[nsp] Strange routing and ACL problem

Sam Stickland sam_ml at spacething.org
Sat Nov 22 11:02:07 EST 2003

Hmm.. Did some further digging and found that the ACLs only make it work if
the log statement is next to the networks I'm specifying.

And, IIRC, the log statement will force the packets to be software switched,
rather than hardware?

An IOS bug then?


----- Original Message -----
From: "Sam Stickland" <sam_ml at spacething.org>
To: "Cisco Nsp" <cisco-nsp at puck.nether.net>
Sent: Saturday, November 22, 2003 3:48 PM
Subject: [nsp] Strange routing and ACL problem

> Hi,
> I've got a 6509 connected to a 7206 using a /30 and OSPF. The 7206
> advertises about 5 networks (each in their own VLAN) via OSPF to the 6509.
> The 6509 can reach all of the networks fine.
> The 6509 is connected via a different port and VLAN (call it VLAN x) to a
> bunch of other equipment. Everything in VLAN x can only access one of the
> networks from the 7206. Packets to the other networks are just getting
> dropped.
> To debug it I placed an ACL on VLAN x on the 6509 and uncovered some very
> strange behaviour.
> If I explicitly allow access to one of the networks on the 7206 using an
> ACL on the 6509 the packets are allowed through. If I add an ACL with a
> "permit ip any any", or use no ACL at all it doesn't work. I explicitly have
> to list the source or the destination for it to work.
> The network layout is like this:
>             /30
>     6509 ------------ 7206
>       |               x.x.a.2/27
> Trunk |               x.x.b.2/24
>       |               x.x.c.2/26
>       |               x.x.d.2/24
>     3550
>       |
>       | VLAN x
>       |
>     Host A
>    x.x.e.1/24
> Without any access-list on VLAN x on the 6509 Host A can only ping x.x.a.2
> and x.x.c.2
> If I create an ACL like this:
> ip access-list extended debug-routing-1
>   permit ip any x.x.b.0 0.0.0.255 log
>   permit ip any any
> int VLAN x
>   ip access-group debug-routing-1 in
> Then Host A is now able to ping x.x.a.2, x.x.b.2 and x.x.c.2 but not
> If I create an access list that explicitly allows access to x.x.d.0/24 then
> it can. Also, if I create an ACL explicitly allowing access from Host A's
> subnet (x.x.e.0/24) then it can access all the networks on the 7206.
> Furthermore, specifying a mask that explicitly covers a range (for example
> permit ip x.y.z.0 any for a /19) doesn't work. The sources
> have to be explicitly
> I've also tried static routing the networks rather than using OSPF and
> gotten the same result. Equipment I've tested from (Host A in the
> have been a 7206, a 2651 and a linux host. On the cisco routers (which
> variously been running OSPF or static routes), the routing and CEF tables
> have been correct, and the OSPF database looks good.
> From the networks listed above it looks like it's only affecting /24s,
> I've tried configuring other networks of different sizes without any luck
> (including /26s and /27s).
> The 6509 is running 12.1(20)E native.
> Has anyone got any idea what the hell is going on here?
> Sam
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
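The ACL debugging in the thread hinges on which entry a flow hits and whether that entry carries the `log` keyword (which, as the follow-up recalls, pushes matching traffic off the hardware path). The script below is an added example, not something from the post or from Cisco; it parses an IOS-style extended ACL, finds the first matching entry for a source/destination pair, and lists the entries that would be logged. The ACL text and the RFC 5737 documentation addresses are constructed stand-ins for the masked x.x.b.0-style prefixes in the post, and the wildcard mask on the logged entry is assumed to be 0.0.0.255.

```python
import ipaddress
import re

# Constructed config modelled on the ACL in the post. The poster masked the
# real prefixes (x.x.b.0 etc.), so documentation addresses stand in for them,
# and the wildcard mask 0.0.0.255 is an assumption.
ACL_TEXT = """\
ip access-list extended debug-routing-1
  permit ip any 192.0.2.0 0.0.0.255 log
  permit ip any any
"""

# One extended ACE: permit|deny ip <src> <dst> [log|log-input]
ACE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+ip\s+(?P<src>any|host \S+|\S+ \S+)"
    r"\s+(?P<dst>any|host \S+|\S+ \S+)(?P<log>\s+log(?:-input)?)?\s*$"
)


def _to_network(spec):
    """Turn an IOS address spec (any / host A / A wildcard) into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # IOS wildcard masks are inverted netmasks; only contiguous masks are
    # supported here, ip_network raises ValueError on a non-contiguous one.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl(text):
    """Parse an 'ip access-list extended' block into (name, ordered list of ACEs)."""
    name, aces = None, []
    for line in text.splitlines():
        header = re.match(r"^\s*ip access-list extended (\S+)", line)
        if header:
            name = header.group(1)
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({
                "action": m.group("action"),
                "src": _to_network(m.group("src")),
                "dst": _to_network(m.group("dst")),
                "log": m.group("log") is not None,
                "text": line.strip(),
            })
    return name, aces


def first_match(aces, src_ip, dst_ip):
    """Return the first ACE matching the flow, or None for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace["src"] and d in ace["dst"]:
            return ace
    return None


def logged_entries(aces):
    """ACEs carrying the log keyword, i.e. the ones whose traffic is not
    handled purely in hardware according to the follow-up in the thread."""
    return [ace for ace in aces if ace["log"]]


def flow_is_logged(aces, src_ip, dst_ip):
    """True when the entry that permits or denies this flow has the log keyword."""
    ace = first_match(aces, src_ip, dst_ip)
    return ace is not None and ace["log"]


if __name__ == "__main__":
    name, aces = parse_acl(ACL_TEXT)
    print(f"{name}: {len(aces)} entries, {len(logged_entries(aces))} logged")
    for dst in ("192.0.2.2", "203.0.113.2"):
        hit = first_match(aces, "198.51.100.1", dst)
        print(f"198.51.100.1 -> {dst}: {hit['text']} (logged={hit['log']})")
```

Running it shows that a flow to the 192.0.2.0/24 network hits the logged entry while a flow to any other destination falls through to the plain `permit ip any any`, which is the distinction the poster was probing with the debug-routing-1 list.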
