[c-nsp] IOS firewall on 7500 vip -- not supported??

Rodney Dunn rodunn at cisco.com
Tue May 3 08:23:13 EDT 2005


Joe,

We don't recommend folks do IPSEC on a 75xx (you can configure
it but it's not distributed and we don't test it).  That may
be what they are referencing.

Or they may be talking about IP INSPECT. I'm not sure how much
of that code is in the dCEF path or not but regardless the
box shouldn't crash when it's enabled. If anything it should
(for this box at least) punt the packets to the RSP for handling.

I wish we could move the box to a fully distributed path and
drop anything that has to be punted to make the switching
vectors simpler. But that would be a big move and we'll never do
it.

What is the case number?
Can you do "clear count" and get a couple of snapshots of "sh int stat"
for the interface you have ip inspect on and let's see if you
are dCEF switching packets to/from that interface?

Bottom line is I never recommend anyone run a feature on a 75xx
that is not fully distributed and their box should have VIPs with
the CPU power and memory to do those features in the distributed path.

Rodney 
On Tue, May 03, 2005 at 07:34:33AM -0400, Joe Maimon wrote:
> Hello All,
> 
> I have just been emailed from TAC concerning an ongoing issue where 
> H.323 inspection in 12.3 T series causes router crashes and in the 
> message was this gem.
> 
> "
> I'm from the Architecture team, so I don't have significant expertise in
> Security. I've been told the IOS Firewall feature is not supported on VIP's.
> "
> 
> Does anyone quite know what this means? I have seen it working fine.
> 
> Thanks,
> 
> Joe
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
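As an added illustration of the check Rodney suggests above (this is not code from the thread or from Cisco), the script below diffs two "sh int stat" snapshots taken after "clear count" and reports what share of an interface's traffic went through the Processor path instead of the Distributed cache. The column layout and the sample counters are constructed assumptions, not captured from a real 7500.

```python
import re

# Constructed sample: two "show interfaces stat" snapshots a few seconds apart.
# Layout assumed to follow classic IOS output; numbers are made up.
SNAPSHOT_1 = """\
FastEthernet1/0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        120      15000        110      14000
             Route cache          0          0          0          0
       Distributed cache      50000    6400000      48000    6100000
                   Total      50120    6415000      48110    6114000
"""
SNAPSHOT_2 = """\
FastEthernet1/0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      30120    3900000      29110    3700000
             Route cache          0          0          0          0
       Distributed cache      50500    6460000      48400    6150000
                   Total      80620   10360000      77510    9850000
"""

ROW_RE = re.compile(
    r"^\s*(Processor|Route cache|Distributed cache|Total)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_int_stat(text):
    """Return {interface: {path: (pkts_in, chars_in, pkts_out, chars_out)}}."""
    stats, iface = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and iface is not None:
            stats[iface][m.group(1)] = tuple(int(x) for x in m.groups()[1:])
        elif line and not line[0].isspace():
            iface = line.strip()          # interface names start in column 0
            stats[iface] = {}
    return stats


def punt_ratio(before, after, iface):
    """Fraction of packets (in + out) that hit the Processor path between snapshots."""
    b, a = parse_int_stat(before)[iface], parse_int_stat(after)[iface]
    delta = lambda p: (a[p][0] - b[p][0]) + (a[p][2] - b[p][2])
    total = delta("Total")
    return delta("Processor") / total if total else 0.0


def is_punted(before, after, iface, threshold=0.05):
    """True if more than `threshold` of the traffic is leaving the dCEF path."""
    return punt_ratio(before, after, iface) > threshold


if __name__ == "__main__":
    r = punt_ratio(SNAPSHOT_1, SNAPSHOT_2, "FastEthernet1/0/0")
    print(f"FastEthernet1/0/0: {r:.1%} of packets punted to the RSP")
```

A healthy dCEF interface shows almost all of the delta in the Distributed cache row; a jump in the Processor row after enabling a feature is the sign Rodney is asking to look for.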