[c-nsp] ME3600X mLDP
Gert Doering
gert at greenie.muc.de
Fri Jul 10 10:46:13 EDT 2015
Hi,
On Fri, Jul 10, 2015 at 02:50:40PM +0200, Lukas Tribus wrote:
> > I'm so sick of the ME3600s, and Cisco in general. Our latest
> > kick in the pants was turning on DHCP snooping. That caused
> > legitimate DHCP traffic that was traversing PWs on the box
> > to get dropped. Snooping should have absolutely nothing at
> > all to do with DHCP being carried inside a PW. Ridiculous.
>
> It's the same story on every platform: once you enable a feature
> that has to be handled by the CPU (such as: DAI, PPPoE IA,
> DHCP snooping, etc), you face all kinds of bugs because:
>
> - the TCAM rule is a catch-all rule (all DHCP, all ARP traffic
> must be forwarded to the CPU), it doesn't matter if certain vlans or
> PWs don't have this feature enabled
>
> - all the forwarding logic that is implemented in hardware (DON'T
> rx/tx on STP/REP blocked ports or disabled/not allowed Vlans, DO
> forward even if the traffic is double tagged, DO forward and bypass
> security if this feature is not enabled on this particular Vlan/PW,
> etc.) needs to be replicated in software
But that means they are doing the *snooping* bits wrong in the first
place already. It shouldn't "grab the packet and give it exclusively
to the CPU for snooping-and-forwarding" - but forward normally, and
additionally hand it to the CPU for snooping...
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
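As an added illustration, not code from this thread, from Cisco, or from any ME3600X software: a toy Python model of the two designs the messages above contrast. Design (a) is a catch-all TCAM rule that punts every DHCP frame to the CPU and relies on software to forward it; design (b) is the forward-and-copy approach Gert argues for, where hardware forwarding continues and the CPU only receives a copy to inspect. The VLAN numbers, the single snooping-enabled VLAN, and the assumption that the software path does not replicate pseudowire forwarding are all constructed for the example. The `audit_rule_scope` check at the end generalises the first bullet: it flags any punt rule whose match scope is wider than the VLANs the feature is actually enabled on.

```python
"""Toy model of punt-and-forward-in-software vs. forward-and-copy.

Constructed example; it does not reproduce any real switch pipeline.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Frame:
    vlan: int
    dhcp: bool      # frame carries DHCP
    via_pw: bool    # frame is transiting a pseudowire (PW)


# Hypothetical configuration: DHCP snooping is enabled on VLAN 10 only.
SNOOPING_VLANS: Set[int] = {10}


def tcam_punt_match(frame: Frame) -> bool:
    """The catch-all rule from the thread: every DHCP frame matches,
    regardless of whether its VLAN or PW has snooping enabled."""
    return frame.dhcp


def software_forward(frame: Frame) -> str:
    """CPU forwarding path. Models the complaint in the thread: the software
    path does not replicate every hardware forwarding case (here, PW transit),
    so such frames are dropped instead of forwarded."""
    if frame.via_pw:
        return "dropped"   # PW forwarding logic not replicated in software
    return "forwarded"


def snoop_inspect(frame: Frame) -> str:
    """Snooping validation only applies where the feature is enabled."""
    return "inspected" if frame.vlan in SNOOPING_VLANS else "skipped"


def punt_exclusive_design(frame: Frame) -> str:
    """Design (a): a matching frame leaves the hardware path entirely and
    its fate depends on the software forwarder."""
    if tcam_punt_match(frame):
        snoop_inspect(frame)
        return software_forward(frame)
    return "forwarded"


def forward_and_copy_design(frame: Frame) -> str:
    """Design (b): hardware keeps forwarding; the CPU only gets a copy, and
    the inspection result does not gate forwarding of unrelated traffic."""
    if tcam_punt_match(frame):
        snoop_inspect(frame)   # copy to CPU for snooping only
    return "forwarded"


def audit_rule_scope(rule_vlans: Optional[Set[int]], feature_vlans: Set[int]) -> bool:
    """Return True when a punt rule catches traffic on VLANs the feature is
    not enabled on. None models a catch-all rule that matches every VLAN."""
    if rule_vlans is None:
        return True
    return not rule_vlans.issubset(feature_vlans)


if __name__ == "__main__":
    # Constructed frame: DHCP inside a PW on a VLAN without snooping.
    f = Frame(vlan=20, dhcp=True, via_pw=True)
    print("punt-exclusive:", punt_exclusive_design(f))
    print("forward-and-copy:", forward_and_copy_design(f))
    print("catch-all rule overreaches:", audit_rule_scope(None, SNOOPING_VLANS))
```

The model is deliberately simple: the interesting line is that the same frame is dropped under the punt-exclusive design and forwarded under forward-and-copy, purely because the punt rule matches more than the feature's configured scope and the software path is a less complete forwarder than the hardware one.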