[nsp] 7600 and ACLs

Chris Whyte cwhyte@microsoft.com
Thu, 7 Nov 2002 13:44:44 -0800


Here ya go. Hope this helps!!

The best way I can explain the problem is that, within the TCAM there are two registers, A & B, for each LOU. The LOU is explained by the configuration guide:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/swconfig/secure.htm#xtocid5

The TCAM may try to maximize LOU space by taking an ACL config like "gt 1023" and changing it in hardware to "not less than 1024". In this case, a bit in TCAM is flipped to indicate the "inverted" function. When the same inverted LOU is used with TCP flags (syn, ack, rst) the software mistakenly inverts the TCP flag as well when it should not. This is what we see with Daniel's config.

The simple explanation for why xxxx does not have this problem is that the LOU used with the TCP flag did not get inverted for whatever reason. There is no way to guarantee when the inversion would happen. The IP address, mask, eq source port, and eq dst port have no impact on whether the inversion happens. So one of the known workarounds is not to combine gt or lt with the TCP flag so no inversion would take place. Another workaround is to manually change the "gt" or "lt" into "range", which will take up both registers. This way the TCAM would be configured the same as the ACL config. I was able to prove this works in the lab. There is one caveat for this workaround:

when I changed the last two lines to :

 permit tcp any eq www x.x.x.x 0.0.0.127 range 1024 65535 established
 permit tcp any eq 443 x.x.x.x 0.0.0.127 range 1024 65535 established

the switch is smart enough to figure out this is the same as gt 1023, so this has no effect. However, when I changed the last two lines to:

 permit tcp any eq www x.x.x.x 0.0.0.127 range 1024 65534 established
 permit tcp any eq 443 x.x.x.x 0.0.0.127 range 1024 65534 established

then the ACL works. But if any destination port is 65535 it would be rejected; to work around that, add:

 permit tcp any eq www x.x.x.x 0.0.0.127 eq 65535 established
 permit tcp any eq 443 x.x.x.x 0.0.0.127 eq 65535 established

The fix will be in 12.1.13E1 release.

Thanks,

Chris

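As an added illustration (not from the thread or from Cisco), here is a small Python model of the behaviour Chris describes: a one-register gt/lt LOU that gets inverted also inverts the established test, a range ending at 65535 is optimised back to gt, and the "range 1024 65534" plus "eq 65535" workaround matches exactly the traffic the original lines intend. The `Ace`, `buggy_hw` and `mismatches` names and the inversion model are my assumptions; only the destination-port operator and the flag are modelled, since the post says address, mask and source port do not affect the inversion.

```python
from dataclasses import dataclass

MAX_PORT = 65535

@dataclass(frozen=True)
class Ace:
    op: str                  # "eq", "gt", "lt" or "range" on the destination port
    lo: int
    hi: int = 0              # upper bound, used by "range" only
    established: bool = False

def port_test(ace: Ace, port: int) -> bool:
    if ace.op == "range":
        return ace.lo <= port <= ace.hi
    return {"eq": port == ace.lo, "gt": port > ace.lo, "lt": port < ace.lo}[ace.op]

def intended(ace: Ace, port: int, established: bool) -> bool:
    """What the ACL text means: the port test, plus the flag test if present."""
    return port_test(ace, port) and (established or not ace.established)

def canonicalize(ace: Ace) -> Ace:
    """Optimisation the post describes: a range running up to the highest
    port is recognised as 'gt lo-1', so it goes back to one register."""
    if ace.op == "range" and ace.hi == MAX_PORT:
        return Ace("gt", ace.lo - 1, established=ace.established)
    return ace

def buggy_hw(ace: Ace, port: int, established: bool, lou_inverted: bool) -> bool:
    """Assumed model of the bug: a one-register gt/lt may be programmed as an
    inverted LOU, whose inversion bit then wrongly flips the flag test too."""
    ace = canonicalize(ace)
    if not ace.established:
        return port_test(ace, port)
    flag_inverted = lou_inverted and ace.op in ("gt", "lt")
    flag_ok = (not established) if flag_inverted else established
    return port_test(ace, port) and flag_ok

def mismatches(programmed: list, reference: list, lou_inverted: bool) -> int:
    """Count (port, established) cases where the hardware result for
    `programmed` differs from what the text of `reference` permits."""
    bad = 0
    for port in range(MAX_PORT + 1):
        for est in (False, True):
            want = any(intended(a, port, est) for a in reference)
            got = any(buggy_hw(a, port, est, lou_inverted) for a in programmed)
            bad += want != got
    return bad

# The last two ACL lines from the post, reduced to port operator + flag.
ORIGINAL = [Ace("gt", 1023, established=True)]
RANGE_TO_MAX = [Ace("range", 1024, MAX_PORT, established=True)]   # optimised back to gt 1023
WORKAROUND = [Ace("range", 1024, 65534, established=True), Ace("eq", 65535, established=True)]
```

`mismatches(WORKAROUND, ORIGINAL, True)` returns 0, while `ORIGINAL` and `RANGE_TO_MAX` under inversion mismatch on every port above 1023 in both flag states.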

> -----Original Message-----
> From: lee.e.rian@census.gov [mailto:lee.e.rian@census.gov]
> Sent: Thursday, November 07, 2002 10:41 AM
> To: cisco-nsp@puck.nether.net
> Subject: RE: [nsp] 7600 and ACLs
>
>
> >The workaround for CSCdz00544 fixed it!
>
> What workaround???   When I look at CSCdz00544 Bug Details the Release
> Notes has only the one line:
>
>    The established keyword does not work with cat6k supII running native
> IOS.
>
>
> Does anybody get more than that?
>
> Thanks,
> Lee
>
>
> ========= original message ==============
> From: "Ash Garg" <ash@telstra.net>
> To: "Chris Whyte" <cwhyte@microsoft.com>,
>    "Vicky O. Mair" <vickyr@socal.rr.com>, <cisco-nsp@puck.nether.net>,
>    <sfoster@microsoft.com>, <ryan@opsource.net>
> Subject: RE: [nsp] 7600 and ACLs
> Date: Thu, 7 Nov 2002 09:56:02 +1100
>
> Thanks guys :-)
>
> The workaround for CSCdz00544 fixed it! Now to quiz Cisco TAC why they
> couldn't find the problem on their own ;-)
>
> Much appreciated,
> Ash
>
                                           \\\|||///
                                          \\  ^ ^  //
                                           (  6 6  )
-----------------------------------------oOOo-(_)-oOOo---
Ash Garg                             5/490 Northbourne Ave
Network Specialist                   DICKSON 2602
Internet Network Development
Telstra


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/