[nsp] 7600 and ACLs

Ash Garg ash@telstra.net
Thu, 7 Nov 2002 09:56:02 +1100


Thanks guys :-)

The workaround for CSCdz00544 fixed it! Now to quiz Cisco TAC why they
couldn't find the problem on their own ;-)

Much appreciated,
Ash

                                           \\\|||///
                                          \\  ^ ^  //
                                           (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
Ash Garg                             5/490 Northbourne Ave
Network Specialist                   DICKSON 2602
Internet Network Development
Telstra

Email: <<mailto:Ash.Garg@telstra.net>>
BH:  +612 6208 1994
Mob: 0408 687 642
Fax: +612 6248 6165

The best way to publicize a governmental or political
action is to attempt to hide it. -Mark B. Cohen
----------------------------------------------------------

-----Original Message-----
From: Chris Whyte [mailto:cwhyte@microsoft.com]
Sent: Thursday, 7 November 2002 8:55 AM
To: ash@telstra.net; Vicky O. Mair; cisco-nsp@puck.nether.net
Subject: RE: [nsp] 7600 and ACLs


Just took a quick glance at your issue so take a look at CSCdz00544.
This might be it...

Thanks,

Chris

> -----Original Message-----
> From: Ash Garg [mailto:ash@telstra.net]
> Sent: Tuesday, November 05, 2002 9:25 PM
> To: Vicky O. Mair; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> Hi,
>
> The unfortunate part of this whole thing is that it's not reproducible
> in our lab! This would tend to indicate a hardware issue and we have
> done the following:
>
> 1) replaced the sup2, pfc and msfc (even though the log keyword
> indicates everything is process switched and the sup2 should be okay)
> 2) replaced the 48 port Fast, hoping it was an ASIC
>
> There are only two things left to replace, a 16 port gige module and
> the backplane/chassis.
>
> If you look at the "show fm interface vlan xx" on the lab and
> production router, which I think is the compiled TCAM output, it is the
> same. The TCAM isn't reporting any errors and is quite empty. We have
> attempted numerous "no ip access-list ...." and "ip access-list ..."
> to no avail :-(. Each time the output from "show fm interface vlan xx"
> is the same.
>
> Does anyone know if the "attach 1" attaches to msfc or pfc? How can I
> attach to the other?
>
> Thanks,
> Ash
>
> -----Original Message-----
> From: Vicky O. Mair [mailto:vickyr@socal.rr.com]
> Sent: Wednesday, 6 November 2002 3:34 PM
> To: ash@telstra.net; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> hi,
>
> i understand there are a number of variables involved here but just for
> argument's sake can you cut and paste the acl to another box running in
> similar mode or in hybrid mode (lab setup will be great provided you
> have any cold standby). if possible, can you afford to undo the acl and
> re-apply them in order to shake the tcam.
>
>
>
> /vicky
>
> -----Original Message-----
> From: cisco-nsp-admin@puck.nether.net
> [mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Ash Garg
> Sent: Tuesday, November 05, 2002 6:45 PM
> To: Vicky O. Mair; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> yeah... that's what currently allows all the packets to be processed
> properly. Somewhere their hardware implementation seems to be broken :-(
>
> Removing the log gives very weird results...
>
> Ash
>
> -----Original Message-----
> From: Vicky O. Mair [mailto:vickyr@socal.rr.com]
> Sent: Wednesday, 6 November 2002 1:31 PM
> To: ash@telstra.net; cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> hi,
>
> hmm....not sure if 'established' keyword is needed in your case but
> something to be aware of (which i'm sure you are) that the 'log'
> keyword will drop the packets in process switching mode.
>
> /vicky
>
> -----Original Message-----
> From: cisco-nsp-admin@puck.nether.net
> [mailto:cisco-nsp-admin@puck.nether.net]On Behalf Of Ash Garg
> Sent: Tuesday, November 05, 2002 2:22 PM
> To: cisco-nsp@puck.nether.net
> Subject: [nsp] 7600 and ACLs
>
>
> Has anyone had problems with acls applied to vlan interfaces on a 7600
> running Native IOS? We have tried two different IOSs: 12.1(8b)e9 &
> 12.1(11b)e7 with little difference.
>
> The problem we notice is that TCP SYN packets aren't passed thru
> without the use of the "log" key word. When you put in the log keyword,
> the packets pass thru the interface without a problem...
>
> Ash

_______________________________________________
cisco-nsp mailing list  real_name)s@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

