[c-nsp] ASR920: egress ACL on BDIs

Gert Doering gert at greenie.muc.de
Sun Jan 19 07:57:25 EST 2020


On Sun, Jan 19, 2020 at 12:39:18PM +0100, Christian Meutes wrote:
> if you use "copy src dst" then a "no $something" line right in the
> beginning of a new block of configuration lines (e.g. for being used to
> first deconfigure the whole ACL block and then to reapply it again) might
> miss to apply the "no ..." initially first, which will lead to a merge
> behavior instead of a full ACL replace.
> This bug not only affects ACLs but other commands as well. Unsure if it is
> fixed in newest XE versions. Could this also affect you?

Our ACL config snippets do have 

  no ip access-list extended FOOBAR
  ip access-list extended FOOBAR
    permit ...
    permit ...
    deny ...

in them, so yes, this effect would result in "merge" behaviour (which
would very much puzzle me afterwards when looking at the resulting 
config diff, I think :-) ).

It does not explain what we currently see - these ACLs have been installed
"from zero", and the resulting running- and startup-config have all the
lines "in".  Just the filtering hardware doesn't...


"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
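The merge-versus-replace effect discussed above, as an added example that is not part of the original thread or of any Cisco tooling: a small Python model of how a named extended ACL block is applied under merge semantics (the assumption, matching the quoted description, is that ACEs entered under an existing `ip access-list extended` are appended to it rather than replacing it, and that exact duplicates are ignored). The ACL name FOOBAR comes from the post; the addresses and the pre-existing ACL contents are constructed. `apply_config` applies a snippet to a running configuration, `stale_entries` reports ACEs left behind on the device that the intended ACL does not contain, and `missing_reset` flags ACL blocks that are not preceded by a `no ip access-list` line.

```python
"""Model of merge vs. replace for a named extended ACL block (illustrative, not IOS-XE code)."""
import re

# Only the few line shapes used in the thread are modelled.
ACL_HEADER = re.compile(r"^ip access-list extended (\S+)$")
NO_ACL = re.compile(r"^no ip access-list extended (\S+)$")
ACE = re.compile(r"^(permit|deny) .+$")


def apply_config(running, lines):
    """Apply config lines to a running config (dict: ACL name -> list of ACE strings).

    Assumed merge semantics: a 'no ip access-list' removes the ACL; entering an
    existing ACL and typing ACEs appends them (exact duplicates are ignored).
    """
    running = {name: list(aces) for name, aces in running.items()}
    current = None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = NO_ACL.match(line)
        if m:
            running.pop(m.group(1), None)
            current = None
            continue
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            running.setdefault(current, [])
            continue
        if ACE.match(line) and current is not None:
            if line not in running[current]:
                running[current].append(line)
            continue
        raise ValueError(f"unsupported line: {raw!r}")
    return running


def stale_entries(intended, device):
    """ACEs present on the device but absent from the intended ACL, per ACL name."""
    stale = {}
    for name, aces in device.items():
        extra = [ace for ace in aces if ace not in intended.get(name, [])]
        if extra:
            stale[name] = extra
    return stale


def missing_reset(lines):
    """Names of ACL blocks in a snippet that are not immediately preceded by 'no ip access-list ...'."""
    missing = []
    previous = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = ACL_HEADER.match(line)
        if m:
            reset = NO_ACL.match(previous)
            if not reset or reset.group(1) != m.group(1):
                missing.append(m.group(1))
        previous = line
    return missing


# Constructed sample data: what was on the box before, and the snippet being pushed.
OLD_RUNNING = {
    "FOOBAR": [
        "permit ip 10.0.0.0 0.255.255.255 any",
        "permit ip any any",
    ]
}
NEW_SNIPPET = [
    "no ip access-list extended FOOBAR",
    "ip access-list extended FOOBAR",
    "  permit tcp any host 192.0.2.10 eq 22",
    "  deny ip any any",
]


def replaced():
    """Snippet applied as written: the leading 'no' makes it a full replace."""
    return apply_config(OLD_RUNNING, NEW_SNIPPET)


def merged():
    """Snippet applied with the leading 'no' dropped, as in the bug described: old ACEs survive."""
    return apply_config(OLD_RUNNING, NEW_SNIPPET[1:])


if __name__ == "__main__":
    intended = apply_config({}, NEW_SNIPPET)
    print("replace:", replaced()["FOOBAR"])
    print("merge:  ", merged()["FOOBAR"])
    print("stale ACEs after merge:", stale_entries(intended, merged()))
    print("blocks without reset:", missing_reset(NEW_SNIPPET[1:]))
```

Note that in the merged result the old "permit ip any any" sits above the new "deny ip any any", so the deny never matches; comparing the device ACL against the intended one with `stale_entries` is the check that catches this, regardless of how the merge happened.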