Symptom
A sequence permitting the traffic is configured; however, the remote traffic is not allowed to pass.
Conditions
The problem was first seen in a topology composed entirely of IE switches.
Seen across different software versions.
The ACL is applied in the outbound direction.
Workaround
1. Add a sequence for the return traffic. For example, for an ACL with this sequence:
Extended IP access list 101
10 permit ip X.X.0.0 0.0.0.X Y.Y.0.0 0.0.0.Y
the workaround is to add:
ip access-list ext 101
permit ip Y.Y.0.0 0.0.0.Y X.X.0.0 0.0.0.X
2. Apply the ACL in the inbound direction instead.
Upgrade to a fixed version.
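The following configuration is an added illustration of both workarounds above; it is not taken from the bug report. The addresses (192.0.2.0/24 and 198.51.100.0/24, from the RFC 5737 documentation ranges) and the interface names (GigabitEthernet1/1 facing the remote site, GigabitEthernet1/2 facing the local site) are constructed assumptions, and the `10`/`20` sequence numbers are the defaults IOS assigns.

```text
! Constructed example, not from the bug report. Local site: 192.0.2.0/24,
! remote site: 198.51.100.0/24.
!
! Original ACL: only the forward direction (local -> remote) is permitted.
ip access-list extended 101
 10 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Workaround 1: add an explicit sequence for the return traffic (remote -> local).
! Note that this also widens what the ACL permits through the interface it is
! applied to, so the effective policy is broader than the original intent.
ip access-list extended 101
 20 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
!
! Workaround 2: move the ACL from outbound on the remote-facing interface to
! inbound on the local-facing interface (interface names are assumed).
interface GigabitEthernet1/1
 no ip access-group 101 out
interface GigabitEthernet1/2
 ip access-group 101 in
!
! Verify which sequences are actually matching after the change.
show ip access-lists 101
```

Whichever workaround is used, remember that an IOS extended ACL ends in an implicit deny, so applying it inbound on a different interface filters all traffic entering that interface, not only the flow that was failing; check the per-sequence match counters from `show ip access-lists 101` against expected traffic before and after the change so that the workaround does not silently drop or admit flows it was not meant to.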
Further Problem Description
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html