[nsp] Strange routing and ACL problem

Sam Stickland sam_ml at spacething.org
Sat Nov 22 11:02:07 EST 2003


Hmm.. Did some further digging and found that the ACLs only make it work if
the log statement is next to the networks I'm specifying.

And, IIRC, the log statement will force the packets to be software switched,
rather than hardware?

An IOS bug then?

Sam

----- Original Message -----
From: "Sam Stickland" <sam_ml at spacething.org>
To: "Cisco Nsp" <cisco-nsp at puck.nether.net>
Sent: Saturday, November 22, 2003 3:48 PM
Subject: [nsp] Strange routing and ACL problem


> Hi,
>
> I've got a 6509 connected to a 7206 using a /30 and OSPF. The 7206
> advertises about 5 networks (each in their own VLAN) via OSPF to the 6509.
> The 6509 can reach all of the networks fine.
>
> The 6509 is connected via a different port and VLAN (call it VLAN x) to a
> bunch of other equipment. Everything in VLAN x can only access one of the
> networks from the 7206. Packets to the other networks are just getting
> dropped.
>
> To debug it I placed an ACL on VLAN x on the 6509 and uncovered some very
> strange behaviour.
>
> If I explicitly allow access to one of the networks on the 7206 using an
> ACL on the 6509 the packets are allowed through. If I add an ACL with a
> "permit ip any any", or use no ACL at all it doesn't work. I explicitly have
> to list the source or the destination for it to work.
>
> The network layout is like this:
>
>             /30
>     6509 ------------ 7206
>       |               x.x.a.2/27
> Trunk |               x.x.b.2/24
>       |               x.x.c.2/26
>       |               x.x.d.2/24
>     3550
>       |
>       | VLAN x
>       |
>     Host A
>    x.x.e.1/24
>
> Without any access-list on VLAN x on the 6509 Host A can only ping x.x.a.2
> and x.x.c.2
>
> If I create an ACL like this:
>
> ip access-list extended debug-routing-1
>   permit ip any x.x.b.0 0.0.0.255 log
>   permit ip any any
>
> int VLAN x
>   ip access-group debug-routing-1 in
>
> Then Host A is now able to ping x.x.a.2, x.x.b.2 and x.x.c.2 but not x.x.d.2
>
> If I create an access list that explicitly allows access to x.x.d.0/24 then
> it can. Also, if I create an ACL explicitly allowing access from Host A's
> subnet (x.x.e.0/24) then it can access all the networks on the 7206.
>
> Furthermore, specifying a mask that explicitly covers a range (for example
> permit ip x.y.z.0 0.0.31.255 any for a /19) doesn't work. The sources either
> have to be explicitly
>
> I've also tried static routing the networks rather than using OSPF and
> gotten the same result. Equipment I've tested from (Host A in the diagram)
> has been a 7206, a 2651 and a Linux host. On the Cisco routers (which have
> variously been running OSPF or static routes), the routing and CEF tables
> have been correct, and the OSPF database looks good.
>
> From the networks listed above it looks like it's only affecting /24s, but
> I've tried configuring other networks of different sizes without any luck
> (including /26s and /27s).
>
> The 6509 is running 12.1(20)E native.
>
> Has anyone got any idea what the hell is going on here?
>
> Sam
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
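As an added example (not part of this thread, and not Sam's configuration): a small Python evaluator for the kind of extended ACL shown above. It parses IOS-style ACEs, applies first-match semantics with the implicit deny, implements wildcard-mask matching so you can check what a "0.0.31.255 for a /19" entry actually covers, and flags which ACEs carry the `log` keyword, since those are the entries the reply suspects of changing the forwarding path. The addresses are constructed for the example (10.0.11.0/24 stands in for x.x.b.0/24, 10.0.13.0/24 for x.x.d.0/24, 10.0.20.0/24 for Host A's x.x.e.0/24); the post's real prefixes are not known.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL text in the post's own shape (debug-routing-1), with
# placeholder prefixes standing in for the x.x.b.0/24 network. Not from the post.
ACL_TEXT = """\
ip access-list extended debug-routing-1
  permit ip any 10.0.11.0 0.0.0.255 log
  permit ip any any
"""

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit ints


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "icmp", "tcp", ...
    src: AddrSpec
    dst: AddrSpec
    log: bool        # True if the ACE carries the "log" keyword
    text: str        # original line, for reporting


def wildcard(addr: str, wild: str) -> AddrSpec:
    """Build an (address, wildcard) spec from dotted-quad strings."""
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def _addr_spec(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return wildcard(tokens[i + 1], "0.0.0.0"), i + 2
    return wildcard(tok, tokens[i + 1]), i + 2


def parse_acl(text: str) -> Tuple[Optional[str], List[Ace]]:
    """Parse a named extended ACL. Only the permit/deny ip|proto src dst [log]
    forms used in the thread are supported."""
    name, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        if tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported line: {line}")
        src, i = _addr_spec(tokens, 2)
        dst, i = _addr_spec(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, dst, "log" in tokens[i:], line))
    return name, aces


def wildcard_match(spec: AddrSpec, address: str) -> bool:
    """IOS wildcard semantics: 1 bits are don't-care. Both sides are masked so
    a base address that is not aligned to the wildcard still compares correctly."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (addr & care)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> dict:
    """First-match evaluation with the implicit deny at the end, as IOS does.
    Returns the matching ACE's index and whether it carries 'log'."""
    for idx, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return {"action": ace.action, "index": idx, "log": ace.log, "ace": ace.text}
    return {"action": "deny", "index": None, "log": False, "ace": "implicit deny"}


def logged_aces(aces: List[Ace]) -> List[str]:
    """ACEs with the 'log' keyword: the entries worth removing when testing the
    reply's hypothesis that logging changes how matching packets are forwarded."""
    return [a.text for a in aces if a.log]


if __name__ == "__main__":
    name, aces = parse_acl(ACL_TEXT)
    print(f"ACL {name}: {len(aces)} entries, logged: {logged_aces(aces)}")
    for dst in ("10.0.11.2", "10.0.13.2"):
        print(dst, evaluate(aces, "10.0.20.1", dst, proto="icmp"))
    # The /19 wildcard from the post: 0.0.31.255 covers 10.0.0.0 - 10.0.31.255
    print("/19 covers Host A:", wildcard_match(wildcard("10.0.0.0", "0.0.31.255"), "10.0.20.1"))
```

Running it shows that a ping from Host A to the x.x.b.2 stand-in hits the logged ACE while a ping to the x.x.d.2 stand-in falls through to `permit ip any any`, which is exactly the split the post describes; the evaluator only tells you which entry matched, not what the switch does with the packet afterwards.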


