...
When an access map is configured to classify on UDP ports in the inbound direction of an interface, packets with UDP ports in the range 50020 to 50023 are not classified as desired:

- Packets are meant to be classified with DSCP CS4 by the interface service policy:

  interface
   service-policy input TEST-QOS-IN

- With this policy-map:

  policy-map TEST-QOS-IN
   class TEST_VOICE
    set dscp ef
   class TEST_CONTROL
    set dscp cs6
   class TEST_VIDEO        <<<<<<<<<<<< packets from video are classified here
    set dscp cs4
   class TEST_SIGNALING
    set dscp cs3
   class TEST_DATA1
    set dscp cs2
   class TEST_DATA2
    set dscp af21
   class TEST_SCAV
    set dscp cs1
   class class-default
    set dscp default
   exit

- And the class-maps below:

  class-map match-any TEST_CONTROL
   match access-group name ACL CONTROL
  class-map match-any TEST_DATA2
   match access-group name ACL APPS 2
   match access-group name ACL APPS 3
  class-map match-any TEST_VOICE
   match access-group name ACL 1
   match access-group name ACL VOICE
  class-map match-any TEST_SIGNALING
   match access-group name ACL SIGNALING
  class-map match-any TEST_DATA1
   match access-group name ACL TRANSACTIONAL
  class-map match-any TRANSACTIONAL_T2_T3_QUEUE
   match ip dscp af21
  class-map match-any TEST_VIDEO
   match access-group name ACL 2        <<<<<<<<<<<<<<<<<<
  class-map match-any TEST_SCAV
   match access-group name T2-ALL-8Q-BACKGROUND-X

- With this access list:

  ip access-list extended ACL 2
   10 permit udp any range 14450 14499 any gt 1023
   20 permit udp any range 50020 50039 any range 50020 50039
   30 permit tcp any range 50020 50039 any range 50020 50039
   40 permit udp any range 50020 50039 any eq 3480
   50 permit udp any eq 9000 any
   60 permit udp any any eq 9000
   70 permit udp any any eq 5004
   80 permit udp any eq 5004 any
   90 permit tcp any any eq 5004
   100 permit tcp any eq 5004 any

In order to fix the issue, we need to remove 4 statements from the access list below:

  ip access-list extended ACL 1
   10 deny udp any 8.33.237.0 0.0.0.255 range 10000 13000    <<<<<<
   20 deny udp any 8.8.242.0 0.0.0.255 range 10000 13000     <<<<<<
   30 deny udp any 170.65.97.0 0.0.0.255 range 10000 13000   <<<<<<
   40 deny udp any 170.65.96.0 0.0.0.255 range 10000 13000   <<<<<<
   50 permit udp any range 14000 14449 any range 8000 8999
   60 permit udp any range 14000 14449 any range 9001 48198
   70 permit udp any range 14000 14449 host 206.203.117.19 gt 1023
   80 permit udp any range 14000 14449 host 206.203.119.11 gt 1023
   90 permit udp any range 50000 50019 any range 50000 50019
   100 permit tcp any range 50000 50019 any range 50000 50019
   110 permit udp any range 50000 50019 any eq 3479

For some reason, the first four statements of ACL 1 are affecting ACL 2.
Configuring two access lists:

  ip access-list extended ACL2
   10 permit udp any range 14450 14499 any gt 1023
   20 permit udp any range 50020 50039 any range 50020 50039
   30 permit tcp any range 50020 50039 any range 50020 50039
   40 permit udp any range 50020 50039 any eq 3480
   50 permit udp any eq 9000 any
   60 permit udp any any eq 9000
   70 permit udp any any eq 5004
   80 permit udp any eq 5004 any
   90 permit tcp any any eq 5004
   100 permit tcp any eq 5004 any

  ip access-list extended ACL1
   10 deny udp any 8.33.237.0 0.0.0.255 range 10000 13000
   20 deny udp any 8.8.242.0 0.0.0.255 range 10000 13000
   30 deny udp any 170.65.97.0 0.0.0.255 range 10000 13000
   40 deny udp any 170.65.96.0 0.0.0.255 range 10000 13000
   50 permit udp any range 14000 14449 any range 8000 8999
   60 permit udp any range 14000 14449 any range 9001 48198
   70 permit udp any range 14000 14449 host 206.203.117.19 gt 1023
   80 permit udp any range 14000 14449 host 206.203.119.11 gt 1023
   90 permit udp any range 50000 50019 any range 50000 50019
   100 permit tcp any range 50000 50019 any range 50000 50019
   110 permit udp any range 50000 50019 any eq 3479
Remove the statements below from ACL1:

   10 deny udp any 8.33.237.0 0.0.0.255 range 10000 13000
   20 deny udp any 8.8.242.0 0.0.0.255 range 10000 13000
   30 deny udp any 170.65.97.0 0.0.0.255 range 10000 13000
   40 deny udp any 170.65.96.0 0.0.0.255 range 10000 13000
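As an added illustration (not part of the bug report or any Cisco tool), the following Python models the intended behaviour of the configuration above on a constructed subset of the ACLs: each ACL is evaluated first-match, the first class in policy-map order whose ACL permits the packet sets the DSCP, and a lint pass lists deny ACEs inside ACLs referenced by QoS class-maps, i.e. the entries the workaround removes. It shows what the classification should be, not the defective behaviour the report describes.

```python
import ipaddress
# Constructed subset of the bug's config: ACL 1 feeds TEST_VOICE, ACL 2 feeds TEST_VIDEO, in policy-map order.
ACLS = {
    "ACL 1": ["10 deny udp any 8.33.237.0 0.0.0.255 range 10000 13000",
              "90 permit udp any range 50000 50019 any range 50000 50019"],
    "ACL 2": ["10 permit udp any range 14450 14499 any gt 1023",
              "20 permit udp any range 50020 50039 any range 50020 50039"],
}
POLICY = [("TEST_VOICE", ["ACL 1"], "ef"), ("TEST_VIDEO", ["ACL 2"], "cs4")]

def _addr(tok, i):  # 'any' | 'host A' | 'A WILDCARD' -> (predicate on int IP, next index)
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        h = int(ipaddress.ip_address(tok[i + 1]))
        return (lambda ip: ip == h), i + 2
    net, wild = (int(ipaddress.ip_address(tok[i + k])) for k in (0, 1))
    return (lambda ip: (ip ^ net) & ~wild & 0xFFFFFFFF == 0), i + 2
def _port(tok, i):  # optional 'eq N' | 'gt N' | 'range LO HI'; absent -> any port
    op = tok[i] if i < len(tok) else None
    if op in ("eq", "gt"):
        n = int(tok[i + 1])
        return (lambda p: p == n if op == "eq" else p > n), i + 2
    if op == "range":
        lo, hi = int(tok[i + 1]), int(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i
def parse_ace(line):  # 'SEQ ACTION PROTO SRC [SPORT] DST [DPORT]'
    tok = line.split()
    src, i = _addr(tok, 3)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return dict(seq=int(tok[0]), action=tok[1], proto=tok[2], src=src, sport=sport, dst=dst, dport=dport)
def acl_action(name, proto, src, sport, dst, dport):
    """First-match ACL evaluation; None stands for the implicit deny at the end."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for a in map(parse_ace, ACLS[name]):
        if a["proto"] in ("ip", proto) and a["src"](s) and a["sport"](sport) and a["dst"](d) and a["dport"](dport):
            return a["action"]
    return None
def classify(proto, src, sport, dst, dport):
    """Intended MQC behaviour: the first class whose ACL permits the packet sets its DSCP."""
    for cls, acls, dscp in POLICY:
        if any(acl_action(n, proto, src, sport, dst, dport) == "permit" for n in acls):
            return cls, dscp
    return "class-default", "default"
def deny_aces_in_qos_acls():
    """Lint: deny ACEs inside ACLs referenced by QoS class-maps (the entries the workaround removes)."""
    return [(n, int(l.split()[0])) for _, acls, _ in POLICY
            for n in acls for l in ACLS[n] if l.split()[1] == "deny"]
```

A deny ACE in a QoS-referenced ACL never selects a class; it only stops evaluation of that ACL, so the lint surfaces exactly the four entries the workaround drops.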
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html