Different behavior for access-list between my 2811 w/ 12.4 and 2911 w/ 15.1

ekleinbussink
Level 1

Hi!

Looking for advice on what I am missing.

I have recently purchased 2911 routers running 15.1 to replicate a system I had implemented using 2811 routers running 12.4 a few years ago. None of my applications and servers have changed, but I am trying to determine why the router access-lists on my serial links are not behaving the same. I don't keep up with Cisco changes, so I am hoping someone can give me a hint.

On my original system, which is a private network that distributes a lot of UDP broadcast and multicast data to remote sites over 64k serial lines, I manage some of the UDP broadcast data using access-lists. When I check on my 2811-based system, "show ip access-list" shows a nice distribution of filter hits showing my expected deny/permit access-list entries working as expected, allowing me to filter the particular UDP broadcast ports of interest on the various serial interfaces.

On my 2911-based system, with most other elements the same, the access-list is not working correctly, and I see data getting through the access control to the other side of the serial link. Using tcpdump and other tools on the remote systems my routers attach to, it looks like the access control is basically ignored... though if I "shutdown / no shutdown" the serial link between the routers, it definitely stops and restarts the flow of data, so I know data is travelling over that interface... When I run "show ip access-list" on the 2911, I see tons of hits on one deny filter and on the last "ip permit any any" filter, but the other "deny udp any any eq XXX" port filters are simply not registering denies, which they should be, since I see my server sending the data and my client systems receiving the extra data I am supposed to be filtering on the router...

Is there potentially a new feature or command set option that I am missing to correctly filter outbound data from my serial links?

On 2811 w/ an HWIC 4A/S

int s0/0/0
  ip access-group sample1 out
...
!
ip access-list extended sample1
  deny udp any any eq 45000
  deny udp any any eq 45001
  deny udp any any eq 45002
...
  permit ip any any
!

On my 2911 w/ an HWIC 4A/S

same setup.

2 Replies

lgijssel
Level 9

Since you are mentioning the forwarding of udp broadcasts, there may be a relation to the way this was configured on the two routers using the command: ip forward-protocol {udp [port] | nd | sdns}

The command is described here:

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i1g.html#wp1108053

Using the no-form of the command, it is possible to allow or filter particular types of udp traffic.

The defaults are quite generous and may differ between the platforms.

Please check this.

regards,

Leo

Yes, I do generate most of my broadcast udp with "ip helper-address" and use "ip forward-protocol". I have been researching this myself also, and I think it may have to do with a new feature in 15.x called "ip access-list helper egress check", which looks like it would match two things I have seen..

1) Only UDP broadcast being filtered right now is not being generated from my "ip helper-address" / ip forward-protocol statements..

2) Description of "helper egress check" in cisco command reference says "Enables permit or deny matching capability for an outbound access list that is applied to an interface, for traffic that is relayed via the IP helper feature to a destination server address"

I would try the command, but I can't figure out the context in which the router will accept it.

My router is running 15.1(3)T.. should this version have the "helper egress check" option?
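As an added illustration of how the pieces discussed in this thread fit together (this is not the original poster's running config, nor a Cisco reference config): the global command quoted above is placed alongside the serial-interface ACL from the question. The interface name Serial0/0/0, the ACL name sample1 and the UDP ports 45000-45002 come from the thread; the helper-address target 192.0.2.10 and the LAN interface GigabitEthernet0/0 are assumed placeholders.

```cisco
! Added example, not the poster's configuration. Serial0/0/0, the ACL
! name and the UDP ports are from the thread; 192.0.2.10 and
! GigabitEthernet0/0 are assumed placeholders.
!
! Global setting: make an outbound ACL on an interface evaluate traffic
! that is being relayed by "ip helper-address", so the deny entries in
! sample1 can match that relayed traffic as well as ordinary forwarded
! traffic.
ip access-list helper egress check
!
! Relay UDP broadcasts on port 45000 (in addition to the defaults) to the
! helper address; the serial ACL below then decides per interface which
! relayed ports may leave toward the remote site.
ip forward-protocol udp 45000
!
! LAN side where the UDP broadcasts originate.
interface GigabitEthernet0/0
 ip helper-address 192.0.2.10
!
! Serial side toward the remote site; outbound ACL applied here.
interface Serial0/0/0
 ip access-group sample1 out
!
! "eq" after the destination "any" matches the destination UDP port only.
ip access-list extended sample1
 deny udp any any eq 45000
 deny udp any any eq 45001
 deny udp any any eq 45002
 permit ip any any
!
```

To confirm the deny entries are actually being evaluated, reset the counters with "clear ip access-list counters sample1", let the broadcast source run for a minute, then compare "show ip access-lists sample1" on the 2811 and the 2911: the deny lines for the relayed ports should accumulate matches on both platforms once the global setting is present, and a capture on the remote side of Serial0/0/0 should no longer show those ports.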