[[nsp] ACLs on 2948G-L3]

Joshua Sahala joshua.ej.smith at usa.net
Fri May 30 13:26:09 EDT 2003


i have run into something similar on a 7513 (12.2(15)T) - the acl would 
permit/deny random traffic (blocking things that were permitted, allowing
what wasn't) - BUT, if i added a log statment to most (all) of the 
entries, suddenly, it worked.  the counters worked, the entries matched 
the right packets, etc (of course the side effect was that 90%+ of the 
traffic was logged).
i was unable to find a bug report, and my attempted debugs yielded 
nothing, so i ended up taking the acl down (security, what security)

/joshua

Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
> 
> I always knew that the Catalyst 2948G-L3 is a piece of junk, but today we
> had a new and exciting effect: ACLs only work "sometimes".
> 
> I have an ACL, incoming on the Gig50 interface, that has a 
> 
>   deny ip any host <somehost>
> 
> as the very first statement.  NO permit before that.
> 
> The host is on a routed vlan interface (bvi40).
> 
> The deny works for "traceroute", but "ping" or "telnet" *do* get through
> just fine to the machine, as soon as it's in the CEF adjacency cache.  
> Switching off CEF doesn't work ("not supported on this hardware"), of
> course.
> 
> We have now moved the ACL to the other end of the GigE line, but I don't
> want to have it there (due to maintenance reasons, and who has access to
> which part of the infrastructure).
> 
> Now the interesting question: is something "stuck" in the 2948G-L3, and
> chances are good that it will be back to working after a reload, or is
> it a known effect that ACLs just don't work properly?
> 
> IOS is cat2948g-in-mz.120-18.W5.22b.bin (which is the most recent version,
> as far as I know).
> 
> gert
> 
> -- 
> USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
> Gert Doering - Munich, Germany                           gert at greenie.muc.de
> fax: +49-89-35655025                                     gert.doering at physik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

"Walk with me through the Universe,
 And along the way see how all of us are Connected.
 Feast the eyes of your Soul,
 On the Love that abounds.
 In all places at once, seemingly endless,
 Like your own existence."
     - Stephen Hawking -
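The thread's recurring question is whether the ACL is actually catching the traffic it claims to, and both posters fall back on the same evidence: the per-entry match counters. The script below is an added example, not code from either poster or from Cisco; it diffs two `show ip access-lists` captures taken before and after sending known test traffic and reports whether the deny entry counted any of it. It assumes the classic IOS output layout (optional sequence number, action, rule text, optional "(N matches)"); the captures, the ACL number 101 and the address 192.0.2.10 standing in for `<somehost>` are all constructed.

```python
"""Added example (not from the thread): diff two `show ip access-lists` captures
taken before and after sending known test traffic, and report which ACL
entries actually counted it. Assumes the classic IOS output layout
(optional sequence number, action, rule text, optional "(N matches)").
All sample output below is constructed, not captured from a real device."""
import re
from typing import Dict, Tuple

AclKey = Tuple[str, str]  # (access-list name/number, "action rule-text")

ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
ACL_ENTRY = re.compile(
    r"^\s+(?:(\d+)\s+)?(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_acl_counters(text: str) -> Dict[AclKey, int]:
    """Map each ACL entry to its match counter (0 when IOS prints no count)."""
    counters: Dict[AclKey, int] = {}
    acl = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        entry = ACL_ENTRY.match(line)
        if entry and acl is not None:
            _seq, action, rule, matches = entry.groups()
            counters[(acl, f"{action} {rule}")] = int(matches) if matches else 0
    return counters


def entries_that_fired(before: Dict[AclKey, int],
                       after: Dict[AclKey, int]) -> Dict[AclKey, int]:
    """Entries whose counter grew between the two captures, with the delta."""
    return {k: after[k] - before.get(k, 0)
            for k in after if after[k] - before.get(k, 0) > 0}


def deny_enforced(before: str, after: str, acl: str, rule: str) -> bool:
    """True when the named deny entry counted at least one packet of the probe.
    A probe aimed at the denied host that shows up only under a later permit
    entry is the symptom described in the thread."""
    fired = entries_that_fired(parse_acl_counters(before), parse_acl_counters(after))
    return fired.get((acl, f"deny {rule}"), 0) > 0


# Constructed captures; 192.0.2.10 is a documentation address standing in for <somehost>.
BEFORE = """Extended IP access list 101
    deny ip any host 192.0.2.10 (3 matches)
    permit ip any any (1200 matches)
"""
AFTER_HEALTHY = """Extended IP access list 101
    deny ip any host 192.0.2.10 (8 matches)
    permit ip any any (1250 matches)
"""
AFTER_BROKEN = """Extended IP access list 101
    deny ip any host 192.0.2.10 (3 matches)
    permit ip any any (1255 matches)
"""

if __name__ == "__main__":
    for label, after in (("healthy", AFTER_HEALTHY), ("broken", AFTER_BROKEN)):
        ok = deny_enforced(BEFORE, after, "101", "ip any host 192.0.2.10")
        print(f"{label}: deny entry counted the probe -> {ok}")
```

Read the result together with what the target host actually sees: on a platform where the hardware forwarding path can bypass the ACL, as both posts suggest, a deny counter that stays flat while the probe still arrives is the finding, and a counter that moves only after `log` is added tells you the entry was not being evaluated on the fast path before.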
