[nsp] extended ACLs on Cat4k/Sup III
Steve Francis
steve at expertcity.com
Fri Mar 12 17:43:46 EST 2004
Anyone got extended ACLs to work outbound on an interface on a Cat4k
with Sup III?
I'm running Version 12.1(19)EW1, and the outbound ACLs seem simply
broken. (These are router interface ACLs, not port or VACLs.)
For the ACL:
Extended IP access list workstations-out
    permit udp any eq bootps 10.0.0.0 0.255.255.3 eq bootps
    permit udp any eq bootps any eq bootpc (5 matches)
    permit udp 10.0.0.0 0.255.254.255 any eq netbios-ns (223 matches)
    permit udp 10.0.0.0 0.255.254.255 any eq netbios-dgm (3 matches)
    permit tcp 10.0.0.0 0.255.254.255 any range 135 139 (167 matches)
    permit udp 10.0.0.0 0.255.254.255 any eq ntp (69 matches)
    permit udp 10.4.0.0 0.0.255.255 any eq netbios-ns
    permit udp 10.4.0.0 0.0.255.255 any eq netbios-dgm
    permit udp 10.4.0.0 0.0.255.255 any eq ntp (2 matches)
    permit tcp 10.4.0.0 0.0.255.255 any range 135 139 (256 matches)
    deny tcp any any lt 1024 log (606 matches)
    deny udp any any lt 1024 log (889 matches)
    permit ip any any (2763541 matches)
I get logged messages like:
%SEC-6-IPACCESSLOGP: list workstations-out denied tcp
66.151.158.183(54840) -> 10.1.1.74(26255), 1 packet
Given that the only TCP deny clause is for packets with a destination
port of < 1024, this should not have been blocked.
Secondly, the source port of this packet was actually port 80, not the 54840
that it logged.
I have a case open with TAC (who are trying to recreate in the lab), but
thought someone else must have tried to put ACLs on a Sup III before....
If so, what IOS? Named or numbered? Thx