[nsp] Filter-Id for AS5300

Dennis Peng dpeng at cisco.com
Thu Jul 31 11:06:37 EDT 2003


Oliver Boehmer (oboehmer) [oboehmer at cisco.com] wrote:
> All,
> 
> I was able to reproduce this internally and filed CSCeb79722 to have it
> fixed. It can be reproduced when the user logs in while the ACL does not
> (yet) exist. Subsequent creation of the ACL results in the ACL being
> listed as per-user.
> Tests with 12.3(3) suggest that this problem does not happen when the
> Framed-Filter-Id attribute is used instead to reference the ACL.

12.3(1a) does not have the fix for CSCea30495 (per-user configuration
allows installation of non-existent ACL). This means that if a user
connects and their profile uses Filter-Id to reference a non-existent
ACL, that connection is still allowed to come up. This is wrong and
one side-effect of this is that if the ACL is configured while the
user is connected, it gets marked as per-user and doesn't show up in
the config.

In 12.3(3), this condition couldn't happen with the Filter-Id
attribute since the fix for CSCea30495 is there and the user would not
be able to connect if the ACL is not already defined on the
router. However, as you have seen, the same problem still exists if
you use "interface-config:ip access-group..." syntax, but that is a
less severe problem.

Dennis

> 	oli
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
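As an added illustration of the two ways this thread attaches a per-user ACL (not part of the original posts, and not Cisco documentation; the ACL number 101, the RADIUS server address, the user names and the password placeholders are assumptions), the router-side ACL definition is shown first, because the point of the thread is that the ACL has to exist on the router before a session that references it comes up:

```text
! --- Router side (IOS) ---
! The ACL the RADIUS profile will reference. Define it before any user
! whose profile names it connects. "101" and its entries are assumed.
ip access-list extended 101
 permit tcp any any eq 22
 deny   ip any any log
!
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key SECRET
! 192.0.2.10 and SECRET are placeholders for this illustration.

# --- RADIUS side (FreeRADIUS "users" file style) ---
# Way 1: Filter-Id carries the ACL name plus a direction suffix (.in/.out).
# In 12.3(3), per the thread, this form is rejected if ACL 101 is missing.
user1  Cleartext-Password := "PLACEHOLDER"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,
       Filter-Id = "101.in"

# Way 2: the vendor-specific interface-config form the thread discusses.
# Per the thread, the missing-ACL check does not apply to this form.
user2  Cleartext-Password := "PLACEHOLDER"
       Service-Type = Framed-User,
       Framed-Protocol = PPP,
       Cisco-AVPair = "lcp:interface-config=ip access-group 101 in"
```

The quick test the thread implies: after a user connects, the ACL should appear both in `show ip access-lists` and in `show running-config`. An ACL that was created while such a session was already up, and that is then absent from the running configuration, is the per-user marking described above.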

