[c-nsp] CBAC and fragmented packets
Victor Sudakov
vas at mpeks.tomsk.su
Sun Feb 19 21:56:44 EST 2012
Victor Sudakov wrote:
> As soon as I enable CBAC on the outside interface:
>
> interface Serial0/0
> ip access-group DENY_ALL in
> ip inspect FOO out
>
> those non-initial fragments stop arriving. I think CBAC does not
> create dynamic ACL entries for the fragments for some reason.
This must be CSCdu30492 and CSCdx17419.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
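
Why a non-initial fragment cannot match a return entry keyed on ports, as an added example that is not part of the original post and is not Cisco IOS code. It is a generic toy session filter in Python; every name, address and the `track_fragments` switch is an assumption made for illustration.

```python
import struct
from ipaddress import IPv4Address

HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4(src, dst, proto, ip_id, mf, offset, payload):
    """Constructed test packet; header checksum left as 0 (not validated here)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    return struct.pack(HDR, 0x45, 0, 20 + len(payload), ip_id, flags_frag, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, ip_id, more_fragments, offset_bytes, payload)."""
    vihl, _, tlen, ip_id, ff, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    return (str(IPv4Address(src)), str(IPv4Address(dst)), proto, ip_id,
            bool(ff & 0x2000), (ff & 0x1FFF) * 8, pkt[(vihl & 0x0F) * 4:tlen])

class SessionFilter:
    """Toy model: inbound default deny, return traffic allowed per session."""
    def __init__(self, track_fragments):
        self.track_fragments = track_fragments  # hypothetical switch
        self.sessions = set()  # (remote, local, proto, remote_port, local_port)
        self.frag_ok = set()   # (src, dst, proto, ip_id) of permitted first fragments

    def outbound(self, local, remote, proto, lport, rport):
        self.sessions.add((remote, local, proto, rport, lport))

    def inbound(self, pkt):
        src, dst, proto, ip_id, mf, off, payload = parse_ipv4(pkt)
        frag_key = (src, dst, proto, ip_id)
        if off > 0:
            # Non-initial fragment: carries no TCP/UDP header, so there are
            # no ports to match against the session table.
            return self.track_fragments and frag_key in self.frag_ok
        sport, dport = struct.unpack("!HH", payload[:4])  # TCP/UDP only
        ok = (src, dst, proto, sport, dport) in self.sessions
        if ok and mf and self.track_fragments:
            self.frag_ok.add(frag_key)  # let later fragments of this datagram in
        return ok

def demo(track_fragments):
    """Verdicts for (first fragment, second fragment) of one fragmented UDP reply."""
    fw = SessionFilter(track_fragments)
    fw.outbound("192.0.2.10", "198.51.100.7", 17, 40000, 53)
    udp = struct.pack("!HHHH", 53, 40000, 8 + 48, 0) + b"A" * 48
    first = build_ipv4("198.51.100.7", "192.0.2.10", 17, 0x1234, True, 0, udp[:32])
    rest = build_ipv4("198.51.100.7", "192.0.2.10", 17, 0x1234, False, 32, udp[32:])
    return fw.inbound(first), fw.inbound(rest)

if __name__ == "__main__":
    print("ports only:     ", demo(False))
    print("fragment-aware: ", demo(True))
```

In this model a non-initial fragment that arrives before its first fragment is still dropped, since the filter has not yet seen the ports for that IP ID.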