[nsp] ACL leakage on VIP4
Rubens Kuhl Jr.
rkjnsp@ieg.com.br
Sun, 13 Oct 2002 05:03:44 -0300
I've seen serious performance issues with named ACLs on 7500/VIP/dCEF,
12.0(xx)S train; using numbered ACLs worked like a charm.
Rule of thumb: use numbered ACLs on 7500, use named ACLs on Cat6K/7600.
Rubens
----- Original Message -----
From: "Mark Boolootian" <booloo@cats.ucsc.edu>
To: <cisco-nsp@puck.nether.net>
Sent: Friday, October 11, 2002 2:55 PM
Subject: [nsp] ACL leakage on VIP4
| Last week we discovered that traffic was leaking past our ACLs on our
| campus entrance router. The leakage occurred on our 7507 for traffic
| flowing through a VIP4-80 (OC-12 PA) linecard using named access lists.
| We're running 12.0(19)S2.
|
| The simple act of removing the named access list and reapplying it halted
| the leakage, and it has not (yet) reoccurred. Cisco acknowledged a
| previous report of this problem, which has a bugid: CSCdw75195
|
| The bug report suggests the combination of VIP, named access lists, and
| distributed CEF may be a factor. Of possible note is that when logged
| into the VIP, running 'show access-list' returns all the standard and
| extended access lists, but doesn't show any of the named access lists.
| We are using compiled access lists. Still waiting to hear from Cisco on
| the significance of this.
|
| Has anyone else seen this?
|
| mb
| ---
| Mark Boolootian
| UC Santa Cruz
| _______________________________________________
| cisco-nsp mailing list cisco-nsp@puck.nether.net
| http://puck.nether.net/mailman/listinfo/cisco-nsp
| archive at http://puck.nether.net/pipermail/cisco-nsp/
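The check Mark describes (run `show access-list` on the RP, run it again from the VIP, and see which lists the linecard never got) is easy to automate, and so is Rubens's workaround of moving to numbered lists. The script below is an added example, not code from either poster or from Cisco: it parses two constructed `show access-list` captures, reports named ACLs that are absent or differ on the VIP, and rewrites a named ACL block into `access-list N` lines. The capture format is an approximation of IOS 12.0S output and is an assumption; so is the IOS number-range check in `named_to_numbered`.

```python
import re

# Constructed sample: 'show access-list' as seen on the route processor (RP).
# The layout approximates IOS 12.0S output and is an assumption of this example.
RP_SHOW_ACL = """\
Standard IP access list 10
    permit 192.0.2.0, wildcard bits 0.0.0.255
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq www (1204 matches)
    deny ip any any log
Extended IP access list EDGE-IN
    permit tcp any host 192.0.2.10 eq www (88213 matches)
    permit udp any host 192.0.2.53 eq domain
    deny ip any any log
Standard IP access list MGMT
    permit 198.51.100.0, wildcard bits 0.0.0.255
"""

# Constructed sample: the same command run after attaching to the VIP.
# As in the thread, the numbered lists are present and the named ones are not.
VIP_SHOW_ACL = """\
Standard IP access list 10
    permit 192.0.2.0, wildcard bits 0.0.0.255
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq www
    deny ip any any log
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")


def parse_show_access_list(text):
    """Return {acl_id: (kind, [entries])} parsed from 'show access-list' output."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(2)
            acls[current] = (m.group(1).lower(), [])
            continue
        if current and line.strip():
            # Drop hit counters so RP and VIP entries compare equal.
            entry = re.sub(r"\s*\(\d+ matches?\)\s*$", "", line.strip())
            acls[current][1].append(entry)
    return acls


def is_named(acl_id):
    """Numbered ACLs are all digits; anything else is a named list."""
    return not acl_id.isdigit()


def acl_drift(rp_text, vip_text):
    """Compare RP and VIP captures.

    Returns (missing, mismatched): ACLs the VIP does not have at all, and ACLs
    it has but with different entries. Named lists that are missing are exactly
    the symptom reported in the thread.
    """
    rp = parse_show_access_list(rp_text)
    vip = parse_show_access_list(vip_text)
    missing = sorted(a for a in rp if a not in vip)
    mismatched = sorted(a for a in rp if a in vip and rp[a][1] != vip[a][1])
    return missing, mismatched


def named_to_numbered(named_config, number):
    """Rewrite an 'ip access-list standard|extended NAME' block as
    'access-list NUMBER ...' lines (the workaround suggested in the thread).

    The standard/extended number ranges (1-99, 1300-1999 / 100-199, 2000-2699)
    are the classic IOS ranges; treat them as an assumption for other trains.
    """
    lines = [l.strip() for l in named_config.splitlines() if l.strip()]
    m = re.match(r"ip access-list (standard|extended) (\S+)$", lines[0])
    if not m:
        raise ValueError("not a named ACL block")
    kind = m.group(1)
    std_ok = 1 <= number <= 99 or 1300 <= number <= 1999
    ext_ok = 100 <= number <= 199 or 2000 <= number <= 2699
    if (kind == "standard" and not std_ok) or (kind == "extended" and not ext_ok):
        raise ValueError(f"{number} is not a valid {kind} ACL number")
    out = []
    for entry in lines[1:]:
        # Strip leading sequence numbers if a newer train emitted them.
        entry = re.sub(r"^\d+\s+", "", entry)
        out.append(f"access-list {number} {entry}")
    return "\n".join(out)


if __name__ == "__main__":
    missing, mismatched = acl_drift(RP_SHOW_ACL, VIP_SHOW_ACL)
    print("missing on VIP:", [a for a in missing if is_named(a)])
    print("mismatched on VIP:", mismatched)
    print(named_to_numbered(
        "ip access-list extended EDGE-IN\n"
        " permit tcp any host 192.0.2.10 eq www\n"
        " deny ip any any log\n", 120))
```

Comparing entries, not just list names, matters: after the remove-and-reapply workaround the name may be present on the VIP while the linecard copy is stale, and a name-only check would miss that.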