Mailing List Archive

ACL's on VE match traffic for other VE
Hi there,

I have the following issue with my HP Procurve 9304m (which is a Foundry
BigIron 4K) running 07.7.01bT53.

The problem is as follows:

The Foundry reports a lot of ACL hits (see logfile) on my access-list kpn-in;
however, the traffic it matches is not on the specific VE interface. The kpn-in
ACL is bound to ve 38, but the MAC address that violates the ACL is on ve 20.

Also, all ACLs are handled by the CPU, but as this is a JetCore setup with recent
software it should handle the ACLs in hardware. I know the flow-mode command is
responsible for it, but without it, it looks like it applies on the physical
interface.

I have ip auto-acl-rebind active.

Does anyone have any ideas on why this is happening? HP Support is very unhelpful.

--- Configuration and Logging Below ---

vlan 20 name VLAN_AMSIX by port
tagged ethe 1/2
router-interface ve 20

vlan 38 name VLAN_KPN by port
tagged ethe 1/2
router-interface ve 38

interface ve 38
port-name KPN Eurorings
ip access-group flow-mode
ip access-group kpn-in in
ip address 134.222.97.230/30
no ip redirect

telnet@ams-br01>sh arp mac-address 0005.8501.9400
IP Address MAC Address Type Age Port
1 195.69.144.72 0005.8501.9400 Dynamic 0 1/2

telnet@ams-br01>sh mac 0005.8501.9400
Total active entries from all ports = 243
Type D:Dynamic S:Static L:Lock Address M:Secure Mac
MAC Address Port Age Type DMA Valid Flags VLAN DMA:CAM Index ...
0005.8501.9400 1/2 7 D 00000000-00000001 20 0:33000

CAM Entry Flag: 0000000100000000H
CIDX0: 33000[hw 16616 | 0x040e8]


Hex dump:
0000: 00 05 85 01 94 00 01 40 01 00 00 00 00 50 00 01 | .......@.....P..
0010: 00 07 00 00 00 01 00 00 00 00 00 00 00 00 00 00 | ................
0020: 00 00 ff ff 00 00 80 e8 00 00 00 00 00 00 ff 00 | ................
0030: 00 00 00 00 | ....

Flags: home_cam_ready


ACL kpn-in:

deny ip 192.168.0.0/16 any (Flows: 101343, Packets: 1998, Rule cams used: N/A)
deny ip 172.16.0.0/12 any (Flows: 75688, Packets: 2250, Rule cams used: N/A)
deny ip 10.0.0.0/8 any (Flows: 62332, Packets: 3923, Rule cams used: N/A)
deny ip 127.0.0.0/8 any (Flows: 31254, Packets: N/A, Rule cams used: N/A)
deny ip any host 62.133.194.24 (Flows: 20650, Packets: 1392, Rule cams used: N/A)
permit ip any 62.133.192.0/18 (Flows: 316674080, Packets: N/A, Rule cams used: N/A)
permit ip any 134.222.97.228/30 (Flows: 63638, Packets: N/A, Rule cams used: N/A)
deny ip any any log (Flows: 5367348, Packets: 6275067, Rule cams used: N/A)

ACL Logging:

Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1283)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.48(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1274)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.40(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1269)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.35(20168), 1 event(s)

--
Cliff Albert <cliff@oisec.net>
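The check the post is doing by hand (which VLAN does the offending MAC live in, and is the ACL actually bound to a VE in that VLAN?) can be automated over the device output. The following is an added example, not code from the thread or from Foundry/HP: it parses the `vlan`/`interface ve`/`ip access-group` configuration, the `sh mac` table and the `list ... denied` log lines in the formats shown above, and flags every log event whose source MAC sits in a VLAN that the named ACL is not bound to. The sample inputs are constructed from the values quoted in the post; the regexes assume the exact field layout shown there, and the table's trailing "DMA:CAM Index" column is ignored.

```python
import re
from collections import defaultdict

# Constructed sample inputs, copied from the thread (not live device output).
VLAN_CONFIG = """\
vlan 20 name VLAN_AMSIX by port
 tagged ethe 1/2
 router-interface ve 20
vlan 38 name VLAN_KPN by port
 tagged ethe 1/2
 router-interface ve 38
interface ve 38
 ip access-group flow-mode
 ip access-group kpn-in in
"""

MAC_TABLE = """\
MAC Address Port Age Type DMA Valid Flags VLAN DMA:CAM Index
0005.8501.9400 1/2 7 D 00000000-00000001 20 0:33000
"""

ACL_LOG = """\
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1283)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.48(20168), 1 event(s)
Oct 16 14:59:20:W:list kpn-in denied tcp 80.242.8.140(1274)(Ethernet 1/2 0005.8501.9400) -> 80.242.111.40(20168), 1 event(s)
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\((?P<port>\S+ \S+) (?P<mac>" + MAC_RE + r")\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) event"
)
# MAC, Port, Age, Type, DMA-valid flags, VLAN; anything after VLAN is ignored.
MAC_ROW_RE = re.compile(r"^(" + MAC_RE + r")\s+(\S+)\s+\d+\s+[DSL]\s+\S+\s+(\d+)")


def parse_acl_bindings(config):
    """Return {acl_name: {vlan_id, ...}}: the VLANs whose VE carries each ACL."""
    ve_to_vlan, bindings = {}, defaultdict(set)
    current_vlan = current_ve = None
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "vlan":                          # "vlan 20 name ..."
            current_vlan, current_ve = int(parts[1]), None
        elif parts[:2] == ["router-interface", "ve"]:   # ve N belongs to this VLAN
            ve_to_vlan[int(parts[2])] = current_vlan
        elif parts[:2] == ["interface", "ve"]:          # "interface ve 38"
            current_ve, current_vlan = int(parts[2]), None
        elif parts[:2] == ["ip", "access-group"] and len(parts) >= 4 and current_ve is not None:
            # "ip access-group kpn-in in"; the bare "flow-mode" form has no name.
            bindings[parts[2]].add(ve_to_vlan[current_ve])
    return dict(bindings)


def parse_mac_table(text):
    """Return {mac: (port, vlan)} from 'sh mac' output."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line.strip())
        if m:
            table[m.group(1)] = (m.group(2), int(m.group(3)))
    return table


def parse_acl_log(text):
    """Return one dict per 'list <acl> denied ...' log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events


def find_cross_vlan_hits(events, mac_table, bindings):
    """Flag events whose source MAC is learned in a VLAN the ACL is not bound to."""
    findings = []
    for ev in events:
        port, vlan = mac_table.get(ev["mac"], (None, None))
        bound = sorted(bindings.get(ev["acl"], ()))
        if vlan is None or vlan not in bound:
            findings.append({
                "acl": ev["acl"], "mac": ev["mac"], "src": ev["src"], "dst": ev["dst"],
                "ingress_port": ev["port"], "learned_port": port,
                "source_vlan": vlan, "bound_vlans": bound,
            })
    return findings


if __name__ == "__main__":
    hits = find_cross_vlan_hits(parse_acl_log(ACL_LOG), parse_mac_table(MAC_TABLE),
                                parse_acl_bindings(VLAN_CONFIG))
    for h in hits:
        print(f"{h['acl']}: {h['src']} -> {h['dst']} from {h['mac']} "
              f"(VLAN {h['source_vlan']}, ACL bound to VLAN(s) {h['bound_vlans']})")
```

Run against the captured output, each flagged line is exactly the symptom described in the post: the source MAC is learned in VLAN 20 while kpn-in is bound only to ve 38 (VLAN 38), so the hit cannot be explained by the VE binding alone and points at the ACL being applied per physical port rather than per VE. A MAC that is absent from the table is also flagged, since a hit from an unknown MAC cannot be attributed to any VE.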
ACL's on VE match traffic for other VE [ In reply to ]
On Sat, Oct 16, 2004 at 03:06:21PM +0200, Cliff Albert wrote:

> Also, all ACLs are handled by the CPU, but as this is a JetCore setup with recent
> software it should handle the ACLs in hardware. I know the flow-mode command is
> responsible for it, but without it, it looks like it applies on the physical
> interface.

OK, never mind this question; the docs say that if you apply ACLs on
VEs it has to be the SAME ACL for all VEs. However, all my VEs are
already in flow-mode, so this should not matter to my main problem.

--
Cliff Albert <cliff@oisec.net>