ASR1001 IOS XE 3.2.0S Reflexive Access Lists

Stefan Giera
Level 1

Hi there,

We bought some ASR 1001 because we need the reflexive ACL feature.

Now we have received and tested them, but although the Feature Navigator says that reflexive ACLs are available for IOS XE 3.2.0S, I am not able to configure reflexive ACLs on the ASR:

Router(config)#ip access-list extended test
Router(config-ext-nacl)#permit udp any any  ?
  dscp        Match packets with given dscp value
  eq          Match only packets on a given port number
  fragments   Check non-initial fragments
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  option      Match packets with given IP Options value
  precedence  Match packets with given precedence value
  range       Match only packets in the range of port numbers
  time-range  Specify a time-range
  tos         Match packets with given TOS value
  <cr>

Router(config-ext-nacl)#permit tcp any any  ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  match-all    Match if all specified flags are present
  match-any    Match if any specified flag is present
  neq          Match only packets not on a given port number
  option       Match packets with given IP Options value
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

Is this an error on the Feature Navigator or am I too stupid to configure this?

Thanks for any answers ;-)

Here is what "sh ver" says on the router:

Router#sh ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.1(1)S, RELEASE SOFTWARE (fc1)

License Package Information for Module:'asr1001'

ROM: IOS-XE ROMMON

Router uptime is 20 hours, 2 minutes
Uptime for this control processor is 20 hours, 3 minutes
System returned to ROM by reload at 04:33:34 UTC Sun Jul 17 2011
System image file is "bootflash:asr1001-universal.03.02.00.S.151-1.S.bin"
Last reload reason: PowerOn

Module name   Image level          Priority   Configured   Valid license
asr1001       adventerprise        1          NO           adventerprise
              advipservices        2          NO           advipservices
              ipbase               3          NO           ipbase

Current License Level: ipbase

cisco ASR1001 (1RU) processor with 1217912K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
1 Ten Gigabit Ethernet interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7782399K bytes of eUSB flash at bootflash:.

Configuration register is 0x2102

6 Replies

Rozsa Illes
Cisco Employee

Hello Stefan,

I find it strange that the feature is listed only for ASR1001 and not for the other ASR models. I would expect this feature to be model independent so I would not be surprised if it was a mistake in feature navigator.

However, what you could try to do is to enable adventerprise or advipservices feature set. According to the show version, the current license level is ipbase.

Did you consider using ZBF? If you need to dynamically filter incoming packets based on the outbound connection, the firewall configuration would achieve this too.

Warm Regards,

Rose

Hi Rose,

I find it strange that the feature is listed only for ASR1001 and not for the other ASR models. I would expect this feature to be model independent so I would not be surprised if it was a mistake in feature navigator.

That is strange for me, too, because we already have some ASR1002 in use and therefore knew that they cannot handle reflexive ACLs. We wrote a few emails to our local dealer and he confirmed that the feature is available. But he only looked in the Feature Navigator...

However, what you could try to do is to enable adventerprise or advipservices feature set. According to the show version, the current license level is ipbase.

I also changed that a few times this morning (in configuration mode: "license boot module asr1001 group all level adventerprise", etc.), but unfortunately it had no effect...

Did you consider using ZBF? If you need to dynamically filter incoming packets based on the outbound connection, the firewall configuration would achieve this too.

What's that, ZBF? Is it the firewall feature with ip inspect? Yes, that is basically what I want to do here.

But therefore I need the firewall license, correct?

Thanks for your help and kind regards,

Stefan

Hello Stefan,

Yes, ZBF is zone based firewall. I guess you would find this pretty quickly too but here is some information about the configuration:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html

Unfortunately, it will indeed need the security feature set at least.

About reflexive ACLs, I was trying to check further because of the discrepancies and the internal discussions I found indicate that it would not be supported. The reasoning was that ZBF would do the same and it should also be more flexible than reflexive ACLs.

Warm Regards,

Rose
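The reflexive ACL that Stefan was after and the ZBF configuration Rose recommends, side by side, as an added example that is not part of the original thread. Zone, class-map, policy-map and interface names are assumptions; the reflexive ACL half only applies on platforms that support the feature (per the thread, not this ASR1001), and the ZBF half requires the security feature set.

```cisco
! --- Reflexive ACL approach (classic IOS; assumed interface names) ---
! Outbound matches create temporary "reflected" entries; the inbound ACL
! evaluates them, so only return traffic of outbound sessions gets in.
ip access-list extended OUTBOUND
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any reflect RETURN-TRAFFIC
ip access-list extended INBOUND
 evaluate RETURN-TRAFFIC
 deny ip any any log
interface GigabitEthernet0/0/1
 description WAN (assumed interface name)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! --- Zone-Based Firewall equivalent (what the thread recommends) ---
! Stateful inspection of INSIDE -> OUTSIDE sessions permits only their
! return traffic back in. With no OUTSIDE -> INSIDE zone-pair configured,
! unsolicited inbound packets are dropped by default.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
interface GigabitEthernet0/0/0
 description LAN (assumed interface name)
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 description WAN (assumed interface name)
 zone-member security OUTSIDE
```

After applying the ZBF half, "show policy-map type inspect zone-pair sessions" lists the inspected sessions whose return traffic is currently allowed in.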

Hello Rose,

Thanks for your answer.

I think we will purchase the firewall feature set for dynamically filtering the incoming packets.

How can I inform Cisco about the wrong entry in the Feature Navigator?

Kind regards,

Stefan

Hello Stefan,

I think via the Feedback button on the Feature Navigator. I sent a note via this option to the team watching the tool too.

Warm Regards,

Rose
