[nsp] ACLs on 2948G-L3

Gert Doering gert at greenie.muc.de
Fri May 30 19:12:04 EDT 2003


Hi,

I always knew that the Catalyst 2948G-L3 is a piece of junk, but today we
had a new and exciting effect: ACLs only work "sometimes".

I have an ACL, incoming on the Gig50 interface, that has a 

  deny ip any host <somehost>

as the very first statement.  NO permit before that.

The host is on a routed vlan interface (bvi40).

The deny works for "traceroute", but "ping" or "telnet" *do* get through
just fine to the machine, as soon as it's in the CEF adjacency cache.  
Switching off CEF doesn't work ("not supported on this hardware"), of
course.

We have now moved the ACL to the other end of the GigE line, but I don't
want to have it there (due to maintenance reasons, and who has access to
which part of the infrastructure).

Now the interesting question: is something "stuck" in the 2948G-L3, and
chances are good that it will be back to working after a reload, or is
it a known effect that ACLs just don't work properly?

IOS is cat2948g-in-mz.120-18.W5.22b.bin (which is the most recent version,
as far as I know).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
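The configuration described in the post, as an added example (not part of Gert's message and not taken from the 2948G-L3 itself). It shows the ACL with the deny as the first entry, applied inbound on Gig50, followed by the checks a practitioner would run to tell whether the ACL is actually being evaluated for CEF-switched traffic. The interface names follow the post; the blocked host 192.0.2.10, the ACL number 101 and the platform's support for the adjacency commands are assumptions.

```ios
! Added example, not from the original post.
! Assumed: blocked host 192.0.2.10, ACL number 101.
!
! The deny is the very first statement, with no permit before it,
! exactly as the post describes.
access-list 101 deny   ip any host 192.0.2.10
access-list 101 permit ip any any
!
! Applied inbound on the GigE uplink; the host itself sits behind the
! routed VLAN interface (bvi40).
interface GigabitEthernet50
 ip access-group 101 in
!
! --- Checks (exec mode) ---
!
! 1. Hit counters. Ping the host from behind Gig50 and watch the deny
!    line. If the counter stays flat while the host still answers, the
!    packets reached it on a path that never consulted the ACL.
show access-lists 101
!
! 2. Is the host already in the CEF adjacency cache? The post says the
!    ACL stops working as soon as it is.
show ip cef 192.0.2.10 detail
show adjacency detail
!
! 3. Flush the adjacency and repeat step 1. If the first ping after the
!    flush is denied and later ones get through, the behaviour is tied to
!    the cached adjacency rather than to the ACL text. (Whether this
!    platform honours "clear adjacency" is an assumption; the post only
!    reports that "no ip cef" is rejected as unsupported.)
clear adjacency
```

Reading the counters before and after the adjacency flush is what separates "the ACL is wrong" from "the hardware forwarding path is skipping the ACL for cached destinations", which is the distinction the post is asking about.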


More information about the cisco-nsp mailing list