[nsp] policy-map acl leaking?
Tomas Daniska
tomas at tronet.com
Mon Jul 7 11:46:10 EDT 2003
hey there,
I'm using nbar for preventing some http attacks (some match protocol,
set dscp 1 and a policy route-map on the interface matching this dscp
and forwarding to null0)
kind of
!
policy-map mark-hacks
class <whatever>
set ip dscp 1
!
route-map Inet-in permit 10
match ip address dscp1
set interface Null0
!
interface FastEthernet0/0.104
service-policy input mark-hacks
ip policy route-map Inet-in
!
now with acl dscp1 of
gw#sh ip access-lists dscp1
Extended IP access list dscp1
10 permit ip any any dscp 1 (xxxx matches)
gw#
everything works nicely and traffic is null-routed unless I start logging
within the acl:
gw#sh ip access-lists dscp1
Extended IP access list dscp1
10 permit ip any any dscp 1 log-input (xxxx matches)
gw#
the router logs as it should
.Jul 7 10:35:45.498 METDST: %SEC-6-IPACCESSLOGP: list dscp1 permitted
tcp X.X.X.X(0) (FastEthernet0/0.104 ) -> Y.Y.Y.Y(0), 1 packet
but the traffic now safely reaches the server.
the box is a 3660 at 12.3(1a), running cef + netflow
am I wrong or do I have to file a bug again?
--
Tomas Daniska
systems engineer
Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199
A transistor protected by a fast-acting fuse will protect the fuse by
blowing first.
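The post reports that the null-route stops taking effect as soon as `log-input` is added to the ACL the route-map matches on. As an added example (not from the post or from Cisco), here is a small Python audit that flags route-map entries whose `match ip address` ACL carries `log` or `log-input`, so the combination can be caught in a config review before it silently lets traffic through. It assumes the usual IOS text layout for `ip access-list`, `show ip access-lists` and `route-map` blocks, and runs on a constructed config fragment modelled on the one above.

```python
import re
# Constructed IOS config fragment modelled on the post; not the poster's real config.
SAMPLE_CONFIG = """\
ip access-list extended dscp1
 permit ip any any dscp 1 log-input
ip access-list extended dscp2
 permit ip any any dscp 2
route-map Inet-in permit 10
 match ip address dscp1
 set interface Null0
route-map Inet-in permit 20
 match ip address dscp2
 set interface Null0
"""

LOG_KW = re.compile(r"\blog(?:-input)?\b")
# Header of a named ACL, in running-config or 'show ip access-lists' form.
ACL_HDR = re.compile(r"(?:ip access-list (?:standard|extended)|(?:Standard|Extended) IP access list) (\S+)")

def logged_acls(config):
    """Names of ACLs with at least one entry carrying log or log-input."""
    logged, current = set(), None
    for line in config.splitlines():
        if line.startswith((" ", "\t")):          # entry belonging to the current ACL
            if current and LOG_KW.search(line):
                logged.add(current)
        else:                                     # top-level line: new ACL header or not
            m = ACL_HDR.match(line)
            current = m.group(1) if m else None
    return logged

def pbr_acl_refs(config):
    """Map each (route-map, seq) to the ACL names in its 'match ip address' lines."""
    refs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            refs.setdefault(current, [])
        elif not line.startswith((" ", "\t")):
            current = None
        elif current and (m := re.match(r"\s+match ip address (.+)", line)):
            refs[current].extend(m.group(1).split())
    return refs

def audit(config):
    """(route-map, seq, acl) triples where a PBR match ACL is logged."""
    logged = logged_acls(config)
    return sorted((rm, seq, acl) for (rm, seq), acls in pbr_acl_refs(config).items()
                  for acl in acls if acl in logged)
```

`audit(SAMPLE_CONFIG)` returns `[("Inet-in", 10, "dscp1")]`: sequence 10 matches the logged ACL and is flagged, sequence 20 (plain `dscp2`) is not.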