[c-nsp] FWSM breaks router ACL

Jeff Fitzwater jfitz at Princeton.EDU
Tue Sep 30 11:21:20 EDT 2008


Ryan, do you have any info on that bug ID CSCsI39710? I cannot find it in the bug lookup tool, nor do I see the IOS SXH4.


Thanks for the info.


Jeff
On Sep 30, 2008, at 10:28 AM, Ryan Hughes wrote:

> This sounds like similar issues one of my customers has had on this code
> train with the FWSMs. Here's the bug id: CSCsI39710. We had to upgrade the
> code to SXH4 to resolve this. It may be something else, but the experience
> sounds similar to what he was experiencing.
>
>
> On Tue, Sep 30, 2008 at 9:41 AM, Jeff Fitzwater <jfitz at princeton.edu> wrote:
>
>> I have FWSM running 4.0(2) in 6509 with sup 720 CXL running 12.2(33)SXH2a.
>>
>> The FWSM runs in transparent mode and appears between our ISPs and edge
>> router. The FWSM has 3 BVIs, one for each ISP.
>>
>> The same  router connects to 3 downstream routers via 3 different gig
>> interfaces.
>>
>> With the FWSM OFFLINE the router connects directly to the ISP via 3 VLANs
>> (3553, 4000, 4001) via 3 corresponding L2 ports with the same VLAN.
>>
>> The FWSM has its OUTSIDE interfaces assigned to VLANs 4050, 4051, 4052 and
>> INSIDE to 3553, 4000, 4001.
>>
>> When the FWSM is ONLINE the L2 ports get changed to VLANs 4050, 4051, 4052.
>>
>> The VLANs with the ACLs that connect to the inside routers are assigned
>> VLANs 268, 524, 525.
>>
>> PROBLEM
>>
>>
>> The three SVI interfaces that connect to inside routers have outbound ACLs
>> which no longer work (pass everything) as long as the FWSM is configured
>> ONLINE.
>>
>>
>> I have the feeling it is related to CEF not having the correct info, since
>> the packets are arriving on VLANs 4050, 4051, 4052 but they still think
>> they are on VLANs 3553, 4000 and 4001. I believe the ACLs get info from
>> CEF to do packet matching and now they no longer match.
>>
>>
>> Has anyone seen this problem or know of a fix?
>>
>> I have a ticket open with Cisco support.
>>
>>
>>
>>
>> Thanks for any help.
>>
>>
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
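A defender's check for the symptom Jeff describes (outbound ACLs configured but silently passing everything): take two `show ip access-lists` snapshots while traffic is known to be flowing and flag ACLs whose match counters never move. This is an added example, not code from the thread or from Cisco; the sample output below is constructed, and the ACL names and addresses are assumed.

```python
import re

# Constructed sample output of `show ip access-lists` (not from the thread).
# ACL names are assumed; addresses use RFC 5737 documentation ranges.
SNAPSHOT_T0 = """\
Extended IP access list OUT-VLAN268
    10 permit tcp any 192.0.2.0 0.0.0.255 established (1200 matches)
    20 deny ip 198.51.100.0 0.0.0.255 any (310 matches)
    30 permit ip any any (9000 matches)
Extended IP access list OUT-VLAN524
    10 deny ip 198.51.100.0 0.0.0.255 any (40 matches)
    20 permit ip any any (7000 matches)
"""
SNAPSHOT_T1 = """\
Extended IP access list OUT-VLAN268
    10 permit tcp any 192.0.2.0 0.0.0.255 established (1200 matches)
    20 deny ip 198.51.100.0 0.0.0.255 any (310 matches)
    30 permit ip any any (9000 matches)
Extended IP access list OUT-VLAN524
    10 deny ip 198.51.100.0 0.0.0.255 any (52 matches)
    20 permit ip any any (7310 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$")
# "<seq> <permit|deny> <rest> (<n> match|matches)"; an entry with no hits prints no suffix
ACL_ENTRY = re.compile(r"^\s+(\d+)\s+(permit|deny)\b.*?(?:\((\d+) match(?:es)?\))?\s*$")

def parse_acl_counters(text: str) -> dict:
    """Map ACL name -> {sequence number: (action, match count)}."""
    acls = {}
    current = None
    for line in text.splitlines():
        head = ACL_HEADER.match(line)
        if head:
            current = head.group(1)
            acls[current] = {}
            continue
        entry = ACL_ENTRY.match(line)
        if entry and current is not None:
            seq, action, count = entry.groups()
            acls[current][int(seq)] = (action, int(count or 0))
    return acls

def stalled_acls(before: str, after: str) -> list:
    """ACLs in both snapshots with no counter movement: with traffic flowing, that is
    the signature of an ACL that is configured but no longer applied to the forwarding path."""
    b, a = parse_acl_counters(before), parse_acl_counters(after)
    def moved(name):
        return any(a[name][s][1] > b[name][s][1] for s in a[name] if s in b[name])
    return [n for n in sorted(set(b) & set(a)) if not moved(n)]
```

Counter semantics differ by platform (software- versus hardware-switched matches), so a stalled counter is a prompt to verify the ACL's application on the interface rather than proof by itself.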


