[nsp] 7600 and ACLs

Ash Garg ash@telstra.net
Wed, 6 Nov 2002 10:51:06 +1100


Here are the relevant configs:

ip access-list extended news
 remark Access List for News server
 remark Allow peers to connect to transit
 permit tcp any host 203.50.4.226 eq nntp
 permit tcp any eq nntp host 203.50.4.226 gt 1023
 remark Allow customer to connect to reader
 permit tcp any host 203.50.4.223 eq nntp
 remark Allow Lonsdale News in to all
 permit tcp 203.50.2.80 0.0.0.15 any eq nntp
 permit tcp 203.50.2.80 0.0.0.15 any eq 433
 remark Allow access to assurance servers
 permit ip 203.50.0.0 0.0.0.255 any
 permit ip host 203.50.1.12 any
 permit ip host 203.50.2.12 any
 permit ip host 203.50.4.12 any
 permit tcp 203.50.0.0 0.0.0.255 any eq www
 remark Allow DNS responses in
 permit udp any eq domain any
 remark Allow NTP responses back in
 permit udp host 203.62.252.79 any eq ntp
 permit udp host 203.62.252.40 any eq ntp
 remark Allow ICMP in
 permit icmp host 203.36.174.3 any
 permit icmp 203.50.0.0 0.0.255.255 any
 permit icmp 203.14.0.0 0.0.15.255 any
 permit icmp 203.62.248.0 0.0.7.255 any
 permit tcp any any gt 1023 established
 deny   ip any any log

interface Vlan290
 description News Servers
 ip address 203.50.4.225 255.255.255.224
 ip access-group news out
end

interface FastEthernet4/17
 description ken-numberer.news
 no ip address
 switchport
 switchport access vlan 290
 switchport mode access
!
interface FastEthernet4/18
 description ken-numberer.news
 no ip address
 switchport
 switchport access vlan 290
 switchport mode access
!

------------

Typical TCP transfer


<<<<<<<<< log keyword removed and TCP session initiated...
10:33:52.671890 203.50.4.226.3404 > 213.91.4.139.80: S 2873515139:2873515139(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 57666698 0> (DF)
10:33:55.871960 203.50.4.226.3404 > 213.91.4.139.80: S 2873515139:2873515139(0) win 65535 <mss 1460> (DF)
10:33:59.072008 203.50.4.226.3404 > 213.91.4.139.80: S 2873515139:2873515139(0) win 65535 <mss 1460> (DF)
10:34:02.272057 203.50.4.226.3404 > 213.91.4.139.80: S 2873515139:2873515139(0) win 65535 <mss 1460> (DF)
10:34:08.472162 203.50.4.226.3404 > 213.91.4.139.80: S 2873515139:2873515139(0) win 65535 <mss 1460> (DF)
10:34:20.672318 203.50.4.226.3404 > 213.91.4.139.80: S 2873515139:2873515139(0) win 65535 <mss 1460> (DF)
10:34:21.266450 213.91.4.139.80 > 203.50.4.226.3404: . ack 2873515140 win 65535 <nop,nop,timestamp 1086819022 57666698> (DF)


<<<<<<<<<<<<<<< ACL rewritten to include log keyword & TCP proceeds okay.

10:34:31.836372 213.91.4.139.80 > 203.50.4.226.3404: S 2800829854:2800829854(0) ack 2873515140 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1086820101 57666698> (DF)
10:34:31.836440 203.50.4.226.3404 > 213.91.4.139.80: . ack 1 win 65535 (DF)
10:34:31.837739 203.50.4.226.3404 > 213.91.4.139.80: P 1:25(24) ack 1 win 65535 (DF)
10:34:32.316509 213.91.4.139.80 > 203.50.4.226.3404: . ack 25 win 33304 <nop,nop,timestamp 1086820149 57666698> (DF)
10:34:32.316542 203.50.4.226.3404 > 213.91.4.139.80: P 25:106(81) ack 1 win 65535 (DF)
10:34:32.696980 213.91.4.139.80 > 203.50.4.226.3404: . 1:1449(1448) ack 106 win 33304 <nop,nop,timestamp 1086820186 57666698> (DF)
10:34:32.706689 213.91.4.139.80 > 203.50.4.226.3404: . 1449:2897(1448) ack 106 win 33304 <nop,nop,timestamp 1086820186 57666698> (DF)
10:34:32.706710 203.50.4.226.3404 > 213.91.4.139.80: . ack 2897 win 64252 (DF)
10:34:33.126739 213.91.4.139.80 > 203.50.4.226.3404: . 2897:4345(1448) ack 106 win 33304 <nop,nop,timestamp 1086820224 57666698> (DF)
10:34:33.126760 203.50.4.226.3404 > 213.91.4.139.80: . ack 4345 win 64252 (DF)
10:34:33.136672 213.91.4.139.80 > 203.50.4.226.3404: . 4345:5793(1448) ack 106 win 33304 <nop,nop,timestamp 1086820224 57666698> (DF)
10:34:33.136697 203.50.4.226.3404 > 213.91.4.139.80: . ack 5793 win 64252 (DF)
10:34:33.147262 213.91.4.139.80 > 203.50.4.226.3404: . 5793:7241(1448) ack 106 win 33304 <nop,nop,timestamp 1086820225 57666698> (DF)

----------------------

The "show tcam counts" output tells me that we aren't over-utilizing any of the
resources.

#show tcam counts
           Used        Free        Percent Used       Reserved
           ----        ----        ------------       --------
 Labels:     11         501            2

ACL_TCAM
  Masks:    111        3985            2                     0
Entries:    273       32495            0                     0

QOS_TCAM
  Masks:      1        4095            0                     0
Entries:      8       32760            0                     0

    LOU:      1          63            1
  ANDOR:      1          15            6
  ORAND:      0          16            0
    ADJ:      0        1024            0

The TAC seem to be stumped as well. We have already swapped the sup
(including the PFC and MSFC) and the 48-port FastE with nil effect as
well...


Thanks,
Ash
                                           \\\|||///
                                          \\  ^ ^  //
                                           (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
Ash Garg                             5/490 Northbourne Ave
Network Specialist                   DICKSON 2602
Internet Network Development
Telstra

Email: <<mailto:Ash.Garg@telstra.net>>
BH:  +612 6208 1994
Mob: 0408 687 642
Fax: +612 6248 6165

The best way to publicize a governmental or political
action is to attempt to hide it. -Mark B. Cohen
----------------------------------------------------------
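
As an added example, not code from any post in this thread: a small Python walker that applies the posted "news" ACL with IOS first-match semantics (top to bottom, first hit wins, implicit deny at the end, Cisco wildcard masks where a 1 bit means "don't care") to the packets the trace shows. Because the ACL is applied "out" on Vlan290, it filters traffic leaving the router towards the news servers, so the packet that matters is the returning SYN-ACK from 213.91.4.139:80 to 203.50.4.226:3404. In software that segment has the ACK bit set and a destination port above 1023, so it should hit "permit tcp any any gt 1023 established"; that is what the MSFC delivers once "log" forces the punt, and it is the behaviour the hardware path is failing to reproduce. The same walker also makes a property of this ACL visible that is easy to miss: "permit udp any eq domain any" permits any UDP datagram whose source port happens to be 53, to any destination port. The service-name table, the treatment of "established" as "ACK or RST set", and the two packets not taken from the trace (198.51.100.7 is a documentation address) are my assumptions.

```python
# Added example, not code from any post in this thread: a walker that applies the
# posted 'news' ACL with IOS first-match semantics to packets taken from the trace.
import ipaddress
from collections import namedtuple

NEWS_ACL = """\
permit tcp any host 203.50.4.226 eq nntp
permit tcp any eq nntp host 203.50.4.226 gt 1023
permit tcp any host 203.50.4.223 eq nntp
permit tcp 203.50.2.80 0.0.0.15 any eq nntp
permit tcp 203.50.2.80 0.0.0.15 any eq 433
permit ip 203.50.0.0 0.0.0.255 any
permit ip host 203.50.1.12 any
permit ip host 203.50.2.12 any
permit ip host 203.50.4.12 any
permit tcp 203.50.0.0 0.0.0.255 any eq www
permit udp any eq domain any
permit udp host 203.62.252.79 any eq ntp
permit udp host 203.62.252.40 any eq ntp
permit icmp host 203.36.174.3 any
permit icmp 203.50.0.0 0.0.255.255 any
permit icmp 203.14.0.0 0.0.15.255 any
permit icmp 203.62.248.0 0.0.7.255 any
permit tcp any any gt 1023 established
deny ip any any log"""
SERVICES = {"nntp": 119, "www": 80, "domain": 53, "ntp": 123}  # assumed name table
# flags: TCP flags in tcpdump letters (S, A, R, P, F); ports stay 0 for ICMP
Packet = namedtuple("Packet", "proto src dst sport dport flags", defaults=(0, 0, ""))
Ace = namedtuple("Ace", "action proto src sport dst dport established text")

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _port(tok):
    return SERVICES.get(tok) or int(tok)

def _parse_addr(toks, i):  # 'any' | 'host A' | 'A W' -> ((base, wildcard), next index)
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1  # all-ones wildcard: every bit is "don't care"
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2

def _parse_port(toks, i):  # optional 'eq|gt|lt|neq N' (the subset this ACL uses)
    if i < len(toks) and toks[i] in ("eq", "gt", "lt", "neq"):
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i

def parse_acl(text):
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        src, i = _parse_addr(toks, 2)
        sport, i = _parse_port(toks, i)
        dst, i = _parse_addr(toks, i)
        dport, i = _parse_port(toks, i)
        aces.append(Ace(toks[0], toks[1], src, sport, dst, dport,
                        "established" in toks[i:], " ".join(toks)))
    return aces

def _addr_match(addr, spec):  # wildcard 1-bits are ignored, as in IOS
    base, wild = spec
    return (_ip(addr) & ~wild) == (base & ~wild)

def _port_match(port, spec):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]

def match(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
        return False
    if pkt.proto in ("tcp", "udp") and not (
            _port_match(pkt.sport, ace.sport) and _port_match(pkt.dport, ace.dport)):
        return False
    # 'established' matches only TCP with ACK or RST set: a bare SYN never hits it
    if ace.established and (pkt.proto != "tcp" or not set(pkt.flags) & {"A", "R"}):
        return False
    return True

def evaluate(aces, pkt):  # (action, ACE text) of the first match, else the implicit deny
    hit = next((a for a in aces if match(a, pkt)), None)
    return (hit.action, hit.text) if hit else ("deny", "implicit deny")

# From the trace, as the 'out' ACL on Vlan290 sees it (router -> news server).
SYN_ACK = Packet("tcp", "213.91.4.139", "203.50.4.226", 80, 3404, "SA")
# Constructed, not from the trace: an unsolicited SYN to the same high port, and
# a UDP datagram that merely carries source port 53.
NEW_SYN = Packet("tcp", "198.51.100.7", "203.50.4.226", 40000, 3404, "S")
FAKE_DNS = Packet("udp", "198.51.100.7", "203.50.4.226", 53, 31337)

if __name__ == "__main__":
    aces = parse_acl(NEWS_ACL)
    for pkt in (SYN_ACK, NEW_SYN, FAKE_DNS):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags}", evaluate(aces, pkt))
```

Running it prints the SYN-ACK being permitted by the "established" ACE, the bare SYN falling through to "deny ip any any log", and the source-port-53 datagram being permitted by "permit udp any eq domain any". The walker is deliberately the software semantics only; it says what the MSFC should do with a punted packet, not what the PFC's TCAM programming actually does, which is the gap the thread is chasing.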

-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Rubens Kuhl Jr.
Sent: Wednesday, 6 November 2002 9:43 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [nsp] 7600 and ACLs



Logged packets are passed to the MSFC, which then processes them like a usual IOS
router... it seems ACLs aren't being correctly implemented on the Supervisor.

Relevant config files and some error messages might help us help you...

Rubens


----- Original Message -----
From: "Ash Garg" <ash@telstra.net>
To: <cisco-nsp@puck.nether.net>
Sent: Tuesday, November 05, 2002 8:22 PM
Subject: [nsp] 7600 and ACLs


| Has anyone had problems with ACLs applied to VLAN interfaces on a 7600
| running Native IOS? We have tried two different IOSs: 12.1(8b)e9 &
| 12.1(11b)e7 with little difference.
|
| The problem we notice is that TCP SYN packets aren't passed through without
| the use of the "log" keyword. When you put in the log keyword, the packets
| pass through the interface without a problem...
| Ash
|

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/