[nsp] ACL leakage on VIP4

Mark Boolootian booloo@cats.ucsc.edu
Fri, 11 Oct 2002 10:55:21 -0700


Folks,

Last week we discovered that traffic was leaking past our ACLs on our
campus entrance router.  The leakage occurred on our 7507 for traffic
flowing through a VIP4-80 (OC-12 PA) linecard using named access lists.
We're running 12.0(19)S2.

The simple act of removing the named access list and reapplying it halted
the leakage, and it has not (yet) reoccurred.  Cisco acknowledged a
previous report of this problem, which has a bugid:  CSCdw75195

The bug report suggests the combination of VIP, named access lists, and
distributed CEF may be a factor.  Of possible note is that when logged
into the VIP, running 'show access-list' returns all the standard and
extended access lists, but doesn't show any of the named access lists.
We are using compiled access lists.  Still waiting to hear from Cisco on
the significance of this.

Has anyone else seen this?  

mb
---
Mark Boolootian
UC Santa Cruz
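The diagnostic the post describes (named lists present on the RSP but absent from the VIP's `show access-list`) can be turned into a simple consistency check. The script below is an added example, not code from the original post or from Cisco: it parses two captures of `show access-lists` output, one taken on the route processor and one on the linecard, and reports named lists that the linecard does not know about, numbered lists that are missing, and lists whose entries differ between the two views. The `RSP_OUTPUT` and `VIP_OUTPUT` strings are constructed samples in the usual "Standard/Extended IP access list <name>" layout, and the assumption is that a named list is simply one whose identifier is not purely numeric.

```python
import re
from typing import Dict, List

# Constructed sample of "show access-lists" as seen on the RSP (not from the
# original post): two numbered lists and two named lists.
RSP_OUTPUT = """\
Standard IP access list 10
    10 permit 10.1.0.0, wildcard bits 0.0.255.255
Extended IP access list 101
    10 permit tcp any host 10.1.1.1 eq www
    20 deny ip any any
Extended IP access list campus-in
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 permit ip any any
Extended IP access list campus-out
    10 permit ip 10.0.0.0 0.255.255.255 any
"""

# Constructed sample of the same command run on the VIP, reproducing the
# symptom in the post: numbered lists are present, named lists are not.
VIP_OUTPUT = """\
Standard IP access list 10
    10 permit 10.1.0.0, wildcard bits 0.0.255.255
Extended IP access list 101
    10 permit tcp any host 10.1.1.1 eq www
    20 deny ip any any
"""

# Header line that starts each list; group 2 is the list's number or name.
HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")


def parse_access_lists(text: str) -> Dict[str, List[str]]:
    """Map each ACL identifier to its (stripped) entry lines, in order."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(2)
            acls[current] = []
        elif current is not None and line.strip():
            acls[current].append(line.strip())
    return acls


def is_named(acl_id: str) -> bool:
    """Assumption: a purely numeric identifier is a numbered list."""
    return not acl_id.isdigit()


def compare_views(rsp_text: str, vip_text: str) -> Dict[str, List[str]]:
    """Compare the RSP's ACL view with the linecard's and classify gaps.

    Returns three lists: named lists absent on the linecard, numbered
    lists absent on the linecard, and lists present on both whose
    entries differ.
    """
    rsp = parse_access_lists(rsp_text)
    vip = parse_access_lists(vip_text)
    result = {"named_missing": [], "numbered_missing": [], "mismatched": []}
    for acl_id in sorted(rsp):
        if acl_id not in vip:
            key = "named_missing" if is_named(acl_id) else "numbered_missing"
            result[key].append(acl_id)
        elif rsp[acl_id] != vip[acl_id]:
            result["mismatched"].append(acl_id)
    return result


def main() -> None:
    report = compare_views(RSP_OUTPUT, VIP_OUTPUT)
    for key, ids in report.items():
        print(f"{key}: {', '.join(ids) if ids else '(none)'}")


if __name__ == "__main__":
    main()
```

Run against the constructed samples it reports `campus-in` and `campus-out` as named lists missing on the linecard and nothing else, which is exactly the pattern the post observed. In practice the two captures would come from the RSP console and from an `if-con` session to the VIP, and a non-empty `named_missing` or `mismatched` result is the cue to reapply the list and open a case rather than assume the ACL is being enforced.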