[nsp] ACL leakage?

Keith McCallion keith at mccallion.com
Wed Nov 26 16:51:03 EST 2003


Late last week we started to notice unusual traffic on the public side of
our network. We saw packets come in that should have been filtered by our
perimeter access list. All external interfaces had the access list applied
correctly, so we started to do some testing from the outside and
discovered that one of our transit interfaces was occasionally letting
packets in without applying the ACL.

We opened a case with Cisco, and their response was that they had heard of
this problem once before but had not been able to duplicate it in their lab.
It cropped up immediately after the last reboot of the router, and went
away as soon as the access list was reapplied to the interface. This was
on a GSR, Engine 1 Gig interface.

Consider this a heads up and yet another justification for IDS.

If you've seen the same issue, I'd appreciate hearing from you so we can
hopefully learn something from each other's problems.


--
Keith McCallion
Sr. Network Engineer
United Online (NetZero/Juno/BlueLight Internet)


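The failure described in the post is one that a configuration audit cannot catch: the access list was applied on the interface, yet traffic that it should have dropped still arrived inside. The only way to notice it is to compare what was actually observed behind the perimeter against what the ACL says should be possible, which is the "justification for IDS" the post refers to. The following is an added example, not code from the post or from Cisco; it parses a small, constructed perimeter ACL written in a simplified subset of IOS extended-ACL syntax (permit/deny, any/host/wildcard addresses, an optional "eq port"), evaluates it first-match-wins with IOS's implicit trailing deny, and flags any observed flow that the ACL should have blocked. The addresses, ports and flow records are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF

# Constructed sample: a simplified perimeter ACL (IOS extended-ACL subset).
PERIMETER_ACL = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny tcp any host 203.0.113.10 eq 23
permit tcp any host 203.0.113.10 eq 80
permit tcp any host 203.0.113.10 eq 443
deny ip any any
"""

# Constructed sample: flows observed inside the perimeter as (src, dst, proto, dport).
OBSERVED_FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 443),  # legitimately permitted
    ("10.1.2.3", "203.0.113.10", "tcp", 443),      # RFC1918 source, should never arrive
    ("198.51.100.9", "203.0.113.10", "tcp", 23),   # explicitly denied port
    ("198.51.100.9", "203.0.113.10", "udp", 53),   # no permit entry, implicit deny
]


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp", "udp", ...
    src: tuple             # (address as int, wildcard mask as int)
    dst: tuple
    dport: Optional[int]   # destination port from "eq N", or None


def _parse_addr(tokens, i):
    """Consume an IOS address spec (any / host X / X WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (0, MASK32), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text):
    """Turn ACL text into an ordered list of access-control entries."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[0], t[1], src, dst, dport))
    return aces


def _addr_matches(spec, ip):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    addr, wild = spec
    care = ~wild & MASK32
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(aces, src, dst, proto, dport):
    """First matching entry wins; an ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not _addr_matches(ace.src, src) or not _addr_matches(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def find_leaks(aces, flows):
    """Flows seen inside the perimeter that the ACL should have dropped."""
    return [f for f in flows if evaluate(aces, *f) == "deny"]


if __name__ == "__main__":
    acl = parse_acl(PERIMETER_ACL)
    for flow in find_leaks(acl, OBSERVED_FLOWS):
        print("ACL leak suspected:", flow)
```

In practice the flow records would come from NetFlow or an IDS sensor on the inside of the transit interface, and any non-empty result is worth alerting on: either the ACL is not being enforced, as in the post, or the observed traffic is entering by a path the ACL was never meant to cover.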