[c-nsp] "dynamic" access-list

Ueli Heuer papierkuebel at gmail.com
Thu Jun 9 17:51:04 EDT 2005


Hi all,

I have just seen something very strange:

On two 7304 NPE-G100 I configured an access-list:

ip access-list extended DSLAMs
  permit tcp a.b.c.0 0.0.0.255 any eq telnet
  permit tcp a.b.c.0 0.0.0.255 any eq www
  permit udp a.b.c.0 0.0.0.255 any eq snmp
  permit icmp a.b.c.0 0.0.0.255 any
 
and applied it to an interface

interface GigabitEthernet0.18
 encapsulation dot1Q 18
  ip address x.y.z.3 255.255.255.224
  ip access-group DSLAMs out
  no ip redirects 
  no ip proxy-arp
  ip mtu 1500
  ip flow ingress
  standby 2 ip x.y.z.1
 standby 2 authentication md5 key-string <removed>
 
The same thing I configured on the second 7304.

Now I tried to ping the hosts from a 'wrong' IP address, to check if the access
list is working. I could not believe it: the pings were replied to!

So I went back and saw the following access-list on the router:

ip access-list extended DSLAMs
  permit tcp a.b.c.0 0.0.0.255 any eq telnet
  permit tcp a.b.c.0 0.0.0.255 any eq www
  permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.3 eq snmp
  permit icmp a.b.c.0 0.0.0.255 any

and some time later

ip access-list extended DSLAMs
  permit tcp a.b.c.0 0.0.0.255 any eq telnet
  permit tcp a.b.c.0 0.0.0.255 any eq www
  permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.7 eq snmp
  permit icmp a.b.c.0 0.0.0.255 any

and some time later

ip access-list extended DSLAMs
  permit tcp a.b.c.0 0.0.0.255 any eq telnet
  permit tcp a.b.c.0 0.0.0.255 any eq www
  permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.15 eq snmp
  permit icmp a.b.c.0 0.0.0.255 host 0.0.0.0
 
strange, isn't it?


The second router has exactly the same hardware and software; the only
difference is of course the IP address of the interface.

The IOS I run is
Cisco IOS Software, 7300 Software (C7300-K91P-M), Version 12.2(25)S3,
RELEASE SOFTWARE (fc1)

Did someone else see such strange things?
Could I do something else than upgrade to Version 12.2(25)S4? (Well,
I have rewritten the extended list as a standard list; this version is
now 'static' but not as specific as the extended access-list.)

Kind regards 
  Ueli
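As an added illustration that is not part of the original post: a small Python check that parses an IOS extended access-list in the form shown above and compares what the router currently reports against the version that was configured, so that entries rewritten behind the operator's back (here the destination of the snmp and icmp lines) are flagged by a backup or audit job instead of being noticed only when a ping unexpectedly succeeds. The ACL text embedded below is copied from the message (with its a.b.c.0 placeholder address); the function and class names are my own and assume the ACL is fed in as plain "show running-config" style text.

```python
"""Detect drift between the intended IOS access-list and what the router reports."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Intended ACL, as configured (copied from the post).
INTENDED = """\
ip access-list extended DSLAMs
  permit tcp a.b.c.0 0.0.0.255 any eq telnet
  permit tcp a.b.c.0 0.0.0.255 any eq www
  permit udp a.b.c.0 0.0.0.255 any eq snmp
  permit icmp a.b.c.0 0.0.0.255 any
"""

# Last version the router showed (copied from the post).
OBSERVED = """\
ip access-list extended DSLAMs
  permit tcp a.b.c.0 0.0.0.255 any eq telnet
  permit tcp a.b.c.0 0.0.0.255 any eq www
  permit udp a.b.c.0 0.0.0.255 0.0.0.0 0.0.0.15 eq snmp
  permit icmp a.b.c.0 0.0.0.255 host 0.0.0.0
"""


@dataclass(frozen=True)
class Ace:
    """One access-control entry, with addresses normalised to 'addr/wildcard'."""
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[str]


def _addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one IOS address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"{tokens[i + 1]}/0.0.0.0", i + 2
    return f"{tok}/{tokens[i + 1]}", i + 2


def parse_acl(text: str) -> Tuple[Optional[str], List[Ace]]:
    """Return (acl_name, entries) from 'ip access-list extended ...' text."""
    name = None
    aces: List[Ace] = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[:3] == ["ip", "access-list", "extended"]:
            name = toks[3]
            continue
        if toks[0] not in ("permit", "deny"):
            continue  # skip remarks and anything we do not model
        action, proto = toks[0], toks[1]
        src, i = _addr(toks, 2)
        dst, i = _addr(toks, i)
        port = None
        if i < len(toks) and toks[i] == "eq":
            port = toks[i + 1]
        aces.append(Ace(action, proto, src, dst, port))
    return name, aces


def acl_drift(intended_text: str, observed_text: str) -> List[Tuple[int, Optional[Ace], Optional[Ace]]]:
    """Compare entry by entry; return (position, intended, observed) for every mismatch."""
    _, intended = parse_acl(intended_text)
    _, observed = parse_acl(observed_text)
    findings = []
    for k in range(max(len(intended), len(observed))):
        a = intended[k] if k < len(intended) else None   # None: entry vanished
        b = observed[k] if k < len(observed) else None   # None: entry appeared
        if a != b:
            findings.append((k, a, b))
    return findings


def describe(findings) -> List[str]:
    """Human-readable lines for an audit report."""
    return [f"entry {k}: expected {a}, router shows {b}" for k, a, b in findings]


if __name__ == "__main__":
    for line in describe(acl_drift(INTENDED, OBSERVED)):
        print(line)
```

Running the check against the two listings from the post reports two mismatched entries, the udp/snmp line (destination "any" became "0.0.0.0 0.0.0.15") and the icmp line (destination "any" became "host 0.0.0.0"); a cron job that pulls the running configuration and runs this against the last approved copy turns the author's accidental discovery into a routine alert.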


