[nsp] ACL leakage on VIP4
Hank Nussbacher
hank@att.net.il
Sun, 13 Oct 2002 09:31:19 +0300
At 10:55 AM 11-10-02 -0700, Mark Boolootian wrote:
We had a case where named ACL broke PBR and pkts that were supposed to be
routed to interface #1 were actually routed to interface #2. Switching to
numbered ACL bypassed the problem.
-Hank
>Folks,
>
>Last week we discovered that traffic was leaking past our ACLs on our
>campus entrance router. The leakage occurred on our 7507 for traffic
>flowing through a VIP4-80 (OC-12 PA) linecard using named access lists.
>We're running 12.0(19)S2.
>
>The simple act of removing the named access list and reapplying it halted
>the leakage, and it has not (yet) reoccurred. Cisco acknowledged a
>previous report of this problem, which has a bugid: CSCdw75195
>
>The bug report suggests the combination of VIP, named access lists, and
>distributed CEF may be a factor. Of possible note is that when logged
>into the VIP, running 'show access-list' returns all the standard and
>extended access lists, but doesn't show any of the named access lists.
>We are using compiled access lists. Still waiting to hear from Cisco on
>the significance of this.
>
>Has anyone else seen this?
>
>mb
>---
>Mark Boolootian
>UC Santa Cruz
>_______________________________________________
>cisco-nsp mailing list cisco-nsp@puck.nether.net
>http://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
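Added example, not part of either message above: the symptom Mark describes (named ACLs applied on an interface, present in 'show access-list' on the RP, but absent from the same command run on the VIP) can be turned into a mechanical cross-check. The script below parses a constructed running-config fragment plus constructed RP and VIP 'show access-list' captures (ACL names, interface names and addresses are hypothetical; the output layout is an approximation of IOS 12.0 and should be checked against a real capture) and reports every ACL that is referenced by 'ip access-group' or a route-map 'match ip address' but missing from the linecard. Numbered ACLs are told apart from named ones the way IOS does, by whether the name is all digits.

```python
"""Cross-check ACLs applied in an IOS config against what a VIP linecard
reports.  Example code written for this thread; sample data is constructed."""
import re

# Constructed running-config fragment (hypothetical names and addresses).
RUNNING_CONFIG = """\
ip access-list extended campus-in
 deny   ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
access-list 101 permit tcp any host 192.0.2.10 eq www
access-list 101 deny   ip any any
!
interface POS1/0/0
 ip access-group campus-in in
!
interface FastEthernet2/0/0
 ip access-group 101 out
 ip policy route-map PBR-OUT
!
route-map PBR-OUT permit 10
 match ip address 101
 set ip next-hop 192.0.2.1
"""

# Constructed 'show access-list' as captured on the RP: both ACLs present.
RP_SHOW_ACL = """\
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq www
    deny ip any any
Extended IP access list campus-in
    deny ip 10.0.0.0 0.255.255.255 any
    permit ip any any
"""

# Constructed 'show access-list' as captured on the VIP: named ACL missing,
# which is the condition the post describes.
VIP_SHOW_ACL = """\
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq www
    deny ip any any
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)\s*$", re.M)
ACCESS_GROUP = re.compile(r"\s+ip access-group (\S+) (in|out)")
RMAP_MATCH = re.compile(r"\s+match ip address (\S+)")


def acls_in_show_output(text):
    """Set of ACL names/numbers that appear as headers in 'show access-list'."""
    return set(ACL_HEADER.findall(text))


def acls_referenced(config):
    """Map ACL name -> list of places (interface+direction or route-map) using it."""
    refs = {}
    ctx = None  # current top-level config stanza
    for line in config.splitlines():
        if not line.startswith(" "):
            ctx = line.strip() if line and not line.startswith("!") else None
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            refs.setdefault(m.group(1), []).append(f"{ctx} {m.group(2)}")
            continue
        m = RMAP_MATCH.match(line)
        if m and ctx and ctx.startswith("route-map"):
            refs.setdefault(m.group(1), []).append(ctx)
    return refs


def is_named(acl):
    """IOS treats all-digit identifiers as numbered ACLs, anything else as named."""
    return not acl.isdigit()


def missing_on_linecard(config, rp_output, vip_output):
    """Return (acl, problem, places) for every referenced ACL the VIP lacks."""
    refs = acls_referenced(config)
    on_rp = acls_in_show_output(rp_output)
    on_vip = acls_in_show_output(vip_output)
    findings = []
    for acl, places in sorted(refs.items()):
        if acl not in on_rp:
            findings.append((acl, "not present on RP", places))
        elif acl not in on_vip:
            kind = "named" if is_named(acl) else "numbered"
            findings.append((acl, f"{kind} ACL missing on VIP", places))
    return findings


if __name__ == "__main__":
    for acl, problem, places in missing_on_linecard(
            RUNNING_CONFIG, RP_SHOW_ACL, VIP_SHOW_ACL):
        print(f"{acl}: {problem}; applied at {', '.join(places)}")
```

Feed it the real 'show running-config' and the two 'show access-list' captures (one from the RP, one taken while logged into the VIP) and an empty result means every applied ACL is visible on the linecard. A non-empty result is the cue for the workarounds the thread mentions: remove and reapply the named ACL, or rewrite it as a numbered one.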