[c-nsp] FWSM breaks router ACL
Jeff Fitzwater
jfitz at Princeton.EDU
Tue Sep 30 09:41:21 EDT 2008
I have FWSM running 4.0(2) in a 6509 with Sup 720 CXL running 12.2(33)SXH2a.
The FWSM runs in transparent mode and sits between our ISPs and the edge router. The FWSM has 3 BVIs, one for each ISP.
The same router connects to 3 downstream routers via 3 different gig interfaces.
With the FWSM OFFLINE, the router connects directly to the ISPs via 3 VLANs (3553, 4000, 4001) on 3 corresponding L2 ports in the same VLANs.
The FWSM has its OUTSIDE interfaces assigned to VLANs 4050, 4051, 4052 and its INSIDE interfaces to 3553, 4000, 4001.
When the FWSM is ONLINE, the L2 ports get changed to VLANs 4050, 4051, 4052.
The VLANs with the ACLs that connect to the inside routers are VLANs 268, 524, 525.
PROBLEM
The three SVI interfaces that connect to the inside routers have outbound ACLs which no longer work (they pass everything) as long as the FWSM is configured ONLINE.
I have the feeling it is related to CEF not having the correct info, since the packets are arriving on VLANs 4050, 4051, 4052 but they still think they are on VLANs 3553, 4000 and 4001. I believe the ACLs get info from CEF to do packet matching, and now they no longer match.
Has anyone seen this problem or know of a fix?
I have a ticket open with Cisco support.
Thanks for any help.
Jeff Fitzwater
OIT Network Systems
Princeton University