[f-nsp] ACL's doesnt work

Cliff Albert cliff-nsp at oisec.net
Mon Sep 27 05:14:36 EDT 2004


On Mon, Sep 27, 2004 at 11:10:44AM +0200, Calle Lidström wrote:

> >>I have a BigIron 4000 running 07.7.01cT53 that the ACLs stop working
> >>on; it sounds a bit weird.. :-)
> >>
> >>When I apply the ACL f00-out, everything is working as expected but 
> >>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
> >>
> >>I need to re-apply the access-group statement on the interface for the
> >>ACL to become "active" again.
> >>
> >>Has anyone seen this problem before?
> >
> >
> >No, but I have the problem of ACLs behaving very oddly. They
> >are very, very flaky if you apply them on virtual interfaces. I
> >know this goes through the CPU; however, the documentation says that it should
> >be processed by CAM on 07.7.01 (which I'm also running on a BI4000).
> >
> >You did an ip rebind-acl all ?
> 
> No, that's a new command for me. Though, I'll try that one next time I 
> notice the problem.
> 
> This behaviour is primarily on ve-interfaces.

I have also only seen ACL issues on ve-interfaces, plus weird issues
where ACLs match packets that are actually on another VLAN but
on the same physical interface because it has multiple VEs.

I've been in contact with my support engineer about this issue, but they have
still not found the cause after more than 16 months now.

BTW, for the record, I'm using an HP 9304, which is actually a relabeled
Foundry BigIron 4K with a huge s/Foundry/HP/ over the firmware. It uses
EP blades (which is JetCore on Foundry).

-- 
Cliff Albert <cliff at oisec.net>
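For readers who have not seen the commands the thread refers to, here is a hypothetical IronWare configuration fragment matching the setup described above. It is an added illustration, not configuration posted by anyone in the thread: the ACL name f00-out, the host 10.1.1.2, the `ip access-group` binding and the `ip rebind-acl all` command come from the messages; the VE number, the rule set and the traffic direction are assumptions.

```text
! Hypothetical IronWare config (added example, not from the thread).
! Named extended ACL blocking all traffic to 10.1.1.2 (rule set assumed).
ip access-list extended f00-out
 deny ip any host 10.1.1.2
 permit ip any any
!
! Binding on a virtual (VE) interface; VE number and direction assumed.
! This is the line the original poster has to re-apply when the ACL
! silently stops filtering after ~10 hours.
interface ve 10
 ip access-group f00-out out
!
! Global-config command suggested in the thread: re-programs all ACLs
! into the hardware (CAM) without removing and re-adding each binding.
ip rebind-acl all
```

The rebind command is a global-configuration command, not an interface command, so it can be issued once rather than per VE. Whether it actually clears the symptom described above is, per the thread, untested; verify by probing 10.1.1.2 from a source the ACL should deny after running it.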