permit icmp 10.0.0.0 0.255.255.255 192.168.246.0 0.0.0.255
permit icmp 192.168.240.0 0.0.7.255 192.168.246.0 0.0.0.255
permit icmp 192.168.248.0 0.0.0.255 192.168.246.0 0.0.0.255
remark "allow NTP from DCs to NTP servers"
permit udp 192.168.240.15 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
permit udp 192.168.240.15 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
permit udp 192.168.240.15 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
permit udp 192.168.240.16 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
permit udp 192.168.240.16 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
permit udp 192.168.240.16 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
permit udp 192.168.240.17 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
permit udp 192.168.240.17 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
permit udp 192.168.240.17 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
permit udp 192.168.248.12 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
permit udp 192.168.248.12 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
permit udp 192.168.248.12 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
permit udp 192.168.248.13 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
permit udp 192.168.248.13 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
permit udp 192.168.248.13 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
permit udp 192.168.248.14 0.0.0.0 192.168.246.50 0.0.0.0 eq 123
permit udp 192.168.248.14 0.0.0.0 192.168.246.101 0.0.0.0 eq 123
permit udp 192.168.248.14 0.0.0.0 192.168.246.130 0.0.0.0 eq 123
remark "allow all traffic from Domain Controllers"
permit ip 192.168.240.15 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.240.16 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.240.17 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.248.12 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.248.13 0.0.0.0 192.168.246.0 0.0.0.255
permit ip 192.168.248.14 0.0.0.0 192.168.246.0 0.0.0.255
remark "Allow DMZ to Server Subnet unrestricted"
permit ip 192.168.241.0 0.0.0.127 192.168.246.0 0.0.0.255 log
remark "allow SNMP on Netsight-Server for management network"
permit udp 172.18.0.0 0.0.255.255 192.168.246.150 0.0.0.0 range 161 162
remark "block SNMP from other networks"
deny udp 0.0.0.0 255.255.255.255 192.168.246.0 0.0.0.255 range 161 162 log
remark "allow UDP from internal networks"
permit udp 10.0.0.0 0.255.255.255 192.168.246.0 0.0.0.255
permit udp 192.168.240.0 0.0.7.255 192.168.246.0 0.0.0.255
permit udp 192.168.248.0 0.0.0.255 192.168.246.0 0.0.0.255
permit udp 172.18.0.0 0.0.255.255 192.168.246.0 0.0.0.255
The 5412Rzl2 is running KB.16.08.0001. Thanks in advance for any feedback.