[nsp] 7600 and ACLs

Ash Garg ash@telstra.net
Wed, 6 Nov 2002 16:24:30 +1100


Hi,

The unfortunate part of this whole thing is that it's not reproducible in our
lab! This would tend to indicate a hardware issue, and we have done the
following:

1) replaced the Sup2, PFC and MSFC (even though the log keyword indicates
everything is process switched and the Sup2 should be okay)
2) replaced the 48-port Fast Ethernet, hoping it was an ASIC

There are only two things left to replace, a 16-port GigE module and the
backplane/chassis.

If you look at the "show fm interface vlan xx" output on the lab and production
routers, which I think is the compiled TCAM output, it is the same. The TCAM
isn't reporting any errors and is quite empty. We have attempted numerous
"no ip access-list ..." and "ip access-list ..." to no avail :-(.
Each time the output from "show fm interface vlan xx" is the same.

Does anyone know if "attach 1" attaches to the MSFC or the PFC? How can I attach
to the other?

Thanks,
Ash





                                           \\\|||///
                                          \\  ^ ^  //
                                           (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
Ash Garg                             5/490 Northbourne Ave
Network Specialist                   DICKSON 2602
Internet Network Development
Telstra

Email: <<mailto:Ash.Garg@telstra.net>>
BH:  +612 6208 1994
Mob: 0408 687 642
Fax: +612 6248 6165

The best way to publicize a governmental or political
action is to attempt to hide it. -Mark B. Cohen
----------------------------------------------------------

-----Original Message-----
From: Vicky O. Mair [mailto:vickyr@socal.rr.com]
Sent: Wednesday, 6 November 2002 3:34 PM
To: ash@telstra.net; cisco-nsp@puck.nether.net
Subject: RE: [nsp] 7600 and ACLs


hi,

I understand there are a number of variables involved here, but just for
argument's sake, can you cut and paste the ACL to another box running in a
similar mode or in hybrid mode (a lab setup would be great, provided you have
any cold standby)? If possible, can you afford to undo the ACL and
re-apply it in order to shake the TCAM?



/vicky

-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Ash Garg
Sent: Tuesday, November 05, 2002 6:45 PM
To: Vicky O. Mair; cisco-nsp@puck.nether.net
Subject: RE: [nsp] 7600 and ACLs


Yeah... that's what currently allows all the packets to be processed
properly. Somewhere their hardware implementation seems to be broken :-(

Removing the log gives very weird results...

Ash

-----Original Message-----
From: Vicky O. Mair [mailto:vickyr@socal.rr.com]
Sent: Wednesday, 6 November 2002 1:31 PM
To: ash@telstra.net; cisco-nsp@puck.nether.net
Subject: RE: [nsp] 7600 and ACLs


hi,

Hmm... not sure if the 'established' keyword is needed in your case, but
something to be aware of (which I'm sure you are) is that the 'log' keyword
will drop the packets into process-switching mode.

/vicky
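To make the 'established' and 'log' points above concrete, here is an added example (not code from the thread or from Cisco): a small Python evaluator for the subset of IOS extended-ACL syntax discussed here. It applies first-match semantics with the implicit deny, treats 'established' the way IOS does (the entry matches only TCP segments with the ACK or RST bit set, so a bare SYN never matches it), and records whether the matching entry carried 'log', which changes where the packet is processed but not the verdict. The ACL lines, addresses and packets are constructed for the example and are not the poster's configuration.

```python
"""Constructed example (not from the thread): first-match evaluator for a small
subset of IOS extended-ACL syntax, showing how a bare TCP SYN fares against
'established' entries and what the 'log' keyword does and does not change."""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    src: str
    dst: str
    dport: int = 0
    flags: str = ""     # TCP flag letters: S=SYN, A=ACK, R=RST


@dataclass
class Ace:
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool             # IOS: matches only segments with ACK or RST set
    log: bool                     # IOS: a match is logged; per the thread, on the
                                  # 7600 that means the packet is process switched


def _parse_addr(toks: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcard assumed)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    prefix = 32 - bin(int(ipaddress.IPv4Address(toks[1]))).count("1")
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]


def parse_ace(line: str) -> Ace:
    """Parse one ACE such as 'permit tcp any host 192.0.2.10 eq 80 established log'."""
    toks = line.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport, established, log = None, False, False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            dport = int(rest.pop(0))
        elif tok == "established":
            established = True
        elif tok == "log":
            log = True
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return Ace(action, proto, src, dst, dport, established, log)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # 'established' is a flag check, not connection state: a bare SYN never matches.
    if ace.established and not ("A" in pkt.flags or "R" in pkt.flags):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First matching ACE wins; no match hits the implicit deny.
    Returns (action, index of the matching ACE or None, whether it carried 'log')."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i, ace.log
    return "deny", None, False


# Constructed ACLs on documentation addresses, not the poster's real config.
ACLS = {
    "established_only": [
        "permit tcp any host 192.0.2.10 established",
        "deny ip any any",
    ],
    "explicit_syn_permit": [
        "permit tcp any host 192.0.2.10 eq 80",
        "permit tcp any host 192.0.2.10 established",
        "deny ip any any log",
    ],
}


def demo() -> dict:
    """Run a client SYN, a later ACK-bearing segment and a stray UDP datagram
    through both ACLs; returns {acl_name: {packet_name: (action, logged)}}."""
    packets = {
        "syn": Packet("tcp", "198.51.100.7", "192.0.2.10", 80, "S"),
        "ack": Packet("tcp", "198.51.100.7", "192.0.2.10", 80, "A"),
        "udp": Packet("udp", "198.51.100.7", "192.0.2.10", 53),
    }
    out = {}
    for name, lines in ACLS.items():
        acl = [parse_ace(l) for l in lines]
        out[name] = {}
        for pname, pkt in packets.items():
            action, _, logged = evaluate(acl, pkt)
            out[name][pname] = (action, logged)
    return out


if __name__ == "__main__":
    for acl_name, verdicts in demo().items():
        print(acl_name, verdicts)
```

The evaluator models the decision the MSFC makes on the process-switched path, which is the path the thread says the 'log' keyword forces. If a hardware-forwarded SYN is dropped where this logic (and the lab box) permits it, the ACL text is not the problem and the TCAM programming is, which is what the "show fm interface vlan xx" comparison is probing. Leaning on 'log' to make traffic flow is a workaround with a cost: every matching packet is punted to the MSFC CPU, so an outside sender can load the control plane simply by matching that entry.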

-----Original Message-----
From: cisco-nsp-admin@puck.nether.net
[mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Ash Garg
Sent: Tuesday, November 05, 2002 2:22 PM
To: cisco-nsp@puck.nether.net
Subject: [nsp] 7600 and ACLs


Has anyone had problems with ACLs applied to VLAN interfaces on a 7600
running Native IOS? We have tried two different IOSes: 12.1(8b)E9 &
12.1(11b)E7, with little difference.

The problem we notice is that TCP SYN packets aren't passed through without the
use of the "log" keyword. When you put in the log keyword, the packets pass
through the interface without a problem...

Ash


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/