[c-nsp] Access-list not working on eth sub if
james edwards
lists.james.edwards at gmail.com
Wed Apr 28 18:15:56 EDT 2010
This is on a 2811 running c2800nm-spservicesk9-mz.124-21a.
I have an access list applied as such:
!
interface GigabitEthernet0/0/0
description QMOE service
no ip address
ip flow ingress
negotiation auto
!
interface GigabitEthernet0/0/0.1
description PtP VLAN to xxx
encapsulation dot1Q xxx
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip access-group 100 out
no cdp enable
service-policy output QMOE-SHAPE
The access-lists seem not to work when configured "out" but work fine when
configured "in".
Ping through the interface:
xxxxx#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
xxxxx#sho access-lists 100
Extended IP access list 100
10 deny tcp any any range 135 139
20 deny udp any any range 135 netbios-ss
30 deny tcp any any eq 593
40 deny tcp any any eq 4444
50 deny udp any any eq tftp
60 deny tcp any any eq 1433
70 deny udp any any eq 1434
80 permit ip any any
xxxx#
The counters do not advance.
I can connect through the interface to a host on port 135, even though the
ACL denies port 135:
xxxxx#telnet xxx.xxx.xxx.xxx 135
Trying 10.14.8.50, 135 ... Open
I looked through the bugs for 12.4/2811 and did not find anything that
matches.
Am I missing something here or is this likely a bug?
Thanks in advance!
--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov
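A note on the test method above: IOS does not run packets the router itself originates through an outbound interface ACL, so a ping or telnet sourced from the router is not a valid test of "ip access-group 100 out"; what matters is whether the per-ACE match counters advance for transit traffic. The script below is an added example (not part of the original post or of any Cisco tool) that parses two snapshots of "show access-lists 100" taken a few minutes apart and reports which entries gained matches; the snapshot text is constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots of "show access-lists 100" taken a few minutes apart.
# IOS appends "(N matches)" to an entry once its counter is non-zero.
SNAP_BEFORE = """Extended IP access list 100
    10 deny tcp any any range 135 139
    20 deny udp any any range 135 netbios-ss
    30 deny tcp any any eq 593
    80 permit ip any any (1204 matches)
"""
SNAP_AFTER = """Extended IP access list 100
    10 deny tcp any any range 135 139 (3 matches)
    20 deny udp any any range 135 netbios-ss
    30 deny tcp any any eq 593
    80 permit ip any any (1317 matches)
"""

# seq, action, rule text, optional "(N match[es])" suffix
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)


def parse_acl(text: str) -> Dict[int, Tuple[str, int]]:
    """Map sequence number -> (rule text, match count) for one ACL's output."""
    entries: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # header line ("Extended IP access list ...") or blank
        seq, action, rule, matches = m.groups()
        entries[int(seq)] = (f"{action} {rule}", int(matches or 0))
    return entries


def counter_delta(before: str, after: str) -> Dict[int, int]:
    """Per-ACE increase in match count between the two snapshots."""
    b, a = parse_acl(before), parse_acl(after)
    return {seq: a[seq][1] - b.get(seq, ("", 0))[1] for seq in a}


def acl_is_live(before: str, after: str) -> bool:
    """True if any entry advanced, i.e. the ACL is evaluating transit traffic."""
    return any(delta > 0 for delta in counter_delta(before, after).values())


if __name__ == "__main__":
    for seq, delta in sorted(counter_delta(SNAP_BEFORE, SNAP_AFTER).items()):
        print(f"ACE {seq}: +{delta} matches")
    print("ACL live:", acl_is_live(SNAP_BEFORE, SNAP_AFTER))
```

Generate real traffic from a host behind the subinterface (not from the router) between the two snapshots; if even sequence 80 ("permit ip any any") stays flat, the ACL is not being applied to that traffic path at all.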