07-28-2011 12:09 AM - edited 03-04-2019 01:06 PM
Hi there,
we bought some ASR 1001, because we need the reflexive ACL Feature.
Now we have received and tested them, but although Feature Navigator says that reflexive ACLs are available for IOS XE 3.2.0S,
I am not able to configure reflexive ACLs on the ASR:
Router(config)#ip access-list extended test
Router(config-ext-nacl)#permit udp any any ?
dscp Match packets with given dscp value
eq Match only packets on a given port number
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
option Match packets with given IP Options value
precedence Match packets with given precedence value
range Match only packets in the range of port numbers
time-range Specify a time-range
tos Match packets with given TOS value
<cr>
Router(config-ext-nacl)#permit tcp any any ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
match-all Match if all specified flags are present
match-any Match if any specified flag is present
neq Match only packets not on a given port number
option Match packets with given IP Options value
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
Is this an error in the Feature Navigator, or am I too stupid to configure this?
Thanks for any answers ;-)
Here is what "sh ver" says on the router:
Router#sh ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.1(1)S, RELEASE SOFTWARE (fc1)
License Package Information for Module:'asr1001'
ROM: IOS-XE ROMMON
Router uptime is 20 hours, 2 minutes
Uptime for this control processor is 20 hours, 3 minutes
System returned to ROM by reload at 04:33:34 UTC Sun Jul 17 2011
System image file is "bootflash:asr1001-universal.03.02.00.S.151-1.S.bin"
Last reload reason: PowerOn
Module name Image level Priority Configured Valid license
asr1001 adventerprise 1 NO adventerprise
advipservices 2 NO advipservices
ipbase 3 NO ipbase
Current License Level: ipbase
cisco ASR1001 (1RU) processor with 1217912K/6147K bytes of memory.
4 Gigabit Ethernet interfaces
1 Ten Gigabit Ethernet interface
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
7782399K bytes of eUSB flash at bootflash:.
Configuration register is 0x2102
07-28-2011 03:55 AM
Hello Stefan,
I find it strange that the feature is listed only for ASR1001 and not for the other ASR models. I would expect this feature to be model independent so I would not be surprised if it was a mistake in feature navigator.
However, what you could try to do is to enable adventerprise or advipservices feature set. According to the show version, the current license level is ipbase.
Did you consider using ZFB? If you need to dynamically filter incoming packets based on the outbound connection, the firewall configuration would achieve this too.
Warm Regards,
Rose
07-28-2011 04:19 AM
Hi Rose,
I find it strange that the feature is listed only for ASR1001 and not for the other ASR models. I would expect this feature to be model independent so I would not be surprised if it was a mistake in feature navigator.
that is strange for me, too - because we already have some ASR1002 in use and therefore knew that they cannot handle reflexive ACLs. We wrote a few emails to our local dealer and he confirmed, that the feature is available. But he only looked in the Feature Navigator...
However, what you could try to do is to enable adventerprise or advipservices feature set. According to the show version, the current license level is ipbase.
I changed that also a few times this morning (in configuration mode: "license boot module asr1001 group all level adventerprise" etc...), but unfortunately it had no effect...
Did you consider using ZFB? If you need to dynamically filter incoming packets based on the outbound connection, the firewall configuration would achieve this too.
What's that, ZFB? Is it the Firewall Feature with ip inspect? Yes, that is basically what I want to do here.
But for that I need the firewall license, correct?
Thanks for your help and kind regards,
Stefan
07-28-2011 05:06 AM
Hello Stefan,
Yes, ZBF is zone based firewall. I guess you would find this pretty quickly too but here is some information about the configuration:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html
Unfortunately, it will indeed need the security feature set at least.
About reflexive ACLs, I was trying to check further because of the discrepancies and the internal discussions I found indicate that it would not be supported. The reasoning was that ZBF would do the same and it should also be more flexible than reflexive ACLs.
Warm Regards,
Rose
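As an added illustration (not part of this thread and not taken from Cisco's documentation), the first half below is the reflexive ACL configuration Stefan was trying to enter; the `reflect` and `evaluate` keywords it relies on are exactly what is missing from his `?` output. The second half is the zone-based firewall equivalent Rose describes, which inspects outbound sessions and admits only their return traffic. Interface names, ACL names, zone names and the 300/60-second timeouts are assumptions for an ASR1001 with GigabitEthernet0/0/0 facing the inside network and GigabitEthernet0/0/1 facing the outside.

```cisco
! ---- Reflexive ACL form (will not parse on the ASR1001 in this thread) ----
! Outbound traffic creates temporary reflexive entries; inbound traffic is
! permitted only if it matches one of those entries.
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
ip access-list extended INBOUND-EVALUATE
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 deny ip any any
interface GigabitEthernet0/0/1
 description assumed outside-facing interface
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-EVALUATE in

! ---- Zone-based firewall form (what Rose suggests instead) ----
! Class: which protocols to track statefully
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp
! Policy: inspect matching traffic, drop everything else
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
! Zones and the single direction we allow new sessions in
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
! Bind interfaces to zones (assumed interface roles)
interface GigabitEthernet0/0/0
 description assumed inside-facing interface
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 description assumed outside-facing interface
 zone-member security OUTSIDE
```

Because there is no zone-pair from OUTSIDE to INSIDE, unsolicited packets arriving on the outside interface are dropped, while replies to inspected sessions are let back in; that is the same effect the reflexive ACL was meant to give. Two practical checks: `show policy-map type inspect zone-pair sessions` lists the sessions currently being tracked, and traffic to and from the router itself belongs to the implicit self zone, which is not restricted by the pair above, so management access to the ASR should be covered separately (for example with a self-zone policy or a control-plane ACL).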
07-28-2011 07:16 AM
Hello Rose,
thanks for Your answer.
I think we will purchase the Firewall Feature set for filtering dynamically the incoming packets.
How can I inform Cisco about the wrong entry in the Feature Navigator?
Kind regards,
Stefan
07-28-2011 07:27 AM
Hello Stefan,
I think via the Feedback button on the Feature Navigator. I sent a note via this option to the team watching the tool too.
Warm Regards,
Rose
08-16-2019 09:08 PM
There is an ENH for this:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn75709/?reffering_site=dumpcr
Hope this helps.