[f-nsp] ACLs don't work
Cliff Albert
cliff-nsp at oisec.net
Mon Sep 27 04:36:03 EDT 2004
On Mon, Sep 27, 2004 at 10:12:31AM +0200, Calle Lidström wrote:
> I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
> it sounds a bit weird.. :-)
>
> When I apply the ACL f00-out, everything is working as expected but
> after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
>
> I need to re-apply the access-group statement on the interface for the
> ACL to become "active" again.
>
> Has anyone seen this problem before?
No, but I have the problem of ACLs behaving very oddly. They
are very very very flaky if you apply them on virtual interfaces. I
know this goes through the CPU; however, the documentation says that it should
be processed by CAM on 07.7.01 (which I'm also running on a BI4000).
Did you do an ip rebind-acl all ?
> !
> interface ethernet 1/2
> port-name m00-f00
> route-only
> ip access-group f00-out out
> ip address 10.1.1.1 255.255.255.252
> !
>
> ip access-list extended f00-out
> permit tcp host 10.2.1.1 host 10.1.1.2 eq 26
> deny ip any any
--
Cliff Albert <cliff at oisec.net>
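As an added illustration (not code from the thread or from Foundry), the snippet below parses the quoted ACL f00-out and evaluates sample flows against it, so the expected permit/deny outcome for each flow can be written down and compared with what the box actually does after the ~10 hour mark. It assumes only the small subset of extended ACL syntax used in the thread (host/any/wildcard, optional "eq" on the destination port) and first-match semantics with an implicit deny at the end.

```python
import ipaddress

# Constructed sample: the extended ACL quoted in the thread.
ACL_TEXT = """
ip access-list extended f00-out
 permit tcp host 10.2.1.1 host 10.1.1.2 eq 26
 deny ip any any
"""


def _parse_addr(toks):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # Wildcard (inverse) mask: the ipaddress module accepts a hostmask
    # after the slash when its first octet is zero, e.g. 10.1.0.0/0.0.255.255.
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_acl(text):
    """Return the permit/deny entries of an extended ACL as rule dicts."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] not in ("permit", "deny"):
            continue  # skip the header line and blanks
        action, proto, rest = toks[0], toks[1], toks[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append({"action": action, "proto": proto,
                      "src": src, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):  # 'ip' entries match any protocol
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"


RULES = parse_acl(ACL_TEXT)
```

Running evaluate(RULES, "tcp", "10.2.1.1", "10.1.1.2", 26) yields "permit" while any other port, protocol or source yields "deny", which is the baseline the thread's "0/0 can connect" symptom violates.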