From: BitGossip (bit.gossip@chello.nl)
Date: Sat Feb 17 2007 - 17:05:11 ART
Group,
I have noticed that lock-and-key ACL works on my Cat in a very erratic way:
- when the dynamic entry contains a TCP port number, traffic to the
destination is never allowed even if the show ACL shows that the temporary
entry is active
- if instead there is no port number, traffic is allowed only after
authentication, which is good. But when the time-out expires, and the
dynamic entry is removed, traffic continues to pass.
It looks like the ACL which is applied to a vlan interface is not able to
intercept the traffic; I have to reload to fix it.
The setup is exactly the one described in IEWB4 S8.1
interface Vlan41
ip address 164.1.47.7 255.255.255.0
ip access-group 101 in
ip pim sparse-dense-mode
end
access-list 101 dynamic S8.1 timeout 5 permit tcp any host 164.1.7.100
access-list 101 deny ip any host 164.1.7.100
access-list 101 permit ip any any
access-list dynamic-extended
Extended IP access list 101
10 Dynamic S8.1 permit tcp any host 164.1.7.100
10 permit tcp host 164.1.23.2 host 164.1.7.100
20 deny ip any host 164.1.7.100 (5 matches)
30 permit ip any any (6304 matches)
To double-check, I have applied the exact same config to a router, and it
works like a charm.
Any idea?
Maybe it is not possible to apply lock-and-key on a VLAN interface? I tried on
the same Catalyst to apply it also on an L3 port, but it was exactly the same story.
Thanks,
Luca.
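For reference, here is the complete lock-and-key configuration that the ACL above is normally paired with. This is an added example, not Luca's configuration and not the IEWB task text: the local username, its placeholder password, the VTY range 0-4 and the idle timeout of 2 minutes are assumptions; the addresses and the ACL lines are the ones from the post. It also lists the show and clear commands a practitioner would use to confirm that the temporary entry is created and removed on the Catalyst, rather than relying on traffic alone.

```cisco
! Added example (not the original poster's config). Assumed: local user
! "lock" with a placeholder password, VTY lines 0-4, idle timeout 2 minutes.
!
! Local account the user authenticates with over Telnet before the
! temporary entry is created.
username lock password 0 REPLACE_ME
!
! ACL from the post. The "dynamic S8.1" line is only a template; until a
! user runs access-enable no temporary entry exists, so the deny line
! blocks 164.1.7.100. "timeout 5" here is the absolute timeout (minutes).
access-list 101 dynamic S8.1 timeout 5 permit tcp any host 164.1.7.100
access-list 101 deny   ip any host 164.1.7.100
access-list 101 permit ip any any
!
! Because the last line is "permit ip any any", Telnet to the SVI itself is
! already allowed. Without it a line such as
!   access-list 101 permit tcp any host 164.1.47.7 eq telnet
! would be needed, or nobody could reach the VTY to authenticate.
!
interface Vlan41
 ip address 164.1.47.7 255.255.255.0
 ip access-group 101 in
!
! The autocommand runs access-enable for the authenticated session and then
! disconnects it. "host" replaces "any" in the template with the connecting
! source address; "timeout 2" is the idle timeout (minutes), kept below the
! absolute timeout on the access-list line (assumed value).
line vty 0 4
 login local
 autocommand access-enable host timeout 2
!
! Verification from exec mode:
!   show ip access-lists 101
!       The temporary entry shows up nested under the "Dynamic S8.1" line
!       and disappears when either timer expires.
!   show access-lists
!       Same view with match counters; if traffic still passes after the
!       nested entry is gone, the counters on the deny line should be rising.
!   clear access-template 101 S8.1 any host 164.1.7.100
!       Removes the temporary entry by hand instead of waiting for the timer.
```

One check worth doing before reloading again: the Catalyst software configuration guide for the platform in use. Several Catalyst switch guides list dynamic (lock-and-key) ACLs among the router ACL features the switch does not support in its hardware forwarding path, which would explain why the same lines behave correctly on a router and erratically on the switch.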
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:47 ART