Mailing List Archive

ACLs don't work
Hi,

I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
it sounds a bit weird.. :-)

When I apply the ACL f00-out, everything is working as expected but
after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.

I need to re-apply the access-group statement on the interface for the
ACL to become "active" again.

Has anyone seen this problem before?


!
interface ethernet 1/2
port-name m00-f00
route-only
ip access-group f00-out out
ip address 10.1.1.1 255.255.255.252
!

ip access-list extended f00-out
permit tcp host 10.2.1.1 host 10.1.1.2 eq 26
deny ip any any



Calle
--
Calle Lidström <calle@swip.net>
CDBF CE81 EC99 BB2B 2E2A 7643 EEC1 0F3A 75E9 0D2C
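The failure described above is a silent fail-open: the ACL is still in the configuration, but traffic the `deny ip any any` line should drop gets through until the access-group is re-applied. A defender wants to notice that before the next time somebody "happens" to test it. The script below is an added example and not code from the thread or from Foundry; it parses the `ip access-list extended` syntax quoted in the post (the `host`, `any` and Cisco-style wildcard forms are assumed), computes what the ACL should do for a given TCP flow, and compares that with a live connect probe run from a host the ACL says must be denied. Any flow that should be denied but connects is reported as a leak. The `tcp_probe` helper and the probe list are assumptions for illustration; the ACL text is the one from the post.

```python
"""Detect an ACL that has silently stopped enforcing by comparing the verdict
the ACL text predicts with what a live TCP probe actually observes.
Added example; assumes the Foundry-style ACL syntax shown in the thread."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# ACL text taken from the configuration quoted in the first post.
ACL_TEXT = """
ip access-list extended f00-out
permit tcp host 10.2.1.1 host 10.1.1.2 eq 26
deny ip any any
"""


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Wildcard mask (assumed Cisco-style): invert it to obtain a normal netmask.
    addr, wild = tokens[i], tokens[i + 1]
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    mask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn the 'permit'/'deny' lines of an extended ACL into Rule objects."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue                      # skip the list header and blank lines
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def expected_verdict(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation with the implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def tcp_probe(dst: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect from this monitoring host reaches dst:port (assumed helper)."""
    try:
        with socket.create_connection((dst, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_fail_open(rules: List[Rule],
                   probes: List[Tuple[str, str, int]],
                   probe: Callable[[str, int], bool] = tcp_probe) -> List[Tuple[str, str, int]]:
    """probes: (source address of the monitor, destination, port).
    Returns every flow the ACL says must be denied but which actually connected."""
    leaks = []
    for src, dst, port in probes:
        if expected_verdict(rules, "tcp", src, dst, port) == "deny" and probe(dst, port):
            leaks.append((src, dst, port))
    return leaks


if __name__ == "__main__":
    # Constructed probe list: run this from a host that is NOT 10.2.1.1.
    acl = parse_acl(ACL_TEXT)
    bad = find_fail_open(acl, [("10.9.9.9", "10.1.1.2", 22), ("10.9.9.9", "10.1.1.2", 26)])
    print("ACL fail-open detected:" if bad else "ACL still enforcing", bad)
```

Run it from cron on a host that the ACL should block; a non-empty result means the deny line is no longer being honoured and the access-group needs re-applying (or `ip rebind-acl all`, as suggested later in the thread). The probe is injected as a callable so the decision logic can be exercised offline against a simulated result.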
ACLs don't work [ In reply to ]
On Mon, Sep 27, 2004 at 10:12:31AM +0200, Calle Lidström wrote:

> I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
> it sounds a bit weird.. :-)
>
> When I apply the ACL f00-out, everything is working as expected but
> after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
>
> I need to re-apply the access-group statement on the interface for the
> ACL to become "active" again.
>
> Has anyone seen this problem before?

No, but I have the problem of ACLs working in a very odd way. They
are very very very flaky if you apply them on virtual interfaces. I
know this goes through the CPU, however the documentation says that it should
process it by CAM on 07.7.01 (which I'm also running on a BI4000).

Did you do an ip rebind-acl all ?

> !
> interface ethernet 1/2
> port-name m00-f00
> route-only
> ip access-group f00-out out
> ip address 10.1.1.1 255.255.255.252
> !
>
> ip access-list extended f00-out
> permit tcp host 10.2.1.1 host 10.1.1.2 eq 26
> deny ip any any

--
Cliff Albert <cliff@oisec.net>
ACLs don't work [ In reply to ]
Cliff Albert wrote:

> On Mon, Sep 27, 2004 at 10:12:31AM +0200, Calle Lidström wrote:
>
>
>>I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
>>it sounds a bit weird.. :-)
>>
>>When I apply the ACL f00-out, everything is working as expected but
>>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
>>
>>I need to re-apply the access-group statement on the interface for the
>>ACL to become "active" again.
>>
>>Has anyone seen this problem before?
>
>
> No, but I have the problem of ACLs working in a very odd way. They
> are very very very flaky if you apply them on virtual interfaces. I
> know this goes through the CPU, however the documentation says that it should
> process it by CAM on 07.7.01 (which I'm also running on a BI4000).
>
> Did you do an ip rebind-acl all ?
>
>

No, that's a new command for me. Though, I'll try that one next time I
notice the problem.

This behaviour is primarily on ve-interfaces.


/calle
--
Calle Lidström <calle@swip.net>
CDBF CE81 EC99 BB2B 2E2A 7643 EEC1 0F3A 75E9 0D2C
ACLs don't work [ In reply to ]
On Mon, Sep 27, 2004 at 11:10:44AM +0200, Calle Lidström wrote:

> >>I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
> >>it sounds a bit weird.. :-)
> >>
> >>When I apply the ACL f00-out, everything is working as expected but
> >>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
> >>
> >>I need to re-apply the access-group statement on the interface for the
> >>ACL to become "active" again.
> >>
> >>Has anyone seen this problem before?
> >
> >
> >No, but I have the problem of ACLs working in a very odd way. They
> >are very very very flaky if you apply them on virtual interfaces. I
> >know this goes through the CPU, however the documentation says that it should
> >process it by CAM on 07.7.01 (which I'm also running on a BI4000).
> >
> >Did you do an ip rebind-acl all ?
>
> No, that's a new command for me. Though, I'll try that one next time I
> notice the problem.
>
> This behaviour is primarily on ve-interfaces.

I have also only seen ACL issues on ve-interfaces. Also weird issues
where ACLs are matching packets that are actually on another VLAN but
on the same physical interface because it has multiple VEs.

I've been contacting my support engineer for this issue but they have
still not found the issue after more than 16 months now.

BTW, for the record, I'm using an HP9304, which is actually a relabeled
Foundry Big Iron 4K with a huge s/Foundry/HP/ over the firmware. It uses
EP blades (which is JetCore on Foundry).

--
Cliff Albert <cliff@oisec.net>
ACLs don't work [ In reply to ]
Are you running any sort of PBR, by any chance?

Tine

Quoting Cliff Albert <cliff-nsp@oisec.net>:

> On Mon, Sep 27, 2004 at 11:10:44AM +0200, Calle Lidström wrote:
>
> > >>I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
> > >>it sounds a bit weird.. :-)
> > >>
> > >>When I apply the ACL f00-out, everything is working as expected but
> > >>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
> > >>
> > >>I need to re-apply the access-group statement on the interface for the
> > >>ACL to become "active" again.
> > >>
> > >>Has anyone seen this problem before?
> > >
> > >
> > >No, but I have the problem of ACLs working in a very odd way. They
> > >are very very very flaky if you apply them on virtual interfaces. I
> > >know this goes through the CPU, however the documentation says that it should
> > >process it by CAM on 07.7.01 (which I'm also running on a BI4000).
> > >
> > >Did you do an ip rebind-acl all ?
> >
> > No, that's a new command for me. Though, I'll try that one next time I
> > notice the problem.
> >
> > This behaviour is primarily on ve-interfaces.
>
> I have also only seen ACL issues on ve-interfaces. Also weird issues
> where ACLs are matching packets that are actually on another VLAN but
> on the same physical interface because it has multiple VEs.
>
> I've been contacting my support engineer for this issue but they have
> still not found the issue after more than 16 months now.
>
> BTW, for the record, I'm using an HP9304, which is actually a relabeled
> Foundry Big Iron 4K with a huge s/Foundry/HP/ over the firmware. It uses
> EP blades (which is JetCore on Foundry).
>
> --
> Cliff Albert <cliff@oisec.net>
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
ACLs don't work [ In reply to ]
On Mon, Sep 27, 2004 at 11:30:04AM -0700, Tine Hutchison wrote:

> Are you running any sort of PBR, by any chance?

No, we haven't got PBR active.


> Quoting Cliff Albert <cliff-nsp@oisec.net>:
>
> > On Mon, Sep 27, 2004 at 11:10:44AM +0200, Calle Lidström wrote:
> >
> > > >>I have a BigIron 4000 running 07.7.01cT53 on which the ACLs stop working;
> > > >>it sounds a bit weird.. :-)
> > > >>
> > > >>When I apply the ACL f00-out, everything is working as expected but
> > > >>after ~10 hours 0/0 can connect to 10.1.1.2, any port/protocol.
> > > >>
> > > >>I need to re-apply the access-group statement on the interface for the
> > > >>ACL to become "active" again.
> > > >>
> > > >>Has anyone seen this problem before?
> > > >
> > > >
> > > >No, but I have the problem of ACLs working in a very odd way. They
> > > >are very very very flaky if you apply them on virtual interfaces. I
> > > >know this goes through the CPU, however the documentation says that it should
> > > >process it by CAM on 07.7.01 (which I'm also running on a BI4000).
> > > >
> > > >Did you do an ip rebind-acl all ?
> > >
> > > No, that's a new command for me. Though, I'll try that one next time I
> > > notice the problem.
> > >
> > > This behaviour is primarily on ve-interfaces.
> >
> > I have also only seen ACL issues on ve-interfaces. Also weird issues
> > where ACLs are matching packets that are actually on another VLAN but
> > on the same physical interface because it has multiple VEs.
> >
> > I've been contacting my support engineer for this issue but they have
> > still not found the issue after more than 16 months now.
> >
> > BTW, for the record, I'm using an HP9304, which is actually a relabeled
> > Foundry Big Iron 4K with a huge s/Foundry/HP/ over the firmware. It uses
> > EP blades (which is JetCore on Foundry).

--
Cliff Albert <cliff@oisec.net>