[f-nsp] ACLs on VE match traffic for other VE

Cliff Albert cliff-nsp at oisec.net
Sat Oct 16 09:06:21 EDT 2004


Hi there,

I have the following issue with my HP Procurve 9304m (which is a Foundry
BigIron 4K) running 07.7.01bT53.

The problem is as follows:

The Foundry reports a lot of ACL hits (see the log below) on my access-list kpn-in;
however, the traffic it matches is not on that VE interface. The kpn-in
ACL is bound to ve 38, but the MAC address that violates the ACL is on ve 20.

Also, all ACLs are handled by the CPU, but as this is a JetCore setup with recent
software it should handle the ACLs in hardware. I know the flow-mode command is
responsible for that, but without it, it looks like the ACL applies to the physical
interface.

I have ip auto-acl-rebind active.

Does anyone have any idea why this is happening? HP Support is very unhelpful.

--- Configuration and Logging Below ---

vlan 20 name VLAN_AMSIX by port
 tagged ethe 1/2 
 router-interface ve 20

vlan 38 name VLAN_KPN by port
 tagged ethe 1/2 
 router-interface ve 38

interface ve 38
 port-name KPN Eurorings
 ip access-group flow-mode
 ip access-group kpn-in in 
 ip address 134.222.97.230/30
 no ip redirect

telnet@ams-br01>sh arp mac-address 0005.8501.9400
      IP Address          MAC Address         Type        Age       Port      
1     195.69.144.72       0005.8501.9400      Dynamic     0         1/2       

telnet@ams-br01>sh mac 0005.8501.9400
Total active entries from all ports = 243
Type D:Dynamic  S:Static  L:Lock Address  M:Secure Mac
MAC Address     Port  Age Type DMA Valid Flags    VLAN DMA:CAM Index ...
0005.8501.9400   1/2    7    D 00000000-00000001    20   0:33000

CAM Entry Flag: 0000000100000000H
CIDX0: 33000[hw 16616 | 0x040e8]


Hex dump:
0000: 00 05 85 01 94 00 01 40 01 00 00 00 00 50 00 01 | .......@.....P..
0010: 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 | ................
0020: 00 00 ff ff 00 00 80 e8 00 00 00 00 00 00 ff 00 | ................
0030: 00 00 00 00                                     | ....

Flags: home_cam_ready   


ACL kpn-in:

deny ip 192.168.0.0/16 any (Flows: 101343, Packets: 1998, Rule cams used: N/A)
deny ip 172.16.0.0/12 any (Flows: 75688, Packets: 2250, Rule cams used: N/A)
deny ip 10.0.0.0/8 any (Flows: 62332, Packets: 3923, Rule cams used: N/A)
deny ip 127.0.0.0/8 any (Flows: 31254, Packets: N/A, Rule cams used: N/A)
deny ip any host 62.133.194.24 (Flows: 20650, Packets: 1392, Rule cams used: N/A)
permit ip any 62.133.192.0/18 (Flows: 316674080, Packets: N/A, Rule cams used: N/A)
permit ip any 134.222.97.228/30 (Flows: 63638, Packets: N/A, Rule cams used: N/A)
deny ip any any log (Flows: 5367348, Packets: 6275067, Rule cams used: N/A)

ACL Logging:

Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1283)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.48(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1274)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.40(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1269)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.35(20168), 1 event(s)

-- 
Cliff Albert <cliff at oisec.net>
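The mismatch Cliff describes (ACL log hits whose source MAC lives in a different VLAN than the VE the ACL is bound to) can be checked mechanically rather than by eye. The script below is an added example, not part of the original post and not Foundry or HP code: it parses the "deny ... log" lines and the "show mac" output in the formats shown above, looks up each logged source MAC in the MAC table, and flags every hit whose MAC is learned in a VLAN other than the one the ACL's VE belongs to. The sample inputs are constructed from the three log lines and the single MAC-table entry in the post; the ACL-to-VE and VE-to-VLAN mappings are taken from the configuration above and are the only assumptions about the box. It says nothing about why the switch behaves this way; it only makes the cross-VLAN condition observable and countable over a larger log.

```python
import re
from collections import Counter

# Constructed sample: the three "deny ip any any log" hits quoted in the post.
ACL_LOG = """\
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1283)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.48(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1274)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.40(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1269)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.35(20168), 1 event(s)
"""

# Constructed sample: the one "show mac" row quoted in the post (header included).
MAC_TABLE = """\
MAC Address     Port  Age Type DMA Valid Flags    VLAN DMA:CAM Index ...
0005.8501.9400   1/2    7    D 00000000-00000001    20   0:33000
"""

# Assumed from the posted configuration: kpn-in is bound to ve 38,
# and "router-interface ve N" sits in "vlan N" for both VEs.
ACL_TO_VE = {"kpn-in": 38}
VE_TO_VLAN = {20: 20, 38: 38}

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# "list <acl> denied <proto> <src>(<sport>)(Ethernet <slot/port> <mac>) -> <dst>(<dport>), <n> event(s)"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\((?P<iface>Ethernet \S+) (?P<mac>" + MAC + r")\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<events>\d+) event"
)

# "<mac> <port> <age> <type> <dma-valid-flags> <vlan> <dma:cam>"
MAC_RE = re.compile(
    r"^(?P<mac>" + MAC + r")\s+(?P<port>\S+)\s+\d+\s+\S+\s+\S+\s+(?P<vlan>\d+)\s"
)


def parse_mac_table(text):
    """Map MAC -> {port, vlan} from 'show mac' output; header and junk lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            table[m["mac"]] = {"port": m["port"], "vlan": int(m["vlan"])}
    return table


def parse_acl_log(text):
    """Return one dict per ACL deny-log line; lines that do not match are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hit = m.groupdict()
            hit["events"] = int(hit["events"])
            hits.append(hit)
    return hits


def find_cross_vlan_hits(log_text, mac_text, acl_to_ve=ACL_TO_VE, ve_to_vlan=VE_TO_VLAN):
    """Flag ACL hits whose source MAC is learned in a VLAN other than the ACL's VE VLAN.

    status values: 'cross-vlan' (the condition from the post), 'unknown-mac'
    (MAC not in the table; cannot decide), 'unknown-acl' (no VE mapping given).
    Hits that are consistent with their VE are not reported.
    """
    mac_table = parse_mac_table(mac_text)
    findings = []
    for hit in parse_acl_log(log_text):
        ve = acl_to_ve.get(hit["acl"])
        if ve is None or ve not in ve_to_vlan:
            findings.append({**hit, "status": "unknown-acl"})
            continue
        acl_vlan = ve_to_vlan[ve]
        entry = mac_table.get(hit["mac"])
        if entry is None:
            findings.append({**hit, "status": "unknown-mac", "acl_vlan": acl_vlan})
        elif entry["vlan"] != acl_vlan:
            findings.append({**hit, "status": "cross-vlan", "acl_vlan": acl_vlan,
                             "mac_vlan": entry["vlan"], "port": entry["port"]})
    return findings


def summarize(findings):
    """Count events per (acl, status, mac_vlan) so a big log reduces to a few lines."""
    c = Counter()
    for f in findings:
        c[(f["acl"], f["status"], f.get("mac_vlan"))] += f["events"]
    return dict(c)


if __name__ == "__main__":
    hits = find_cross_vlan_hits(ACL_LOG, MAC_TABLE)
    for h in hits:
        print(h["status"], h["acl"], h["mac"], "port", h.get("port"),
              "mac vlan", h.get("mac_vlan"), "acl vlan", h.get("acl_vlan"),
              h["src"], "->", h["dst"])
    print(summarize(hits))
```

Feed it the full "show mac" table and a longer log and the summary tells you how many denied events came from each foreign VLAN; any "unknown-mac" entries mean the table was captured after the entry aged out and should be re-pulled together with the log.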



More information about the foundry-nsp mailing list