[nsp] policy-map acl leaking?
Marc Xander Makkes
xander at kr85.org.org
Mon Jul 7 18:18:25 EDT 2003
On Mon, Jul 07, 2003 at 10:46:10AM +0200, Tomas Daniska wrote:
> hey there,
>
>
> I'm using NBAR for preventing some HTTP attacks (some match protocol,
> set dscp 1, and a policy route-map on the interface matching this DSCP
> and forwarding to Null0)
>
> Kind of:
>
> !
> policy-map mark-hacks
> class <whatever>
> set ip dscp 1
> !
> route-map Inet-in permit 10
> match ip address dscp1
> set interface Null0
> !
> interface FastEthernet0/0.104
> service-policy input mark-hacks
> ip policy route-map Inet-in
> !
>
>
> Now, with ACL dscp1 of
>
> gw#sh ip access-lists dscp1
> Extended IP access list dscp1
> 10 permit ip any any dscp 1 (xxxx matches)
> gw#
>
> everything works nicely and traffic is null-routed, unless I start logging
> within the ACL:
>
> gw#sh ip access-lists dscp1
> Extended IP access list dscp1
> 10 permit ip any any dscp 1 log-input (xxxx matches)
> gw#
>
> The router logs as it should:
> .Jul 7 10:35:45.498 METDST: %SEC-6-IPACCESSLOGP: list dscp1 permitted
> tcp X.X.X.X(0) (FastEthernet0/0.104 ) -> Y.Y.Y.Y(0), 1 packet
>
>
> But the traffic now safely reaches the server.
>
>
> The box is a 3660 at 12.3(1a), running CEF + NetFlow.
>
>
>
> Am I wrong, or do I have to file a bug again?
Guess what :-) The bug farm at Cisco is getting bigger and bigger by the day...
Yours,
-Marc
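The combination reported above (a PBR route-map whose match ACL also carries `log-input`) is something a practitioner would want to find in a config before relying on the null-route. What follows is an added example, not code from this thread or from Cisco: a small Python audit that walks an IOS-style running config, ties each interface's `ip policy route-map` to the `match ip address` ACLs of that route-map, and flags any such ACL that has `log` or `log-input` on an entry. The embedded config is constructed to mirror the poster's fragment; the class name `http-hacks` and the named-ACL form are assumptions. The script only reports that the combination is present; it makes no claim about what the router does with those packets.

```python
"""Audit an IOS-style config for PBR route-maps whose match ACL logs.

Added example for this cisco-nsp thread, not from the original post.
The sample config below is constructed to mirror the poster's fragment.
"""
from collections import defaultdict

# Constructed sample config (class name and named-ACL form are assumptions).
SAMPLE_CONFIG = """\
!
ip access-list extended dscp1
 permit ip any any dscp 1 log-input
!
policy-map mark-hacks
 class http-hacks
  set ip dscp 1
!
route-map Inet-in permit 10
 match ip address dscp1
 set interface Null0
!
interface FastEthernet0/0.104
 service-policy input mark-hacks
 ip policy route-map Inet-in
!
"""


def _acl_entry_logs(tokens):
    """True if an ACE carries 'log' or 'log-input' (remarks are ignored)."""
    if 'remark' in tokens[:2]:
        return False
    return 'log' in tokens or 'log-input' in tokens


def parse_config(text):
    """Return (policy_ifaces, routemap_acls, logged_acls).

    policy_ifaces: {interface: route-map name applied with 'ip policy'}
    routemap_acls: {route-map name: set of ACL names it matches on}
    logged_acls:   set of ACL names with at least one logging entry
    """
    policy_ifaces = {}
    routemap_acls = defaultdict(set)
    logged_acls = set()
    section = None  # ('interface'|'route-map'|'acl', name) or None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('!'):
            continue
        tokens = line.split()
        if not line.startswith(' '):
            # A top-level statement opens (or ends) a section.
            section = None
            if tokens[0] == 'interface' and len(tokens) > 1:
                section = ('interface', tokens[1])
            elif tokens[0] == 'route-map' and len(tokens) > 1:
                section = ('route-map', tokens[1])
            elif tokens[:2] == ['ip', 'access-list'] and len(tokens) > 3:
                section = ('acl', tokens[3])
            elif tokens[0] == 'access-list' and len(tokens) > 1:
                # Numbered ACL: each ACE is its own top-level line.
                if _acl_entry_logs(tokens[2:]):
                    logged_acls.add(tokens[1])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == 'interface' and tokens[:3] == ['ip', 'policy', 'route-map'] and len(tokens) > 3:
            policy_ifaces[name] = tokens[3]
        elif kind == 'route-map' and tokens[:3] == ['match', 'ip', 'address']:
            # 'match ip address A B' may list several ACLs; skip prefix-list form.
            if tokens[3:4] != ['prefix-list']:
                routemap_acls[name].update(tokens[3:])
        elif kind == 'acl' and _acl_entry_logs(tokens):
            logged_acls.add(name)
    return policy_ifaces, dict(routemap_acls), logged_acls


def find_leaky_pbr(text):
    """List (interface, route-map, acl) triples where a PBR match ACL logs."""
    policy_ifaces, routemap_acls, logged_acls = parse_config(text)
    findings = []
    for iface, rmap in sorted(policy_ifaces.items()):
        for acl in sorted(routemap_acls.get(rmap, ())):
            if acl in logged_acls:
                findings.append((iface, rmap, acl))
    return findings


if __name__ == '__main__':
    for iface, rmap, acl in find_leaky_pbr(SAMPLE_CONFIG):
        print(f"{iface}: route-map {rmap} matches ACL {acl}, which has log/log-input")
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file's contents; removing `log-input` from the ACE makes the finding disappear, which is the state the poster reports as working.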