[c-nsp] ASR920: egress ACL on BDIs
Gert Doering
gert at greenie.muc.de
Sun Jan 19 07:57:25 EST 2020
Hi,
On Sun, Jan 19, 2020 at 12:39:18PM +0100, Christian Meutes wrote:
> if you use "copy src dst" then a "no $something" line right in the
> beginning of a new block of configuration lines (eg. for being used to
> first deconfigure the whole ACL block and then to reapply it again) might
> miss to apply the "no ..." initially first, which will lead to a merge
> behavior instead of a full ACL replace.
>
> This bug not only affects ACLs but other commands as well. Unsure if it is
> fixed in newest XE versions. Could this also affect you?

Our ACL config snippets do have

  no ip access-list extended FOOBAR
  ip access-list extended FOOBAR
   permit ...
   permit ...
   deny ...
  end

in them, so yes, this effect would result in "merge" behaviour (which
would very much puzzle me afterwards when looking at the resulting
config diff, I think :-) ).

It does not explain what we currently see - these ACLs have been installed
"from zero", and the resulting running- and startup-config have all the
lines "in". Just the filtering hardware doesn't...

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany gert at greenie.muc.de
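
Added example (not part of the original message, and not code from either poster): a post-push check for the "merge instead of replace" effect discussed above. It compares the entries of the pushed snippet with the same ACL in the resulting running-config, in order. The sample configs, addresses, interface and function names are constructed; entries are compared as literal text, so the snippet is assumed to be written the way the device displays it.

```python
import re

ACL_HEAD = re.compile(r"^ip access-list extended (\S+)$")
ACE = re.compile(r"^(?:\d+ )?((?:permit|deny) .*)$")  # optional sequence number

def parse_acl(text, name):
    """Ordered permit/deny entries of extended ACL `name` (last definition wins)."""
    aces, inside = [], False
    for raw in text.splitlines():
        line = " ".join(raw.split())          # trim and collapse whitespace
        head = ACL_HEAD.match(line)
        if head:
            inside = head.group(1) == name
            if inside:
                aces = []
            continue
        ace = ACE.match(line) if inside else None
        if ace:
            aces.append(ace.group(1))
        elif line and not line.startswith("remark "):
            inside = False                    # any other command ends the block
    return aces

def compare(intended, running):
    """Report leftovers from an older ACL and entries that never arrived."""
    return {
        "stale": [a for a in running if a not in intended],
        "missing": [a for a in intended if a not in running],
        "replaced": running == intended,      # same entries, same order
    }

# Constructed sample data (addresses from the documentation range).
SNIPPET = """\
no ip access-list extended FOOBAR
ip access-list extended FOOBAR
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any any
 deny ip any any
end
"""
# Constructed to look like a merged result: old entries kept, new ones appended.
MERGED_RUNNING = """\
interface BDI100
 ip access-group FOOBAR out
ip access-list extended FOOBAR
 10 permit tcp any host 192.0.2.10 eq 23
 20 deny ip any any
 30 permit tcp any host 192.0.2.10 eq 443
 40 permit icmp any any
!
"""

if __name__ == "__main__":
    print(compare(parse_acl(SNIPPET, "FOOBAR"), parse_acl(MERGED_RUNNING, "FOOBAR")))
```

This only inspects configuration text; it says nothing about whether the entries were programmed into the filtering hardware, which is the separate symptom described in the reply.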