[[nsp] ACLs on 2948G-L3]
Dmitri Kalintsev
dek at hades.uz
Mon Jun 2 10:02:29 EDT 2003
This looks like the old problem there was with netflow enabled (if you have
netflow enabled on the interface and change/apply an access list to it, the
packets belonging to the active flows will get through until the flows expire).
I don't have a bugid, sorry.
On Fri, May 30, 2003 at 12:26:09PM -0400, Joshua Sahala wrote:
> i have run into something similar on a 7513 (12.2(15)T) - the acl would
> permit/deny random traffic (blocking things that were permitted, allowing
> what wasn't) - BUT, if i added a log statment to most (all) of the
> entries, suddenly, it worked. the counters worked, the entries matched
> the right packets, etc (of course the side effect was that 90%+ of the
> traffic was logged). i was unable to find a bug report, and my attempted
> debugs yielded nothing, so i ended up taking the acl down (security, what
> security)
>
> /joshua
>
> Gert Doering <gert at greenie.muc.de> wrote:
> > Hi,
> >
> > I always knew that the Catalyst 2948G-L3 is a piece of junk, but today we
> > had a new and exciting effect: ACLs only work "sometimes".
> >
> > I have an ACL, incoming on the Gig50 interface, that has a
> >
> > deny ip any host <somehost>
> >
> > as the very first statement. NO permit before that.
> >
> > The host is on a routed vlan interface (bvi40).
> >
> > The deny works for "traceroute", but "ping" or "telnet" *do* get through
> > just fine to the machine, as soon as it's in the CEF adjacency cache.
> > Switching off CEF doesn't work ("not supported on this hardware"), of
> > course.
> >
> > We have now moved the ACL to the other end of the GigE line, but I don't
> > want to have it there (due to maintenance reasons, and who has access to
> > which part of the infrastructure).
> >
> > Now the interesting question: is something "stuck" in the 2948G-L3, and
> > chances are good that it will be back to working after a reload, or is
> > it a known effect that ACLs just don't work properly?
> >
> > IOS is cat2948g-in-mz.120-18.W5.22b.bin (which is the most recent version,
> > as far as I know).
> >
> > gert
> >
> > --
> > USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
> > Gert Doering - Munich, Germany                   gert at greenie.muc.de
> > fax: +49-89-35655025                  gert.doering at physik.tu-muenchen.de
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
>
> "Walk with me through the Universe,
> And along the way see how all of us are Connected.
> Feast the eyes of your Soul,
> On the Love that abounds.
> In all places at once, seemingly endless,
> Like your own existence."
> - Stephen Hawking -
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
---end quoted text---
--
D.K.
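The mechanism described in this thread (an ACL that is consulted only for new flows, so packets of a flow that was cached while the old ACL was in force keep passing until the flow times out) is easy to see in a small model. The following is an added example written for this archive page; it is not code from the thread, from Cisco IOS or from any netflow implementation. The addresses, ports and the 30-second inactive timeout are constructed values, and the assumption that the forwarding path caches a per-flow verdict and refreshes the entry while traffic keeps arriving is a simplification of the behaviour Dmitri and Gert describe, not a statement about how the 2948G-L3 actually works. The second variant shows the obvious mitigation a designer would want: flush the flow cache whenever the ACL on that interface changes.

```python
"""Toy model of ACL enforcement behind a flow cache.

Constructed example: a forwarding path that caches the ACL verdict per flow.
While a flow is active the ACL is not consulted again, so an ACL applied or
tightened mid-flow has no effect until the cache entry idles out. Brand-new
flows (such as traceroute probes with fresh UDP ports) miss the cache and are
filtered correctly, which is exactly the asymmetry reported in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (src address, dst address, protocol, destination port)
FlowKey = Tuple[str, str, str, int]


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol, otherwise "tcp"/"udp"/"icmp"
    src: str     # address or "any"
    dst: str     # address or "any"

    def matches(self, pkt: FlowKey) -> bool:
        src, dst, proto, _ = pkt
        return ((self.proto == "ip" or self.proto == proto)
                and (self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst))


def acl_lookup(acl: List[AclEntry], pkt: FlowKey) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


@dataclass
class Forwarder:
    acl: List[AclEntry]
    flush_on_acl_change: bool   # the mitigation: invalidate cache on ACL change
    flow_timeout: int = 30      # constructed inactive timeout, in seconds
    now: int = 0
    # flow key -> (cached verdict, expiry time)
    cache: Dict[FlowKey, Tuple[str, int]] = field(default_factory=dict)

    def forward(self, pkt: FlowKey) -> str:
        entry = self.cache.get(pkt)
        if entry is not None and entry[1] > self.now:
            verdict = entry[0]                 # cache hit: ACL is NOT consulted
        else:
            verdict = acl_lookup(self.acl, pkt)  # cache miss: evaluate the ACL
        # Ongoing traffic keeps the entry alive, so a busy flow never expires.
        self.cache[pkt] = (verdict, self.now + self.flow_timeout)
        return verdict

    def apply_acl(self, acl: List[AclEntry]) -> None:
        self.acl = acl
        if self.flush_on_acl_change:
            self.cache.clear()                 # force every flow back through the ACL

    def tick(self, seconds: int) -> None:
        self.now += seconds


def scenario(flush_on_acl_change: bool) -> Dict[str, str]:
    """Replay the thread's situation: a session is up, then a deny is applied."""
    host = "10.0.40.10"                       # constructed stand-in for <somehost>
    telnet = ("192.0.2.5", host, "tcp", 23)    # long-lived session, already flowing
    probe = ("192.0.2.5", host, "udp", 33435)  # traceroute probe: a brand-new flow

    fw = Forwarder(acl=[AclEntry("permit", "ip", "any", "any")],
                   flush_on_acl_change=flush_on_acl_change)
    before = fw.forward(telnet)                # session established while permitted

    # Operator now applies "deny ip any host <somehost>" as the first entry.
    fw.apply_acl([AclEntry("deny", "ip", "any", host),
                  AclEntry("permit", "ip", "any", "any")])
    fw.tick(5)
    during = fw.forward(telnet)                # active flow: bypasses the ACL unless flushed
    traceroute = fw.forward(probe)             # new flow: ACL is consulted, denied

    fw.tick(fw.flow_timeout + 1)               # let the telnet flow idle out
    after = fw.forward(telnet)
    return {"before": before, "telnet_while_active": during,
            "traceroute_probe": traceroute, "telnet_after_expiry": after}


if __name__ == "__main__":
    print("no flush:  ", scenario(flush_on_acl_change=False))
    print("with flush:", scenario(flush_on_acl_change=True))
```

Without the flush, the result is the pattern from the thread: the established telnet session keeps passing after the deny is applied, the traceroute probe is denied immediately, and the telnet flow is only denied once it has gone idle past the timeout. With the flush, the deny takes effect on the very next packet. The practical check this suggests for an operator is to verify a newly applied ACL against an already-established session, not only against fresh connections.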