[nsp] Strange routing and ACL problem

Sam Stickland sam_ml at spacething.org
Sat Nov 22 10:48:14 EST 2003


Hi,

I've got a 6509 connected to a 7206 using a /30 and OSPF. The 7206
advertises about 5 networks (each in their own VLAN) via OSPF to the 6509.
The 6509 can reach all of the networks fine.

The 6509 is connected via a different port and VLAN (call it VLAN x) to a
bunch of other equipment. Everything in VLAN x can only access one of the
networks from the 7206. Packets to the other networks are just getting
dropped.

To debug it I placed an ACL on VLAN x on the 6509 and uncovered some very
strange behaviour.

If I explicitly allow access to one of the networks on the 7206 using an
ACL on the 6509 the packets are allowed through. If I add an ACL with a
"permit ip any any", or use no ACL at all, it doesn't work. I explicitly have
to list the source or the destination for it to work.

The network layout is like this:

            /30
    6509 ------------ 7206
      |               x.x.a.2/27
Trunk |               x.x.b.2/24
      |               x.x.c.2/26
      |               x.x.d.2/24
    3550
      |
      | VLAN x
      |
    Host A
   x.x.e.1/24

Without any access-list on VLAN x on the 6509 Host A can only ping x.x.a.2
and x.x.c.2.

If I create an ACL like this:

ip access-list extended debug-routing-1
  permit ip any x.x.b.0 0.0.0.255 log
  permit ip any any

int VLAN x
  ip access-group debug-routing-1 in

Then Host A is now able to ping x.x.a.2, x.x.b.2 and x.x.c.2 but not x.x.d.2.

If I create an access list that explicitly allows access to x.x.d.0/24 then
it can. Also, if I create an ACL explicitly allowing access from Host A's
subnet (x.x.e.0/24) then it can access all the networks on the 7206.

Furthermore, specifying a mask that explicitly covers a range (for example
permit ip x.y.z.0 0.0.31.255 any for a /19) doesn't work. The sources either
have to be explicitly

I've also tried static routing the networks rather than using OSPF and
gotten the same result. Equipment I've tested from (Host A in the diagram)
has been a 7206, a 2651 and a Linux host. On the Cisco routers (which have
variously been running OSPF or static routes), the routing and CEF tables
have been correct, and the OSPF database looks good.

From the networks listed above it looks like it's only affecting /24s, but
I've tried configuring other networks of different sizes without any luck
(including /26s and /27s).

The 6509 is running 12.1(20)E native.

Has anyone got any idea what the hell is going on here?

Sam