[nsp] ACLs on 2948G-L3

Gert Doering gert at greenie.muc.de
Mon Jun 9 22:04:05 EDT 2003


Hi,

On Fri, May 30, 2003 at 06:12:04PM +0200, Gert Doering wrote:
> I always knew that the Catalyst 2948G-L3 is a piece of junk, but today we
> had a new and exciting effect: ACLs only work "sometimes".

Update on that (for those of you that might run into this one day).

The ACL in question is about 6-7 lines too long - and when entering
the ACL, the 2948G-L3 actually prints a message to that effect ("ACL 110
too large for TCAM, disabling ACL on GigE 50" - something like that, 
I don't have the exact error message available).

The catch is: this message isn't sent to syslog, or to the telnet
session where you enter the ACL, or to the "show log" buffer.  It's 
ONLY sent to the console port - and thus we didn't see the message (the 
box is in the machine room and nobody walks downstairs just to update 
an ACL).  Smart idea, no?

We're currently complaining to Cisco to have them fix the underlying
problem (inefficient TCAM usage - the 6509 compiles its ACLs much more
efficiently, so they *can* do it) - or at least print the error message to a
place where people might notice it.

No bug id yet.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

