[nsp] ip verify unicast not logging in ACL

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Wed Nov 12 09:37:00 EST 2003


Hi,

> > From: Daniel Roesen [mailto:dr at cluenet.de]
> > Sent: 12. novembra 2003 14:26
> > To: Cisco Nsp
> > Subject: Re: [nsp] ip verify unicast not logging in ACL
> > 
> > And yes, I've also run into the "no logging" bug. Cisco claims this
> > is a "feature": 
> > 
> >  "The log ACL option is not supported if used in conjunction with
> >  uRPF, bug ID: cscdz05440, this bug is to fix the documentation.
> >  This is why your ACL is not showing any matches."
> 
> acl 'log' line gets the packet out of cef. and - iirc - urpf is a cef
> feature. that's why "it's not a bug"

Actually CSCdz05440 was closed after we fixed ACL logging with uRPF via
CSCdz05443.

> >  "It seems the ACL logging is fixed by bug cscdz05443. I am
> >  currently confirming this and will let you know."
> 
> did they manage to make acl logging be cef-supported within this ddts
> or is it an urpf-specific solution? if the former is the answer, many
> other things could work now with acl logging... anyone from cisco to
> confirm/deny?

All we did was to make sure we punt the packet to process path to create
the log entry. Logging is not (and possibly never will be) working in
the interrupt switching path, so we always have to punt. NOTE: "punting"
packets doesn't mean that we don't cef switch the packet. There is also
something like the "CEF process path".

	oli


