01-25-2013 11:34 AM - edited 03-07-2019 11:18 AM
Hi All,
I have come across a possible bug with ACL processing on the 6500 with the VS-S720-10G-3CXL (in VSS mode) running 12.2(33)SXI2a.
In this example access list:
ip access-list extended VLAN42_OUT
permit tcp any any established
permit udp 10.0.0.0 0.0.0.255 any eq tftp
permit tcp 10.0.0.0 0.0.0.255 any eq 2049
permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc
permit udp 10.0.0.0 0.0.0.255 any gt 1023
deny ip any any log-input
!
Traffic from 10.0.0.1 to a host on vlan42 (where the ACL is attached):
TCP return traffic is fine.
tcp port 2049 is fine
rpc is fine
UDP > 1023 is fine
but UDP to port 69 is blocked despite the explicit permit.
tcpdump on the sending host shows the ICMP admin-denied from the switch for packets sent to destination UDP 69.
If I change that line of permit to permit udp 10.0.0.0 0.0.0.255 any (without specifying ports), then UDP 69 (and anything else) works fine.
If I set permit udp 10.0.0.0 0.0.0.255 any eq tftp log-input, then nothing is seen in the log for the ACL.
Nothing is seen in either case in the logs for this specific traffic (associated with the deny ip any any log-input).
If I remove the permit ... tftp line entirely, then I see the blocked packets denied in the log.
Basically it appears that the Cisco is DENYING the traffic UDP to port 69, even though it's explicitly permitted (and near the top of the ACL), but it is not denying the other similar rules (such as UDP > 1023).
Smells like a bug to me.
(yes, I am aware that tftp uses separate pseudo-random ports for the data transfer, but that's beside the issue at this point...)
Anyone else seen this behaviour ?
Thanks,
Leland
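To make the expected behaviour concrete, here is an added example (not code from the original post or from Cisco): a small first-match evaluator for the ACL as posted. It models only the features that ACL uses (protocol, source wildcard mask, any, eq/gt destination port, established) and reports which line should match each of the flows described above, so the observed UDP/69 drop can be compared against the list's own first-match semantics. The vlan42 host address 192.0.2.42 and the source-port values are constructed sample data; the line numbers are positions in the posted list.

```python
"""Added example: first-match evaluation of the posted IOS extended ACL.
Not the original poster's code and not Cisco's; it models only the ACE
features the posted list uses. 192.0.2.42 is a constructed vlan42 host."""
import ipaddress
from dataclasses import dataclass

# IOS port keywords that appear in the posted ACL.
PORT_NAMES = {"tftp": 69, "sunrpc": 111}

# The ACL as posted (header and '!' omitted). Positions in this list are the
# 1-based line numbers reported by evaluate().
VLAN42_OUT = [
    "permit tcp any any established",
    "permit udp 10.0.0.0 0.0.0.255 any eq tftp",
    "permit tcp 10.0.0.0 0.0.0.255 any eq 2049",
    "permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc",
    "permit udp 10.0.0.0 0.0.0.255 any gt 1023",
    "deny ip any any log-input",
]


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set


def wildcard_match(addr, base, wildcard):
    """IOS wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def parse_ace(line):
    """Parse one access-list entry into its match conditions."""
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "src": None, "dst": None,
           "op": None, "port": None, "established": False}
    i = 2
    for key in ("src", "dst"):          # 'any' or '<addr> <wildcard>'
        if t[i] == "any":
            i += 1
        else:
            ace[key] = (t[i], t[i + 1])
            i += 2
    while i < len(t):
        if t[i] in ("eq", "gt"):
            name = t[i + 1]
            ace["op"] = t[i]
            ace["port"] = PORT_NAMES[name] if name in PORT_NAMES else int(name)
            i += 2
        elif t[i] == "established":
            ace["established"] = True
            i += 1
        elif t[i] in ("log", "log-input"):  # logging does not affect matching
            i += 1
        else:
            raise ValueError(f"unsupported token {t[i]!r} in {line!r}")
    return ace


def ace_matches(ace, flow):
    if ace["proto"] != "ip" and ace["proto"] != flow.proto:
        return False
    for key, addr in (("src", flow.src), ("dst", flow.dst)):
        if ace[key] is not None and not wildcard_match(addr, *ace[key]):
            return False
    if ace["op"] == "eq" and flow.dport != ace["port"]:
        return False
    if ace["op"] == "gt" and flow.dport <= ace["port"]:
        return False
    if ace["established"] and not flow.established:
        return False
    return True


def evaluate(acl, flow):
    """First matching ACE wins; fall through to the implicit deny otherwise."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"], n
    return "deny", None


def expected_results():
    """What the posted ACL should do for the flows described in the post."""
    host = "192.0.2.42"  # constructed vlan42 host address
    flows = {
        "tcp return traffic":    Flow("tcp", "10.0.0.1", host, 45000, established=True),
        "udp/69 tftp":           Flow("udp", "10.0.0.1", host, 69),
        "tcp/2049 nfs":          Flow("tcp", "10.0.0.1", host, 2049),
        "tcp/111 sunrpc":        Flow("tcp", "10.0.0.1", host, 111),
        "udp >1023":             Flow("udp", "10.0.0.1", host, 40000),
        "udp/69 from elsewhere": Flow("udp", "192.168.5.7", host, 69),
        "new tcp syn to 22":     Flow("tcp", "10.0.0.1", host, 22),
    }
    return {name: evaluate(VLAN42_OUT, f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (action, n) in expected_results().items():
        print(f"{name:24s} -> {action} (line {n})")
```

By the list's own semantics, UDP from 10.0.0.0/24 to destination port 69 should hit line 2 and be permitted, exactly as the UDP > 1023 flow hits line 5; only traffic from outside 10.0.0.0/24, or new TCP connections to unlisted ports, should fall through to the deny at line 6. That is the reference against which the hardware drop and the empty ACL counters are being compared.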
01-25-2013 12:08 PM
Hi
You are permitting TCP, not UDP.
Sent from Cisco Technical Support iPhone App
01-25-2013 12:12 PM
Erm... no. The ACL says "permit udp 10.0.0.0 0.0.0.255 any eq tftp", so it is permitting UDP according to the ACL, but the corresponding UDP traffic is still denied (and not counted in the ACL counters, and not logged when using "log-input"), and a corresponding ICMP admin-deny is sent back to the sender.
L.