[c-nsp] FWSM breaks router ACL

Ryan Hughes rshughes at gmail.com
Tue Sep 30 10:28:33 EDT 2008


This sounds similar to issues one of my customers has had on this code
train with the FWSMs. Here's the bug id: CSCsI39710. We had to upgrade the
code to SXH4 to resolve this. It may be something else, but the experience
sounds similar to what he was experiencing.


On Tue, Sep 30, 2008 at 9:41 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:

> I have an FWSM running 4.0(2) in a 6509 with a Sup720 CXL running 12.2(33)SXH2a.
>
> The FWSM runs in transparent mode and appears between our ISPs and edge
> router. The FWSM has 3 BVIs, one for each ISP.
>
> The same  router connects to 3 downstream routers via 3 different gig
> interfaces.
>
> With the FWSM OFFLINE the router connects directly to the ISPs via 3 VLANs
> (3553, 4000, 4001) on 3 corresponding L2 ports in the same VLANs.
>
> The FWSM has its OUTSIDE interfaces assigned to VLANs 4050, 4051, 4052 and
> INSIDE to 3553, 4000, 4001.
>
> When the FWSM is ONLINE the L2 ports get changed to VLANs 4050, 4051, 4052.
>
> The VLANs with the ACLs that connect to the inside routers are assigned
> VLANs 268, 524, 525.
>
> PROBLEM
>
> The three SVI interfaces that connect to inside routers have outbound ACLs
> which no longer work (pass everything) as long as the FWSM is configured ONLINE.
>
>
> I have the feeling it is related to CEF not having the correct info,
> since the packets are arriving on VLANs 4050, 4051, 4052 but they still think
> they are on VLANs 3553, 4000 and 4001. I believe the ACLs get info from
> CEF to do packet matching and now they no longer match.
>
>
> Has anyone seen this problem or know of a fix?
>
> I have a ticket open with Cisco support.
>
> Thanks for any help.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University

