[c-nsp] Strange bug in Catalyst 6500 + SUP720 + ACL

Juan Angel Menendez juan at mecon.gov.ar
Wed Feb 7 09:15:48 EST 2007
At 21:58 06/02/2007, Phil Mayers wrote:

>David Prall wrote:
> > Correct. User at 1.1.1.1 sends a tcp syn to 10.11.1.1 port 80. (inbound)
>
>Erm... Unless I'm going odd due to lack of sleep, a SYN from 1.1.1.1 to
>10.11.1.1 would be OUTBOUND on the config given:
>
>interface vlan 7
>   ip address 10.11.0.0 255.255.0.0
>   ip access-group 170 out
>
>Wouldn't it?

Yes.

Anyways, to make it easier, forget the established line. The 
conflictive line is:

access-list 170 permit tcp any any range 1018 1023

If I remove that line I can't connect anymore.

>Assuming the command is present in your version (upgrade to SXF6 ASAP)
>what does this say:
>
>sh tcam interface vl7 acl out ip

Here you go:

#sh tcam interface vlan 7 acl out ip

* Global Defaults shared


Entries from Bank 0


Entries from Bank 1

     permit       tcp any any fragments
     permit       tcp any any range 1018 1023 (49 matches)


Regards,
Juan 
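As an added illustration that is not part of the thread or of any Cisco code: the two TCAM entries Juan pasted can be run through a small first-match ACL evaluator to check what they permit on paper. Under the documented semantics (first matching entry wins, implicit deny at the end), a TCP SYN to destination port 80 matches neither entry, while only a packet to a port in 1018-1023 hits the second one, which is exactly why the observed dependence on that line is puzzling. The packet model and the handling of the `fragments` keyword (matching non-initial fragments only) are simplifying assumptions of this example, not statements about SUP720 internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two entries shown in the "sh tcam" output
# quoted in the thread, pasted verbatim (the "(49 matches)" hit counter is
# skipped by the parser).
TCAM_DUMP = """
     permit       tcp any any fragments
     permit       tcp any any range 1018 1023 (49 matches)
"""


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", ...
    dport: Optional[int]             # None when there is no L4 header
    non_initial_fragment: bool = False


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    lo: Optional[int] = None         # destination port range (inclusive)
    hi: Optional[int] = None
    fragments: bool = False          # the IOS "fragments" keyword

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        # Assumption (simplified model): an entry carrying "fragments"
        # matches only non-initial fragments, and an entry with L4
        # qualifiers matches only packets that actually carry an L4 header.
        if self.fragments:
            return p.non_initial_fragment
        if p.non_initial_fragment:
            return False
        if self.lo is not None:
            return p.dport is not None and self.lo <= p.dport <= self.hi
        return True


def parse_entry(line: str) -> Entry:
    """Parse one 'permit tcp any any ...' line as printed by 'sh tcam'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    lo = hi = None
    fragments = False
    i = 4                            # skip the 'any any' source/destination
    while i < len(tok) and not tok[i].startswith("("):
        if tok[i] == "fragments":
            fragments = True
            i += 1
        elif tok[i] == "range":
            lo, hi = int(tok[i + 1]), int(tok[i + 2])
            i += 3
        elif tok[i] == "eq":
            lo = hi = int(tok[i + 1])
            i += 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return Entry(action, proto, lo, hi, fragments)


def parse_dump(text: str) -> List[Entry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def evaluate(entries: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation with the implicit deny at the end.

    Returns (action, index of the matching entry or None for implicit deny).
    """
    for idx, e in enumerate(entries):
        if e.matches(p):
            return e.action, idx
    return "deny", None


ACL_170 = parse_dump(TCAM_DUMP)

if __name__ == "__main__":
    # A SYN to port 80, a packet to port 1020, and a non-initial fragment.
    for pkt in (Packet("tcp", 80), Packet("tcp", 1020), Packet("tcp", None, True)):
        print(pkt, "->", evaluate(ACL_170, pkt))
```

Running it prints an implicit deny for the port-80 SYN and a permit via the range entry only for ports 1018-1023; the 49 hits on that entry in the quoted dump therefore cannot come from the web traffic itself, which is the check a practitioner would do before concluding that the TCAM merge, rather than the ACL logic, is what needs investigating.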