[f-nsp] ACLs don't work
Tine Hutchison foundry-nsp at well-duh.net
Mon Sep 27 14:30:04 EDT 2004

Are you running any sort of PBR, by any chance?
Tine
Quoting Cliff Albert <cliff-nsp at oisec.net>:
> On Mon, Sep 27, 2004 at 11:10:44AM +0200, Calle Lidström wrote:
>
> > >>I have a BigIron 4000 running 07.7.01cT53 that the ACLs stop working
> > >>on, it sounds a bit weird.. :-)
> > >>
> > >>When I apply the ACL f00-out, everything is working as expected but
> > >>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
> > >>
> > >>I need to re-apply the access-group statement on the interface for the
> > >>ACL to become "active" again.
> > >>
> > >>Has anyone seen this problem before?
> > >
> > >
> > >No, but I have the problem of ACLs working in very odd behaviour. They
> > >are very very very flaky if you apply them on virtual interfaces. I
> > >know this goes through CPU however the documentation says that it should
> > >process it by CAM on 07.7.01 (which I'm also running on a BI4000).
> > >
> > >You did an ip rebind-acl all ?
> >
> > No, that's a new command for me. Though, I'll try that one next time I
> > notice the problem.
> >
> > This behaviour is primarily on ve-interfaces.
>
> I also only have seen ACL issues on ve-interfaces. Also weird issues
> where ACLs are matching packets that are actually on another vlan but
> on the same physical interface because it has multiple VE's.
>
> I've been contacting my support engineer for this issue but they have
> still not found the issue after more than 16 months now.
>
> BTW for good notice I'm using an HP9304 which actually is a relabeled
> Foundry Big Iron 4K with a huge s/Foundry/HP/ over the firmware. It uses
> EP blades (which is JetCore on Foundry).
>
> --
> Cliff Albert <cliff at oisec.net>