[c-nsp] Cisco CBAC one stateful rule on an interface bypasses rules on other interfaces

Marco Moock mm at dorfdsl.de
Thu Dec 11 13:33:00 EST 2025


Hello!

I have 2 VLAN interfaces, both with CBAC (inspect) ACLs.

I noticed that in that case the 2nd CBAC ACL (on the outgoing
interface) is not being processed, even if it would reject the packet.

It is working if traffic goes from an incoming interface without an
inspect rule. The ACL on the out interface is being processed in that
case.

Is that intended behavior, so that if one temporary inspect rule exists,
the second ACL is bypassed?

In case I would like to have inspect rules on both interfaces for
traffic to the internet and to have firewalls between the VLANs, what
is the preferred way to handle this?

interface Vlan5
 ipv6 inspect spi-fw-vlan5 in
 ipv6 traffic-filter vlan5-acl-out out

interface Vlan30
 ipv6 inspect spi-fw-vlan30 in
 ipv6 traffic-filter vlan30-acl-out out

Both lists have a deny ipv6 any any at the end and the rejects are
being logged.

If I now try to connect from a machine in VLAN 5 to a machine in VLAN 30,
to a destination address/port that should be rejected by
vlan30-acl-out, the traffic goes through.

If I try to do that from VLAN 2 (no ACL attached), the ACL
vlan30-acl-out is processed and the packet is rejected.

-- 
kind regards
Marco

Send unsolicited bulk mail to 1765382257muell at stinkedores.dorfdsl.de
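Added example, not part of the original message: a small audit script that parses IOS-style interface stanzas and lists every (inbound-inspect interface, outbound-traffic-filter interface) pair, i.e. the VLAN 5 -> VLAN 30 combination the message describes, so each pair can be tested explicitly. It only reports the configuration pattern; it does not decide whether the outbound ACL is actually applied. The interface stanzas are the ones posted above; Vlan2 is an assumed interface with no inspect rule and no ACL, matching the message's description.

```python
import re

# Constructed sample input: the Vlan5/Vlan30 stanzas from the message, plus an
# assumed Vlan2 stanza with no inspect rule and no traffic-filter.
SAMPLE_CONFIG = """\
interface Vlan2
 description assumed: no inspect, no traffic-filter
interface Vlan5
 ipv6 inspect spi-fw-vlan5 in
 ipv6 traffic-filter vlan5-acl-out out
interface Vlan30
 ipv6 inspect spi-fw-vlan30 in
 ipv6 traffic-filter vlan30-acl-out out
"""


def parse_interfaces(config):
    """Return {interface: {'inspect_in': name or None, 'acl_out': name or None}}.

    Only 'ipv6 inspect <name> in' and 'ipv6 traffic-filter <name> out' are
    recorded; other sub-interface lines are ignored.
    """
    ifaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Top-level line: start a new interface stanza (or leave any other
            # global command unassigned).
            m = re.match(r"interface\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = {"inspect_in": None, "acl_out": None}
            continue
        if current is None:
            continue
        m = re.match(r"\s*ipv6 inspect (\S+) in$", line)
        if m:
            ifaces[current]["inspect_in"] = m.group(1)
            continue
        m = re.match(r"\s*ipv6 traffic-filter (\S+) out$", line)
        if m:
            ifaces[current]["acl_out"] = m.group(1)
    return ifaces


def find_inspect_pairs(ifaces):
    """List (src, dst) where src has an inbound inspect rule and dst has an
    outbound traffic-filter. These are the flows to test; flows entering on an
    interface without inspect (the VLAN 2 case in the message) are not listed."""
    return sorted(
        (src, dst)
        for src, s in ifaces.items() if s["inspect_in"]
        for dst, d in ifaces.items() if dst != src and d["acl_out"]
    )


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for src, dst in find_inspect_pairs(ifaces):
        print(f"{src} (inspect {ifaces[src]['inspect_in']} in) -> "
              f"{dst} (traffic-filter {ifaces[dst]['acl_out']} out): "
              "verify with a denied destination that the outbound ACL is hit")
```

Run it against the saved `show running-config` output instead of SAMPLE_CONFIG to get the list of interface pairs to test with a logged deny entry, as in the message.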