I have come across a possible bug with ACL processing on the 6500 with the VS-S720-10G-3CXL (in VSS mode) running 12.2(33)SXI2a.
In this example access list:
ip access-list extended VLAN42_OUT
permit tcp any any established
permit udp 10.0.0.0 0.0.0.255 any eq tftp
permit tcp 10.0.0.0 0.0.0.255 any eq 2049
permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc
permit udp 10.0.0.0 0.0.0.255 any gt 1023
deny ip any any log-input
Traffic from 10.0.0.1 to a host on vlan42 (where the ACL is attached):
TCP return traffic is fine.
tcp port 2049 is fine
rpc is fine
UDP > 1023 is fine
but UDP to port 69 is blocked despite the explicit permit.
tcpdump on the sending host shows the ICMP admin-denied from the switch for packets sent to destination UDP 69.
If I change that line of permit to permit udp 10.0.0.0 0.0.0.255 any (without specifying ports), then UDP 69 (and anything else) works fine.
If I set permit udp 10.0.0.0 0.0.0.255 any eq tftp log-input, then nothing is seen in the log for the ACL.
Nothing is seen in either case in the logs for this specific traffic (associated with the deny ip any any log-input).
If I remove the permit ... tftp line entirely, then I see the blocked packets denied in the log.
Basically it appears that the cisco is DENYING the traffic UDP to port 69, even though it's explicitly permitted (and near the top of the ACL), but it is not denying the other similar rules (such as UDP > 1023).
Smells like a bug to me.
(yes, I am aware that tftp uses separate pseudo-random ports for the data transfer, but that's beside the issue at this point...)
erm.. no.. the ACL says "permit udp 10.0.0.0 0.0.0.255 any eq tftp", so it is permitting UDP according to the ACL, but the corresponding UDP traffic is still denied (but not counted in the ACL counters, and not logged when using "log-input"), and a corresponding ICMP admin-deny is sent back to the sender.
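To make the expected behaviour explicit, here is a small first-match evaluator for the subset of IOS extended-ACL syntax used in the posted VLAN42_OUT list. This is an added example, not code from the thread or from Cisco; the flows it checks (10.0.0.1 sending to a constructed host 10.42.0.5 on vlan42) are made up for illustration, and the port-name table covers only the names the posted ACL uses. Running it shows which entry each flow should hit under documented first-match semantics, which is the baseline you compare against the counters and log output when deciding whether a platform really is dropping traffic an ACE permits.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax.

Added example (not from the original thread). Parses the ACL posted above
and reports which entry each constructed flow would match, so observed
behaviour (counters, log-input hits, ICMP admin-prohibited) can be checked
against the expected decision.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Only the port names that appear in the posted ACL (assumption: a real
# IOS image knows many more names than these two).
PORT_NAMES = {"tftp": 69, "sunrpc": 111}

# Constructed copy of the ACL from the post.
ACL_TEXT = """
ip access-list extended VLAN42_OUT
 permit tcp any any established
 permit udp 10.0.0.0 0.0.0.255 any eq tftp
 permit tcp 10.0.0.0 0.0.0.255 any eq 2049
 permit tcp 10.0.0.0 0.0.0.255 any eq sunrpc
 permit udp 10.0.0.0 0.0.0.255 any gt 1023
 deny ip any any log-input
"""


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp" or "udp"
    src: Optional[Tuple[int, int]]    # (network, wildcard) or None for "any"
    dst: Optional[Tuple[int, int]]
    op: Optional[str] = None          # "eq", "gt" or "lt" on destination port
    port: Optional[int] = None
    established: bool = False         # only meaningful for tcp
    text: str = ""


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(t, i):
    """Consume one address spec at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(t[i]))
    wild = int(ipaddress.IPv4Address(t[i + 1]))
    return (net, wild), i + 2


def parse_acl(text: str):
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] not in ("permit", "deny"):
            continue  # skips the "ip access-list extended NAME" header
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        e = Entry(t[0], t[1], src, dst, text=line.strip())
        while i < len(t):
            if t[i] in ("eq", "gt", "lt"):
                e.op, e.port = t[i], _port(t[i + 1])
                i += 2
            elif t[i] == "established":
                e.established = True
                i += 1
            elif t[i] in ("log", "log-input"):
                i += 1  # logging does not affect the match decision
            else:
                raise ValueError(f"unsupported token {t[i]!r} in: {line}")
        entries.append(e)
    return entries


def _addr_ok(spec, ip: str) -> bool:
    if spec is None:
        return True
    net, wild = spec
    # Wildcard bits set to 1 are "don't care": differences there are ignored.
    return ((int(ipaddress.IPv4Address(ip)) ^ net) & ~wild) == 0


def _port_ok(e: Entry, dport: int) -> bool:
    if e.op is None:
        return True
    return {"eq": dport == e.port, "gt": dport > e.port, "lt": dport < e.port}[e.op]


def evaluate(entries, proto, src, dst, dport, ack=False):
    """Return (action, matching entry text); implicit deny if nothing matches."""
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not _addr_ok(e.src, src) or not _addr_ok(e.dst, dst):
            continue
        if e.proto == "tcp" and e.established and not ack:
            continue  # "established" needs ACK/RST set, i.e. return traffic
        if not _port_ok(e, dport):
            continue
        return e.action, e.text
    return "deny", "implicit deny"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for flow in [("udp", "10.0.0.1", "10.42.0.5", 69),
                 ("udp", "10.0.0.1", "10.42.0.5", 5000),
                 ("tcp", "10.0.0.1", "10.42.0.5", 2049),
                 ("udp", "10.0.0.1", "10.42.0.5", 68)]:
        print(flow, "->", evaluate(ACL, *flow))
```

The UDP/69 flow from 10.0.0.1 resolves to the second entry (the tftp permit) before the final deny is ever consulted, so under first-match semantics it should neither be dropped nor show up against the deny counter. When the device drops it without incrementing either the permit or the deny counter, as the post describes, that gap between expected and observed is the thing to capture for the vendor case.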