[f-nsp] ACLs don't work

Cliff Albert cliff-nsp at oisec.net
Mon Sep 27 14:49:54 EDT 2004


On Mon, Sep 27, 2004 at 11:30:04AM -0700, Tine Hutchison wrote:

> Are you running any sort of PBR, by any chance?

No, we haven't got PBR active. 


> Quoting Cliff Albert <cliff-nsp at oisec.net>:
> 
> > On Mon, Sep 27, 2004 at 11:10:44AM +0200, Calle Lidström wrote:
> >
> > > >>I have a BigIron 4000 running 07.7.01cT53 that the ACLs stop working
> > > >>on; it sounds a bit weird.. :-)
> > > >>
> > > >>When I apply the ACL f00-out, everything is working as expected but
> > > >>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
> > > >>
> > > >>I need to re-apply the access-group statement on the interface for the
> > > >>ACL to become "active" again.
> > > >>
> > > >>Has anyone seen this problem before?
> > > >
> > > >
> > > >No, but I have the problem of ACLs exhibiting very odd behaviour. They
> > > >are very very very flaky if you apply them on virtual interfaces. I
> > > >know this goes through CPU; however, the documentation says that it should
> > > >process it by CAM on 07.7.01 (which I'm also running on a BI4000).
> > > >
> > > >Did you do an ip rebind-acl all?
> > >
> > > No, that's a new command for me. Though, I'll try that one next time I
> > > notice the problem.
> > >
> > > This behaviour is primarily on ve-interfaces.
> >
> > I also have only seen ACL issues on ve-interfaces. Also weird issues
> > where ACLs are matching packets that are actually on another VLAN but
> > on the same physical interface because it has multiple VEs.
> >
> > I've been contacting my support engineer for this issue but they have
> > still not found the issue after more than 16 months now.
> >
> > BTW, for good measure, I'm using an HP9304 which actually is a relabeled
> > Foundry Big Iron 4K with a huge s/Foundry/HP/ over the firmware. It uses
> > EP blades (which is JetCore on Foundry).

-- 
Cliff Albert <cliff at oisec.net>
