cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
628
Views
0
Helpful
2
Replies

C6500 VSS 12.2(33)SXI2a - ACL Bug ?

Hi All,

I have come across a possible bug with ACL processing on the 6500 with the VS-S720-10G-3CXL (in VSS mode) running 12.2(33)SXI2a.

In this example access list:

ip access-list extended VLAN42_OUT

  permit tcp any any established

  permit udp 10.0.0.0 0.0.0.255 any eq tftp

  permit tcp 10.0.0.0 0.0.0.255 any eq 2049

  permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc

  permit udp 10.0.0.0 0.0.0.255 any gt 1023

  deny ip any any log-input

!

Traffic from 10.0.0.1 to a host on the vlan42 (where the ACL is attached)

     TCP return traffic is fine.

     tcp port 2049 is fine    

     rpc is fine

     UDP > 1023 is fine

but UDP to port 69 is blocked despite the explicit permit.

tcpdump on the sending host shows the ICMP admin-denied from the switch for packets sent to destination UDP 69.

If I change that line of permit to permit udp 10.0.0.0 0.0.0.255 any   (without specifying ports), then UDP 69 (and anything else) works fine.

If I set permit udp 10.0.0.0 0.0.0.255 any eq tftp log-input , then nothing is seen in the log for the ACL.

Nothing is seen in either case for the logs for this specific traffic in the logs (associated with the deny ip any any log-input).

If I remove the permit ... tftp line entirely, then I see the blocked packets denied in the log.

Basically it appears that the cisco is DENYING the traffic UDP to port 69, even though it's explictly permitted (and near the top of the ACL), but it is not denying the other similar rules (such as UDP > 1023).

Smells like a bug to me.

(yes, I am aware that tftp uses separate pseudo-random ports for the data transfer, but that's beside the issue at this point...)

Anyone else seen this behaviour ?

Thanks,

Leland

2 REPLIES 2
mahmoodmkl
Rising star

Hi
u r permitting tcp not udp

Sent from Cisco Technical Support iPhone App

erm.. no.. the acl says "permit udp 10.0.0.0 0.0.0.255 any eq tftp"  , so permitting UDP according to the ACL, but the corresponding UDP traffic is still denied (but not counted in the ACL counters, and not logged when using "log-input"), and a corresponding ICMP admin-deny is sent back to the sender.

L.