[nsp] 7600 and ACLs

Chris Whyte cwhyte@microsoft.com
Wed, 6 Nov 2002 13:54:51 -0800


Just took a quick glance at your issue so take a look at CSCdz00544.
This might be it...

Thanks,

Chris

> -----Original Message-----
> From: Ash Garg [mailto:ash@telstra.net]
> Sent: Tuesday, November 05, 2002 9:25 PM
> To: Vicky O. Mair; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> Hi,
>
> The unfortunate part of this whole thing is that it's not reproducible in our
> lab! This would tend to indicate a hardware issue and we have done the
> following:
>
> 1) replaced the sup2, pfc and msfc (even though the log keyword indicates
> everything is process switched and the sup2 should be okay)
> 2) replaced the 48 port Fast, hoping it was an ASIC
>
> There are only two things left to replace, a 16 port gige module and the
> backplane/chassis.
>
> If you look at the "show fm interface vlan xx" on the lab and production
> router, which I think is the compiled TCAM output, it is the same. The TCAM
> isn't reporting any errors and is quite empty. We have attempted numerous
> "no ip access-list ...." and "ip access-list ..." to no avail :-(.
> Each time the output from "show fm interface vlan xx" is the same.
>
> Does anyone know if the "attach 1" attaches to the msfc or pfc? How can I
> attach to the other?
>
> Thanks,
> Ash
>
>                                            \\\|||///
>                                           \\  ^ ^  //
>                                            (  6 6  )
> -----------------------------------------oOOo-(_)-oOOo---
> Ash Garg                             5/490 Northbourne Ave
> Network Specialist                   DICKSON 2602
> Internet Network Development
> Telstra
>
> Email: <<mailto:Ash.Garg@telstra.net>>
> BH:  +612 6208 1994
> Mob: 0408 687 642
> Fax: +612 6248 6165
>
> The best way to publicize a governmental or political
> action is to attempt to hide it. -Mark B. Cohen
> ----------------------------------------------------------
>
> -----Original Message-----
> From: Vicky O. Mair [mailto:vickyr@socal.rr.com]
> Sent: Wednesday, 6 November 2002 3:34 PM
> To: ash@telstra.net; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> hi,
>
> i understand there are a number of variables involved here but just for
> argument's sake can you cut and paste the acl to another box running in
> similar mode or in hybrid mode (lab setup will be great provided you have
> any cold standby). if possible, can you afford to undo the acl and
> re-apply them in order to shake the tcam.
>
> /vicky
>
> -----Original Message-----
> From: cisco-nsp-admin@puck.nether.net
> [mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Ash Garg
> Sent: Tuesday, November 05, 2002 6:45 PM
> To: Vicky O. Mair; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> yeah... that's what currently allows all the packets to be processed
> properly. Somewhere their hardware implementation seems to be broken :-(
>
> Removing the log gives very weird results...
>
> Ash
>
> -----Original Message-----
> From: Vicky O. Mair [mailto:vickyr@socal.rr.com]
> Sent: Wednesday, 6 November 2002 1:31 PM
> To: ash@telstra.net; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> hi,
>
> hmm....not sure if the 'established' keyword is needed in your case but
> something to be aware of (which i'm sure you are) is that the 'log' keyword
> will drop the packets in process switching mode.
>
> /vicky
>
> -----Original Message-----
> From: cisco-nsp-admin@puck.nether.net
> [mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Ash Garg
> Sent: Tuesday, November 05, 2002 2:22 PM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] 7600 and ACLs
>
>
> Has anyone had problems with acls applied to vlan interfaces on a 7600
> running Native IOS? We have tried two different IOSs: 12.1(8b)E9 &
> 12.1(11b)E7 with little difference.
>
> The problem we notice is that TCP SYN packets aren't passed thru without the
> use of the "log" keyword. When you put in the log keyword, the packets pass
> thru the interface without a problem...
>
> Ash
>
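The ACL shape the thread is arguing about, as an added configuration example that is not part of any message above (VLAN 10, the access-list names and the 192.0.2.0/24 addresses are placeholders). Two points it makes concrete: on a PFC-based 7600 an ACE that carries the "log" keyword is not evaluated in the TCAM, so packets matching it are punted to the MSFC and process switched, which is exactly why a SYN that the hardware path mishandles starts passing once "log" is added; and "established" only matches segments with ACK or RST set, so a new inbound SYN to a service needs its own explicit permit rather than relying on that ACE. The first list is the production form; the second is the "log" variant for reproducing the punt behaviour, followed by the commands from the thread used to compare the two.

```cisco
! Added example, not taken from the thread. VLAN 10, the access-list names
! and the 192.0.2.0/24 addresses are placeholders.
!
! Production form: no "log" on any ACE, so the PFC can program the whole
! list into the TCAM. Return traffic is matched by "established" (ACK or
! RST set). A new inbound TCP SYN carries neither flag, so it only passes
! because the service ACEs below permit it explicitly.
ip access-list extended VLAN10-IN
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any
!
! Diagnostic form: "log" on the port-80 ACE forces packets matching it to
! be punted to the MSFC and process switched. Useful to confirm that the
! software path passes SYNs the hardware path drops; not something to leave
! in production (route-processor CPU load, rate-limited logging).
ip access-list extended VLAN10-IN-LOG
 permit tcp any 192.0.2.0 0.0.0.255 established
 permit tcp any host 192.0.2.10 eq 80 log
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any
!
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! To swap lists while testing, re-apply under the SVI, then compare the
! feature-manager view of the compiled list and the ACE hit counters:
!   configure terminal
!   interface Vlan10
!    ip access-group VLAN10-IN-LOG in
!   end
!   show fm interface vlan 10
!   show ip access-lists VLAN10-IN-LOG
```

If the hit counters on the non-"log" list never increment for the port-80 ACE while the "log" variant shows matches, the packets are being dropped before they reach the ACE in hardware, which is the behaviour Ash describes.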

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

