Catalyst 2950 Storm-Control and IP Access-Group Error

christianlang
Level 1

Hi,

We have some Catalyst 2950T with IOS 12.1(20). We were experiencing problems with Broadcast Storm-Control combined with an assigned IP-ACL on the same interface.

When there was no IP-ACL on the fe-Interface, the Broadcast Storm-Control limited the rate of packets correctly. With an IP-ACL assigned to the Interface, the Switch still reported "blocking" in the "show storm-control" command, but all packets came through - none were dropped.

This behavior was verified with multiple Switches and multiple Software-Releases.

Has somebody experienced the same problem? I have studied the C2950 Release Notes, but I couldn't find any hint about that ...

Thank you very much and best regards,

6 Replies

Hello Christian,

interesting... can you post your configuration (the one with the access list applied)?

Regards,

GP

Hi,

Thank you for your reply:

This is the configuration with the IP ACL applied:

interface FastEthernet0/3
 description USER
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 no ip address
 ip access-group 101 in
 no logging event link-status
 service-policy input pmap-udp
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!

The ACL was:

access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 permit ip any any

and this is the working configuration without the IP-ACL:

interface FastEthernet0/3
 description USER
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 no logging event link-status
 service-policy input pmap-udp
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!

(the "switchport port-security aging type inactivity" was added afterwards and had no effect on the problem);

Thank you!

Hello,

for some reason the access list is overriding the storm control settings... can you add the 'log' keyword to your 'permit ip any any' statement and check what the access list actually allows through, that is, whether there are broadcast or multicast packets allowed and where they come from?

Regards,

GP

Hello,

Sorry for the late answer:

I am sorry, but I couldn't get any further information because the log keyword seems not to be supported here:

%Error: Access-list with 'log' keyword is not supported on Ethernet Interface.

We tried this now with the latest ED-Release 12.1.22EA4 on the C2950T - it is still the same behavior ...

Here is the Access-List we tested with:

access-list 101 deny udp any any eq netbios-ns
access-list 101 deny udp any any eq netbios-dgm
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 445
access-list 101 permit ip any any

and here the interface config:

interface FastEthernet0/18
 description USER
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip access-group 101 in
 no logging event link-status
 service-policy input pmap-udp
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
 spanning-tree portfast
 ip dhcp snooping limit rate 20
!

Thank you and best regards,

Christian

Something we tried in addition:

The problem also exists with a simple "permit ip any any" ACL or "permit udp any any" ...

Is there any chance to report a Bug to Cisco Systems without having a support-contract?

Thank you & best regards,
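The thread identifies one specific combination that left storm-control ineffective on these switches: an `ip access-group ... in` and a `storm-control ... level` command on the same interface. The following is an added audit script, not part of the thread, that parses a running-config and flags every interface carrying both, so the affected ports can be checked with "show storm-control" or the ACL moved elsewhere. The config text is constructed for the example, modelled on the stanzas posted above.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the thread), modelled on the posted stanzas.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 description USER
 switchport access vlan 10
 ip access-group 101 in
 storm-control broadcast level 0.01
 storm-control multicast level 0.01
!
interface FastEthernet0/4
 description USER
 storm-control broadcast level 0.01
!
interface FastEthernet0/18
 description USER
 ip access-group 101 in
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the sub-commands of each 'interface ...' stanza; '!' or a blank line ends a stanza."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line.strip():
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def find_acl_storm_control_overlap(config: str) -> List[str]:
    """Return interfaces that have both an inbound IP ACL and any storm-control level,
    the combination reported in the thread as leaving storm-control ineffective."""
    flagged = []
    for name, lines in parse_interfaces(config).items():
        has_acl = any(re.match(r"ip access-group \S+ in$", l) for l in lines)
        has_storm = any(l.startswith("storm-control ") for l in lines)
        if has_acl and has_storm:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for intf in find_acl_storm_control_overlap(SAMPLE_CONFIG):
        print(f"{intf}: ip access-group and storm-control both applied; verify drops with 'show storm-control'")
```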