[[nsp] ACLs on 2948G-L3]

Dmitri Kalintsev dek at hades.uz
Mon Jun 2 10:02:29 EDT 2003


This looks like the old problem there was with netflow enabled (if you have
netflow enabled on the interface and change/apply access list to it, the
packets belonging to the active flows will get through until flows expire).
I don't have a bugid, sorry.

On Fri, May 30, 2003 at 12:26:09PM -0400, Joshua Sahala wrote:
> i have run into something similar on a 7513 (12.2(15)T) - the acl would
> permit/deny random traffic (blocking things that were permitted, allowing
> what wasn't) - BUT, if i added a log statement to most (all) of the
> entries, suddenly, it worked.  the counters worked, the entries matched
> the right packets, etc (of course the side effect was that 90%+ of the
> traffic was logged). i was unable to find a bug report, and my attempted
> debugs yielded nothing, so i ended up taking the acl down (security, what
> security)
> 
> /joshua
> 
> Gert Doering <gert at greenie.muc.de> wrote:
> > Hi,
> > 
> > I always knew that the Catalyst 2948G-L3 is a piece of junk, but today we
> > had a new and exciting effect: ACLs only work "sometimes".
> > 
> > I have an ACL, incoming on the Gig50 interface, that has a 
> > 
> >   deny ip any host <somehost>
> > 
> > as the very first statement.  NO permit before that.
> > 
> > The host is on a routed vlan interface (bvi40).
> > 
> > The deny works for "traceroute", but "ping" or "telnet" *do* get through
> > just fine to the machine, as soon as it's in the CEF adjacency cache.  
> > Switching off CEF doesn't work ("not supported on this hardware"), of
> > course.
> > 
> > We have now moved the ACL to the other end of the GigE line, but I don't
> > want to have it there (due to maintenance reasons, and who has access to
> > which part of the infrastructure).
> > 
> > Now the interesting question: is something "stuck" in the 2948G-L3, and
> > chances are good that it will be back to working after a reload, or is
> > it a known effect that ACLs just don't work properly?
> > 
> > IOS is cat2948g-in-mz.120-18.W5.22b.bin (which is the most recent version,
> > as far as I know).
> > 
> > gert
> > 
> > -- 
> > USENET is *not* the non-clickable part of WWW!
> >                                                           //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                            gert at greenie.muc.de
> > fax: +49-89-35655025                       gert.doering at physik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> 
> 
> 
> "Walk with me through the Universe,
>  And along the way see how all of us are Connected.
>  Feast the eyes of your Soul,
>  On the Love that abounds.
>  In all places at once, seemingly endless,
>  Like your own existence."
>      - Stephen Hawking -
> 
---end quoted text---

-- 
D.K.
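The behaviour described in this thread (an ACL that is bypassed for flows that were already active, until those flows idle out) comes down to a forwarding path that consults a per-flow cache before it consults the ACL. The following is an added Python model of that path, not code from the thread or from any Cisco platform: the destination address 10.0.40.5, the three-tick flow timeout, and the cache-before-ACL ordering are assumptions of the model. `demonstrate(False)` reproduces the stale-verdict problem, `demonstrate(True)` shows the fix (drop every cached verdict when the ACL changes), and `stale_entries` is the check an operator would want: which cached flows currently disagree with the installed ACL.

```python
# Added example (not code from the thread): toy model of an interface that keeps
# a per-flow cache in front of its ACL. The host address, the flow timeout and
# the cache-before-ACL ordering are assumptions of the model.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str]          # (protocol, source, destination)


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one IOS-style address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask marks "don't care" bits with 1, so inverting it gives a netmask
    # (non-contiguous wildcards are rejected by IPv4Network; the toy does not need them).
    netmask = (~int(ipaddress.IPv4Address(tokens[1]))) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((tokens[0], str(ipaddress.IPv4Address(netmask))), strict=False)
    return net, tokens[2:]


def parse_ace(line: str) -> AclEntry:
    """Parse one access-list entry such as 'deny ip any host 10.0.40.5'."""
    tokens = line.split()
    src, rest = _parse_addr(tokens[2:])
    dst, _ = _parse_addr(rest)
    return AclEntry(tokens[0], tokens[1], src, dst)


class Interface:
    def __init__(self, flow_cache: bool, ttl_ticks: int = 3):
        self.acl: List[AclEntry] = []
        self.flow_cache_enabled = flow_cache
        self.cache: Dict[Flow, Tuple[str, int]] = {}   # flow -> (verdict, expiry tick)
        self.ttl = ttl_ticks
        self.tick = 0

    def apply_acl(self, lines: List[str], flush_cache: bool = False) -> None:
        """Install a new ACL; the fix is to drop every cached verdict at the same time."""
        self.acl = [parse_ace(line) for line in lines]
        if flush_cache:
            self.cache.clear()

    def lookup_acl(self, proto: str, src: str, dst: str) -> str:
        """First-match evaluation with the implicit deny at the end of an IOS ACL."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for e in self.acl:
            if e.proto in ("ip", proto) and s in e.src and d in e.dst:
                return e.action
        return "deny"

    def forward(self, proto: str, src: str, dst: str) -> str:
        """Verdict for one packet: a live cache entry is used without consulting the ACL."""
        key: Flow = (proto, src, dst)
        if self.flow_cache_enabled:
            hit = self.cache.get(key)
            if hit is not None and hit[1] > self.tick:
                self.cache[key] = (hit[0], self.tick + self.ttl)  # active flow stays fresh
                return hit[0]
        verdict = self.lookup_acl(proto, src, dst)
        if self.flow_cache_enabled:
            self.cache[key] = (verdict, self.tick + self.ttl)
        return verdict

    def advance(self, ticks: int = 1) -> None:
        """Let time pass; idle flows age out of the cache."""
        self.tick += ticks
        self.cache = {k: v for k, v in self.cache.items() if v[1] > self.tick}


def stale_entries(ifc: Interface) -> List[Flow]:
    """Cached verdicts that disagree with what the installed ACL would decide now."""
    return [flow for flow, (verdict, _) in ifc.cache.items()
            if ifc.lookup_acl(*flow) != verdict]


def demonstrate(flush_on_change: bool) -> List[str]:
    """Verdicts for a flow that was active before a deny was added: right after the
    change, for a brand-new flow to the same host, and after the old flow idles out."""
    ifc = Interface(flow_cache=True, ttl_ticks=3)
    ifc.apply_acl(["permit ip any any"])
    host = "10.0.40.5"                               # constructed; stands in for <somehost>
    before = ifc.forward("tcp", "192.0.2.10", host)  # admitted and cached as "permit"
    ifc.apply_acl(["deny ip any host 10.0.40.5", "permit ip any any"],
                  flush_cache=flush_on_change)
    stale = ifc.forward("tcp", "192.0.2.10", host)   # old flow: cache hit unless flushed
    fresh = ifc.forward("tcp", "192.0.2.11", host)   # new flow: no cache entry, hits the deny
    ifc.advance(5)                                   # old flow idles past its expiry
    after = ifc.forward("tcp", "192.0.2.10", host)
    return [before, stale, fresh, after]


if __name__ == "__main__":
    print("without flush:", demonstrate(False))  # ['permit', 'permit', 'deny', 'deny']
    print("with flush:   ", demonstrate(True))   # ['permit', 'deny', 'deny', 'deny']
```

The model also explains why a brand-new connection is blocked while an established one keeps working: only flows that already have a cache entry carry the old verdict. On a real platform the operator cannot call `stale_entries`, so the practical equivalents are to clear the flow cache after changing an ACL where the software allows it, and to test the ACL with a fresh flow from a host that has not talked to the target recently rather than with one that is already in progress.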

