[nsp] Sup720 and ACL/netflow processing
Sergey V. Artjushkin
skiv at caravan.ru
Thu Dec 18 03:07:56 EST 2003
Hello
> >I'm collecting netflow on a couple of Cat6503s with
> >sup720s. We've got input ACLs on the interfaces facing
> >our provider. Back when this was a 7500, I'd get netflow
> >stats for all the inbound traffic, including the packets
> >that were denied by the input ACL. However, on the sup720s,
> >it seems that the packets are dropped by the ACL before the
> >flows are recorded, and they don't show up in the netflow
> >export.
> >
> >Can anyone confirm this behavior?
>
> This is correct behavior for Supervisor 720.
Hm, I see that my Sup720 is working differently. For example, I have an input ACL on this interface:
interface Vlan30
ip address 1.1.1.2 255.255.255.252
ip access-group 2000 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip route-cache policy
ip route-cache flow
snmp ifindex persist
mls rp ip
hold-queue 512 in
hold-queue 256 out
end
And in NetFlow I see the following packets:
flow #55 received from router 217.23.151.44, IP protocol 1
input ifIndex: 18
source IP address: 62.215.85.110
source port: 0
source AS: FAST-TELCO(21050)
output ifIndex: 0
dest IP address: 62.213.67.228
dest port: 2048
dest AS: <unknown>(0)
nexthop: 0.0.0.0
bytes in flow: 92
packets in flow: 1
This is ICMP echo-request scanning.
Now, look at the ACL config:
Extended IP access list 2000 (Compiled)
<skip>
60 deny icmp 62.208.0.0 0.7.255.255 any echo (142585658 matches)
<skip>
So, the Sup720 is blocking the packet AFTER NetFlow.
SUP720 is installed in 6509 with IOS Version 12.2(17a)SX.
--
With best regards.
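A check for the behaviour this message describes, added here as an example and not part of the original post: cross-reference exported flow records (in the text form quoted above) against the interface's input ACL, and report any exported flow that a deny ACE would have dropped. If the list is non-empty, the platform is accounting packets in NetFlow before the ACL discards them, which is what the poster observed on the Sup720. The flow records, the second ACE (seq 70) and the second flow (#56) are constructed sample data modelled on the post; the parser handles the ACE syntax shown (any / host / address-plus-wildcard, optional ICMP type keyword) and nothing more. NetFlow v5 carries the ICMP type and code in the destination-port field as type*256+code, which is why the echo-request flow shows dest port 2048.

```python
import ipaddress
import re

# Constructed sample export in the text form quoted in the post. Flow #55 is the
# poster's record; flow #56 is a made-up TCP flow that the ACL permits.
SAMPLE_FLOWS = """\
flow #55 received from router 217.23.151.44, IP protocol 1
input ifIndex: 18
source IP address: 62.215.85.110
source port: 0
output ifIndex: 0
dest IP address: 62.213.67.228
dest port: 2048
bytes in flow: 92
packets in flow: 1
flow #56 received from router 217.23.151.44, IP protocol 6
input ifIndex: 18
source IP address: 198.51.100.7
source port: 51234
output ifIndex: 3
dest IP address: 62.213.67.228
dest port: 80
bytes in flow: 1500
packets in flow: 4
"""

# Constructed ACL in "show ip access-lists" form; entry 60 is the one from the
# post, entry 70 is an assumed trailing permit.
SAMPLE_ACL = """\
Extended IP access list 2000
    60 deny icmp 62.208.0.0 0.7.255.255 any echo
    70 permit ip any any
"""

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "ttl-exceeded": 11}
PROTO_NUMS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}


def parse_flows(text):
    """Split the text export into one dict per flow record."""
    flows = []
    for line in text.splitlines():
        m = re.match(r"flow #(\d+) received from router \S+, IP protocol (\d+)", line)
        if m:
            flows.append({"id": int(m.group(1)), "proto": int(m.group(2))})
            continue
        m = re.match(r"\s*([\w ]+): (\S+)", line)
        if m and flows:
            flows[-1][m.group(1).strip()] = m.group(2)
    return flows


def wildcard_to_network(addr, wildcard):
    # IOS wildcard masks set 1 bits for "don't care"; invert to get a netmask.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[1] not in ("permit", "deny"):
            continue  # header line, or syntax this toy parser does not handle
        seq, action, proto = int(t[0]), t[1], t[2]
        src, rest = parse_addr(t[3:])
        dst, rest = parse_addr(rest)
        icmp_type = ICMP_TYPES.get(rest[0]) if rest and proto == "icmp" else None
        aces.append({"seq": seq, "action": action, "proto": PROTO_NUMS[proto],
                     "src": src, "dst": dst, "icmp_type": icmp_type})
    return aces


def ace_matches(ace, flow):
    if ace["proto"] is not None and ace["proto"] != flow["proto"]:
        return False
    src = ipaddress.IPv4Address(flow["source IP address"])
    dst = ipaddress.IPv4Address(flow["dest IP address"])
    if src not in ace["src"] or dst not in ace["dst"]:
        return False
    # NetFlow v5 stores ICMP type*256+code in the destination-port field.
    if ace["icmp_type"] is not None and int(flow["dest port"]) >> 8 != ace["icmp_type"]:
        return False
    return True


def first_match(aces, flow):
    """First-match semantics as in IOS; None means the implicit deny at the end."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace
    return None


def denied_flows(flows_text, acl_text):
    """Return (flow id, ACE seq) for every exported flow the input ACL would drop.
    A non-empty result means flows are accounted before the ACL discards them."""
    aces = parse_acl(acl_text)
    hits = []
    for flow in parse_flows(flows_text):
        ace = first_match(aces, flow)
        if ace is None or ace["action"] == "deny":
            hits.append((flow["id"], ace["seq"] if ace else None))
    return hits


if __name__ == "__main__":
    for fid, seq in denied_flows(SAMPLE_FLOWS, SAMPLE_ACL):
        print(f"flow #{fid} is in the export but ACE {seq} denies it")
```

Run against a real export, the same check also catches the opposite case: if the router enforces the ACL before accounting, the list is empty even while the ACE match counters climb, which is the Sup720 behaviour the earlier reply in the thread described.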