[c-nsp] CBAC and ACL broken for PPPoE on 7513?

Rodney Dunn rodunn at cisco.com
Tue Jul 18 11:12:00 EDT 2006


You seem to be using the 75xx for a lot of broadband type
aggregation that we don't recommend. :)))

btw, I just pinged the DE's yesterday to see if they are going
to be able to fix the other bug. The jury is still out.

On Tue, Jul 18, 2006 at 10:35:31AM -0400, Joe Maimon wrote:
> I have had some issues in the past where ACLs were ignored on 7513 if 
> not for "ip inspect" being present on the interface.

That is probably forcing those packets to be punted out of the distributed
path and the ACL checks are working at the next layer (RSP, process level, etc.)

> 
> Unfortunately TAC was never able to accurately reproduce the problem, 
> even though I experienced it consistently.

You can never give them too many or too much information on exactly
what the trigger is. Once that is understood recreates are pretty easy.

You say you consistently hit it but exactly what is the setup and
I might be able to give you some guidance.

> 
> Now I am suspecting that even on 12.4(8) that certain ACLs are 
> "leaking" even with CBAC turned on.

Please don't suspect. We'd need sniffer traces on both sides to
prove it.

> 
> What I would like to know is how realistic is it of me to expect TAC to 
> be able to setup a radius server assigning a preconfigured on the router 
> ACL (with interface-config VSA, NOT downloaded ACL) to a pppoe user and 
> pound it with packets to see what gets by.

It's realistic and they can do it. It's what they are asked to do
that is usually not very clear.

Rodney

> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
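The thread boils down to one verification problem: given the ACL that RADIUS hands to the PPPoE session and sniffer traces taken on both sides of the router, decide which packets got through that the ACL should have dropped. The script below is an added example, not code from the original post or from Cisco; it models first-match IOS extended-ACL semantics with the implicit trailing deny for a subset of the syntax (permit/deny, protocols ip/tcp/udp/icmp, any/host/wildcard addresses, an optional destination "eq" port), and the ACL text and the two packet samples are constructed to illustrate the check rather than taken from any real capture.

```python
"""Compare pre-filter and post-filter packet samples against a Cisco-style
extended ACL and report packets that 'leaked' past it.

Added example; the ACL and packet samples below are constructed, not real
captures. Supports a subset of IOS syntax: permit/deny, proto ip/tcp/udp/icmp,
'any' | 'host A' | 'A WILDCARD' addresses, and an optional destination 'eq PORT'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any transport protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header and remarks
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.IPv4Address(pkt.src) not in entry.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in entry.dst:
        return False
    return entry.dport is None or entry.dport == pkt.dport


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        if _matches(entry, pkt):
            return entry.action
    return "deny"


def find_leaks(acl, pre_filter, post_filter) -> List[Packet]:
    """Packets seen after the ACL that, by the ACL's own rules, should have been dropped."""
    should_drop = {p for p in pre_filter if evaluate(acl, p) == "deny"}
    return [p for p in post_filter if p in should_drop]


# Constructed sample ACL, the kind RADIUS might reference for a subscriber session.
SAMPLE_ACL = parse_acl("""
ip access-list extended SUBSCRIBER-IN
 permit tcp any host 192.0.2.10 eq 80
 permit udp any host 192.0.2.53 eq 53
 deny ip any 192.0.2.0 0.0.0.255
 permit ip any any
""")

# Constructed samples: what the subscriber-side sniffer saw, and what the far-side sniffer saw.
PRE_FILTER = [
    Packet("tcp", "10.1.1.5", "192.0.2.10", 80),
    Packet("udp", "10.1.1.5", "192.0.2.53", 53),
    Packet("tcp", "10.1.1.5", "192.0.2.20", 22),     # should be dropped by line 3
    Packet("icmp", "10.1.1.5", "192.0.2.10"),        # should be dropped by line 3
    Packet("tcp", "10.1.1.5", "198.51.100.7", 443),
]
POST_FILTER = [
    Packet("tcp", "10.1.1.5", "192.0.2.10", 80),
    Packet("udp", "10.1.1.5", "192.0.2.53", 53),
    Packet("tcp", "10.1.1.5", "192.0.2.20", 22),     # got through: this is the leak
    Packet("tcp", "10.1.1.5", "198.51.100.7", 443),
]


def run_check() -> List[Packet]:
    return find_leaks(SAMPLE_ACL, PRE_FILTER, POST_FILTER)


if __name__ == "__main__":
    for leak in run_check():
        print("LEAK:", leak)
```

In practice the two packet lists come from parsing the traces captured on each side of the router and keying on the 5-tuple; with that in hand the output is the concrete list of packets to hand to TAC rather than a suspicion.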

