11-06-2008 12:56 PM - edited 03-04-2019 12:13 AM
I have been looking for days at why this config does not work. I don't even get any debug message out of it. The problem is that the router seems to pass all traffic, regardless of access-lists or whatever. It's just as if both Ethernet ports on the router were a hub or switch, and the router engine is simply being ignored.
Quite the same config runs fine on a 12.4 router, but I can't get it to work on 12.3. Is there something special I forgot?
Greets!
Mark.
11-06-2008 01:23 PM
Mark
You are right that your access lists are being ignored. And the reason is that you have applied them to the physical interfaces (FastE0/0 and FastE0/1) but they have no IP address and therefore are not processing IP and can not process the access list. You need to move the access lists to the BVI interface which is where the IP processing for these interfaces takes place.
I will also note that it seems very strange to me to be using IRB and to bridge together the interfaces whose comments indicate that they are the DMZ and the Internet. Why are you bridging between the DMZ and the Internet?
HTH
Rick
11-06-2008 02:22 PM
Hi Rick,
Thanks for your reply. I would like to believe you, but the example is from the Cisco website at http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_trans.html
Halfway down is a complete script setup with an access-group on a physical Ethernet interface.
But I tried your suggestion, without result...
I have also issued a debug all for a short while, and this is what I see:
SNMP: HC Timer 82C3EC48 fired
*Mar 1 06:20:50.826: SNMP: HC Timer 82C3EC48 rearmed, delay = 20000
*Mar 1 06:20:51.138: SNMP: HC Timer 82C49DBC fired
*Mar 1 06:20:51.138: SNMP: HC Timer 82C49DBC rearmed, delay = 5000
*Mar 1 06:20:51.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:53.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:55.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:56.138: SNMP: HC Timer 82C49DBC fired
*Mar 1 06:20:56.138: SNMP: HC Timer 82C49DBC rearmed, delay = 5000
*Mar 1 06:20:57.286: STP: opt: Bridge group 10: get ports: no free chunk available
rokscom-brfw01#no
*Mar 1 06:20:58.378:
*Mar 1 06:20:58.378: Rudpv1 Sent: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 06:20:58.378: Rudpv1 Rcvd: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 06:20:58.378: Rudpv1 Discarded: 0, Retransmitted 0
*Mar 1 06:20:58.378:
*Mar 1 06:20:59.286: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 06:20:59.358: CBAC FUNC: inspect_timers
*Mar 1 06:20:59.358: CBAC FUNC: insp_sample_session_rate debug all
All possible debugging has been turned off
rokscom-brfw01#
*Mar 1 06:21:01.138: SNMP: HC Timer 82C49DBC fired
*Mar 1 06:21:01.138: SNMP: HC Timer 82C49DBC rearmed, delay = 5000
*Mar 1 06:21:01.286: STP: opt: Bridge group 10: get ports: no free chunk available
rokscom-brfw01#
It keeps saying "no chunk available".
Can you tell me what you mean by bridge irb? It's also from the example, and I am bridging between the Internet and the DMZ with a number of access-lists... (at least I am trying :-)
Greets,
Mark.
11-06-2008 02:46 PM
Please also mind this debug:
rokscom-brfw01#debug all
This may severely impact network performance. Continue? (yes/[no]): yes
All possible debugging has been turned on
rokscom-brfw01#
*Mar 1 00:03:25.275: SNMP: HC Timer 82C2DD3C fired
*Mar 1 00:03:25.275: SNMP: HC Timer 82C2DD3C rearmed, delay = 5000
*Mar 1 00:03:26.275: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 00:03:26.435:
*Mar 1 00:03:26.435: Rudpv1 Sent: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 00:03:26.435: Rudpv1 Rcvd: Pkts 0, Data Bytes 0, Data Pkts 0
*Mar 1 00:03:26.439: Rudpv1 Discarded: 0, Retransmitted 0
*Mar 1 00:03:26.439:
*Mar 1 00:03:27.911: CDP-PA: Packet received from dmz2lan on interface FastEthernet0/1
*Mar 1 00:03:27.911: **Entry found in cache**
*Mar 1 00:03:27.931: CDP-IP: IP TLV length (5) invalid for default route.
Expecting default route from hub router
*Mar 1 00:03:28.119: CDP-IP: Writing prefix 217.166.55.96/27
*Mar 1 00:03:28.119: CDP-PA: version 2 packet sent out on FastEthernet0/0
*Mar 1 00:03:28.123: CDP-IP: Writing prefix 217.166.55.96/27
*Mar 1 00:03:28.123: CDP-PA: version 2 packet sent out on FastEthernet0/1
*Mar 1 00:03:28.275: STP: opt: Bridge group 10: get ports: no free chunk available
*Mar 1 00:03:28.823: IRB-CEF: LE vector failed on BVI10, enqueued to IP queue
>> Expecting default route from hub router....
Greets,
Mark.
11-06-2008 08:05 PM
Mark
The documentation in the link you posted does show access list and ip inspect on the physical interfaces, which have no ip addresses. In my experience, if you attempt to do something like an ip access list on an interface that does not have an ip address, it would not work. There must be something special in the code for transparent firewall (or perhaps it is associated with the bridge-group on the interface) that allows the access list to function.
I am not clear what the error messages indicate. "no free chunk" sounds to me like a problem with memory. Perhaps it is time to think about opening a case with Cisco TAC.
HTH
Rick
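Putting the two access-list placements discussed in Rick's first and second replies side by side, as an added IOS configuration fragment that is neither the poster's config nor the Cisco guide's sample: an ACL on a bridge-group member interface with no IP address is evaluated on bridged frames only where the image supports the transparent firewall feature the linked guide describes, while an ACL on the BVI only sees traffic routed into or out of the bridge group, never frames bridged directly between FastEthernet0/0 and FastEthernet0/1. The interface names and bridge group 10 follow the thread; the addresses (documentation range 192.0.2.0/24), the ACL names and the permitted hosts are placeholders.

```cisco
! Added example (not the poster's config): where an IP access list is evaluated
! in an IRB bridge group. Addresses and ACL names are placeholders.
bridge irb
bridge 10 protocol ieee
bridge 10 route ip
!
ip access-list extended DMZ-IN
 remark Placeholder policy for frames bridged from Internet to DMZ
 remark Only honoured on a Layer 2 member by transparent-firewall capable code
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
!
ip access-list extended BVI-IN
 remark Placeholder policy for traffic routed into bridge group 10 via BVI10
 permit icmp any 192.0.2.0 0.0.0.31 echo
 deny ip any any log
!
interface FastEthernet0/0
 description Internet side - Layer 2 member of bridge group 10, no IP address
 no ip address
 ip access-group DMZ-IN in
 bridge-group 10
!
interface FastEthernet0/1
 description DMZ side - Layer 2 member of bridge group 10, no IP address
 no ip address
 bridge-group 10
!
interface BVI10
 description Routed leg of bridge group 10 - sees routed traffic only
 ip address 192.0.2.1 255.255.255.224
 ip access-group BVI-IN in
```

A quick check of which placement is taking effect is "show ip access-lists", whose per-entry match counters stay at zero on an ACL the platform is not evaluating.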