[c-nsp] Strange bug in Catalyst 6500 + SUP720 + ACL
Juan Angel Menendez
juan at mecon.gov.ar
Wed Feb 7 09:15:48 EST 2007
At 21:58 06/02/2007, Phil Mayers wrote:
>David Prall wrote:
> > Correct. User at 1.1.1.1 sends a tcp syn to 10.11.1.1 port 80. (inbound)
>
>Erm... Unless I'm going odd due to lack of sleep, a SYN from 1.1.1.1 to
>10.11.1.1 would be OUTBOUND on the config given:
>
>interface vlan 7
> ip address 10.11.0.0 255.255.0.0
> ip access-group 170 out
>
>Wouldn't it?

Yes.

Anyways, to make it easier, forget the established line. The
conflictive line is:

access-list 170 permit tcp any any range 1018 1023

If I remove that line I can't connect anymore.

>Assuming the command is present in your version (upgrade to SXF6 ASAP)
>what does this say:
>
>sh tcam interface vl7 acl out ip

Here you go:

#sh tcam interface vlan 7 acl out ip
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
    permit tcp any any fragments
    permit tcp any any range 1018 1023 (49 matches)

Regards,
Juan