[[nsp] ACLs on 2948G-L3]

Mark Boolootian booloo at ucsc.edu
Fri May 30 10:54:46 EDT 2003


> i have run into something similar on a 7513 (12.2(15)T) - the acl would 
> permit/deny random traffic (blocking things that were permitted, allowing
> what wasn't) - BUT, if i added a log statement to most (all) of the 
> entries, suddenly, it worked.  the counters worked, the entries matched 
> the right packets, etc (of course the side effect was that 90%+ of the 
> traffic was logged).
> i was unable to find a bug report, and my attempted debugs yielded 
> nothing, so i ended up taking the acl down (security, what security)


Here's something I posted last October:

Date: Fri, 11 Oct 2002 10:55:21 -0700
From: Mark Boolootian <booloo>
To: cisco-nsp at puck.nether.net
Subject: ACL leakage on VIP4

  
Folks,
  
Last week we discovered that traffic was leaking past our ACLs on our
campus entrance router.  The leakage occurred on our 7507 for traffic
flowing through a VIP4-80 (OC-12 PA) linecard using named access lists.
We're running 12.0(19)S2.
  
The simple act of removing the named access list and reapplying it halted 
the leakage, and it has not (yet) reoccurred.  Cisco acknowledged a
previous report of this problem, which has a bugid:  CSCdw75195
  
The bug report suggests the combination of VIP, named access lists, and
distributed CEF may be a factor.  Of possible note is that when logged
into the VIP, running 'show access-list' returns all the standard and
extended access lists, but doesn't show any of the named access lists.
We are using compiled access lists.  Still waiting to hear from Cisco on
the significance of this.
  
Has anyone else seen this?
  
mb
---
Mark Boolootian
UC Santa Cruz

