I have come across a possible bug with ACL processing on the 6500 with the VS-S720-10G-3CXL (in VSS mode) running 12.2(33)SXI2a.
In this example access list:
ip access-list extended VLAN42_OUT
permit tcp any any established
permit udp 10.0.0.0 0.0.0.255 any eq tftp
permit tcp 10.0.0.0 0.0.0.255 any eq 2049
permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc
permit udp 10.0.0.0 0.0.0.255 any gt 1023
deny ip any any log-input
Traffic from 10.0.0.1 to a host on vlan42 (where the ACL is attached):
TCP return traffic is fine.
TCP port 2049 is fine.
RPC is fine.
UDP > 1023 is fine.
But UDP to port 69 is blocked despite the explicit permit.
tcpdump on the sending host shows the ICMP admin-denied from the switch for packets sent to destination UDP 69.
If I change that permit line to "permit udp 10.0.0.0 0.0.0.255 any" (without specifying ports), then UDP 69 (and anything else) works fine.
If I set "permit udp 10.0.0.0 0.0.0.255 any eq tftp log-input", then nothing is seen in the log for the ACL.
In either case, nothing is seen in the logs for this specific traffic (i.e. nothing associated with the "deny ip any any log-input").
If I remove the permit ... tftp line entirely, then I see the blocked packets denied in the log.
Basically, it appears that the Cisco is DENYING UDP traffic to port 69, even though it's explicitly permitted (and near the top of the ACL), but it is not denying traffic matching the other similar rules (such as UDP > 1023).
Smells like a bug to me.
(yes, I am aware that tftp uses separate pseudo-random ports for the data transfer, but that's beside the issue at this point...)
erm.. no.. the ACL says "permit udp 10.0.0.0 0.0.0.255 any eq tftp", so it is permitting UDP according to the ACL, but the corresponding UDP traffic is still denied (and not counted in the ACL counters, and not logged when using "log-input"), and a corresponding ICMP admin-deny is sent back to the sender.
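As an added illustration (not code from the post or from Cisco), the Python model below evaluates the posted ACL with the standard first-match, implicit-deny semantics, so the expected verdict for each of the flows listed above can be checked against what the switch actually did; the vlan42 destination 10.42.0.10 is a constructed address, and only the ACE syntax used in this ACL is parsed.

```python
import ipaddress
# The ACL from the post (copied here without the "ip access-list extended" header).
ACL_TEXT = """\
permit tcp any any established
permit udp 10.0.0.0 0.0.0.255 any eq tftp
permit tcp 10.0.0.0 0.0.0.255 any eq 2049
permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc
permit udp 10.0.0.0 0.0.0.255 any gt 1023
deny ip any any log-input
"""
PORT_NAMES = {"tftp": 69, "sunrpc": 111}  # IOS port keywords used in this ACL

def _parse_addr(tok):
    """Consume 'any' or 'ADDR WILDCARD'; return (ip_network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    mask = ".".join(str(255 - int(o)) for o in tok[1].split("."))  # wildcard -> netmask
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _parse_port(tok):
    """Consume an optional 'eq PORT' / 'gt PORT' qualifier; return ((op, port) or None, rest)."""
    if tok and tok[0] in ("eq", "gt"):
        return (tok[0], PORT_NAMES.get(tok[1]) or int(tok[1])), tok[2:]
    return None, tok

def parse_acl(text):
    """Parse each ACE into a dict, preserving order (first match wins)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[0], tok[1]
        src, tok = _parse_addr(tok[2:])
        sport, tok = _parse_port(tok)
        dst, tok = _parse_addr(tok)
        dport, tok = _parse_port(tok)
        entries.append(dict(line=line, action=action, proto=proto, src=src, dst=dst,
                            sport=sport, dport=dport, established="established" in tok))
    return entries

def _port_ok(rule, port):
    return rule is None or (port == rule[1] if rule[0] == "eq" else port > rule[1])

def evaluate(entries, proto, src, sport, dst, dport, established=False):
    """First-match evaluation with the implicit deny at the end; returns (action, matching ACE)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if (e["proto"] in ("ip", proto) and s in e["src"] and d in e["dst"]
                and _port_ok(e["sport"], sport) and _port_ok(e["dport"], dport)
                and (established or not e["established"])):
            return e["action"], e["line"]
    return "deny", "implicit deny ip any any"
```

Per these semantics UDP 10.0.0.1 to port 69 should hit the second ACE and be permitted, which is why the ICMP admin-prohibited seen in tcpdump, together with the empty ACL counters and missing log entries, points at the platform's ACL handling rather than at the ACL itself.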