[nsp] Filter-Id for AS5300

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Fri Aug 1 13:23:27 EDT 2003 

Hi,

>    After comparing this, I found out that access list are NOT applied
> to virtual-access interfaces, even though it says in the "sh ip int"
> output (on 12.3(1a)):  
> 
>   Outgoing access list is f20po, default is not set
>   Inbound  access list is f20pi, default is not set
> 
>    I switched back to 12.2(8)T and filters work. We are using Radius
> code 11 (Filter-ID). We are using this for VPDN (L2TP). 

Hmm, you are not trying to filter VPDN/L2TP users on the LAC, aren't
you? There is no vaccess interface on the LAC for the user as we don't
terminate the PPP connection, so you're probably talkin about a locally
terminated ppp user?!

Just checked with 12.3(1a) on an AS5300: per-user ACLs are correctly
applied and enforced on a vaccess. What makes you think they are not
applied/enforced?

See below..

	oli


dialin1 Password = "test"
        Service-Type=Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Address="5.5.5.5",
        Filter-Id="aclin.in",
        Filter-Id="aclout.out",
        Cisco-avpair="lcp:timeout=60"

AS5300B#sh ver | i IOS
IOS (tm) 5300 Software (C5300-IS-M), Version 12.3(1a), RELEASE SOFTWARE
(fc1)
AS5300B#sh ip int vi2 | i access list
  Outgoing access list is aclout, default is not set
  Inbound  access list is aclin, default is not set
AS5300B#sh access-l
Extended IP access list aclin
    10 deny ip any any (4 matches)
Extended IP access list aclout
    10 deny ip any any
AS5300B#
*Feb  5 23:02:31.611: ICMP: dst (20.20.20.20) administratively
prohibited unreachable sent to 5.5.5.5
*Feb  5 23:02:32.123: ICMP: dst (20.20.20.20) administratively
prohibited unreachable sent to 5.5.5.5
*Feb  5 23:02:34.619: ICMP: dst (20.20.20.20) administratively
prohibited unreachable sent to 5.5.5.5
AS5300B#sh access-l
Extended IP access list aclin
    10 deny ip any any (15 matches)
Extended IP access list aclout
    10 deny ip any any
AS5300B#
*Feb  5 23:02:50.019: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
*Feb  5 23:02:51.011: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
*Feb  5 23:02:52.011: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
*Feb  5 23:02:53.011: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
*Feb  5 23:02:54.011: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
*Feb  5 23:02:55.011: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
*Feb  5 23:02:56.011: ICMP: dst (5.5.5.5) administratively prohibited
unreachable sent to 10.0.0.8
AS5300B#sh access-l
Extended IP access list aclin
    10 deny ip any any (15 matches)
Extended IP access list aclout
    10 deny ip any any (14 matches)
AS5300B#



> 
> -----Original Message-----
> From: Mark Tinka [mailto:mtinka at africaonline.co.ug]
> Sent: Friday, August 01, 2003 8:48 AM
> To: 'Oliver Boehmer (oboehmer)'; Srdjan Simic
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [nsp] Filter-Id for AS5300
> 
> 
> Oliver Boehmer (oboehmer) wrote:
> > Hi,
> > 
> > I think we are talking about two different problems, even though
> > they look similar: 
> > 
> > > Srdjan Simic wrote:
> > > >    We had the same problem. sh run did not show acl, but sh
> > > > access-list did, and besides the name there was "(per-user)".
> > > > This was with IOS 12.2(8)T and C3640. We were in big trouble,
> > > > because we could not save the config. After first lookups, it
> > > > seems that, when the router boots, everything is ok. When the
> > > > first user comes and requests a filter set, that filter set is
> > > > removed from running config. We switched to other IOS and that
> > > > solved the problem. Currently we are on 12.3(1a) but we also
> > > > tried 12.2(17a) and 
> > > > 12.2(7a) .and
> > 
> > This problem has been described in CSCdx52334 (and has been fixed in
> > 12.2(13)T/12.2(13) and other releases). Every per-user ACL
> > effectivly turned on the "per-user" flag on existing ACLs
> > configured on the box and thus prevented them from being saved
> > (per-user ACLs are dynamic and are never saved). 
> > 
> > 
> > > So you say that after a reboot [I haven't yet tried], the
> > > configuration remains intact [albeit invisible], and that the
> > > named access list will work even when it doesn't show up in the
> > > running configuration.
> > 
> > No, I doubt this, unless the ACL is present in the startup-config
> > (which it isn't if you did a "write" after the box booted).
> > 
> > > Well, I am running 12.3(1a) too, but I am exhibiting this
> > > problem. I never tried using this named access list on my
> > > previous IOS, so I can't really say whether the problem is with
> > > 12.3. 
> > 
> > The behaviour you're seeing with 12.3(1a) is definitly a bug and
> > needs to be fixed. It could be a race condition, maybe some user's
> > profile referenced the ACL before or while (?) it was being defined.
> > I also saw this problem with 12.2(2)XB11, but only on one of 100+
> > routers using the same config.
> > 
> > Can you please try the following: Use "copy tftp startup-config" to
> > write a complete config (including the ACL) directly into the NVRAM
> > and do a reload. The system will then come up with the ACL, and the
> > problem should be solved. If not, it would be very interesting to
> > see what triggered the problem, but might be difficult to find out.
> > I'll try to repro this internally..
> > 
> > Tx,
> > 	oli
> 
> Hi Oli. Thanks for your response.
> 
> I did as you suggested, and copied the configuration from my TFTP
> server straight into NVRAM. I reloaded, and it works fine. The
> configuration is present in the running-config file, and the
> (per-user) flag is no longer present on the show access-list command:
> 
> AS5300#sh access-lists emailonly
> Extended IP access list emailonly
>     10 permit tcp any any eq smtp (14 matches)
>     20 permit tcp any any eq pop3 (1207 matches)
>     30 permit tcp any any eq domain
>     40 permit udp any any eq domain (54 matches)
>     50 permit tcp any host x.x.x.x eq www
>     60 permit tcp any host x.x.x.x eq www
>     70 permit tcp any host x.x.x.x eq www
>     80 permit tcp any host x.x.x.x eq 443
>     90 permit icmp any any echo (2 matches)
>     100 permit icmp any any echo-reply
>     110 permit tcp any eq smtp any
>     120 permit tcp any eq pop3 any
>     130 permit tcp host x.x.x.x eq www any
>     140 permit tcp host x.x.x.x eq www any
>     150 permit tcp host x.x.x.x eq www any
>     160 permit tcp host x.x.x.x eq 443 any
>     170 permit tcp any eq domain any
>     180 permit udp any eq domain any
>     190 deny ip any any (429 matches)
> AS5300#
> 
> Many thanks for this workaround.
> 
> Regards,
> 
> Mark Tinka - CCNA
> Network Engineer, Africa Online Uganda

More information about the cisco-nsp mailing list