[c-nsp] IOS firewall on 7500 vip -- not supported??

Rodney Dunn rodunn at cisco.com
Tue May 3 13:33:07 EDT 2005


On Tue, May 03, 2005 at 10:57:24AM -0400, Joe Maimon wrote:
> 
> 
> Rodney Dunn wrote:
> > Joe,
> > 
> > We don't recommend folks do IPSEC on a 75xx (you can configure
> > it but it's not distributed and we don't test it).  That may
> > be what they are referencing.
> 
> I don't recommend it either. Been there, done that, seen nasty ATM cell 
> loss on PVCs carrying ipsec traffic to the box, didn't get any support.
> 
> Still cannot understand why a) ipsec is allowed b) ipsec is not 
> supported c) even when it causes outages in "unrelated" functions.

I've said it before. It's IPSEC session to the box for management.

> 
> > 
> > Or they may be talking about IP INSPECT. I'm not sure how much
> > of that code is in the dCEF path or not but regardless the
> > box shouldn't crash when it's enabled.
> 
> I am not quite certain either, but I suspect on this box I see little to 
> no dCEF switching of CBAC'd traffic. However this issue is a bug.
> 
> CSCsa64848
> 
Ok..the bug is filed and it's assigned.

> 
> > If anything it should
> > (for this box at least) punt the packets to the RSP for handling.
> > 
> Yep, CBAC/NBAR. And it does work. The question is what has happened now 
> that it is not "supported"? I have been getting support on this for 
> quite some time.

If it crashes the box it's a bug. Simple as that and should be fixed.

> 
> What would you do to support customers who did not want simple ACL 
> protection but real session tracking? (Everyone buying "Managed 
> Internet") VRF-Lite to pixen?
> 
> > I wish we could move the box to a fully distributed path and
> > drop anything that has to be punted to make the switching
> > vectors simpler. But that would be a big move and we'll never do
> > it.
> > 
> There are many things that to an outsider like me seem to be 
> "intentionally" left out of the dCEF switching path. I am happy I have 
> them at all.
> 
> Perhaps that would be motivation for a separate train. However, people 
> don't seem to appreciate the lack of supported features for the GSR (hence 
> the 7600 as an attempt to replace the 7500) and 7500 is kind of a legacy 
> platform now.
> 
> I can appreciate it would be a whole lot easier for cisco to support a 
> simpler switching path with less features. That's what their competitors 
> do. But "less features" to the best of my recollection has never been a 
> Cisco selling point.
> 
> If a more powerful RSP were available, I wouldn't mind doing feature 
> processing there. The problem is that the RSP16 is almost the cost of a 
> NPE-G1 and not quite as powerful.
> 
> > What is the case number?
> 
> Coming in separately.
> 
> > Can you do "clear count" and get a couple snapshots of "sh int stat"
> > for the interface you have ip inspect on and let's see if you
> > are dCEF switching packets to/from that interface?
> > 
> 
> Basically all interfaces that have an egress ACL with an ending line of 
> deny ip any any have a corresponding ip inspect <name> in (it's also 
> using reflexive ACLs for the protocols that CBAC does not support).
> 
> I will take a look and see what I can find.
> 
> > Bottom line is I never recommend anyone run a feature on a 75xx
> > that is not fully distributed and their box should have VIPs with
> > the CPU power and memory to do those features in the distributed path.
> 
> Well I wouldn't recommend it to anyone either, except if they are 
> prepared to re-evaluate their capacity based on their RSP.
> 
> > 
> > Rodney 
> > 
> > 
> > 
> > 
> > On Tue, May 03, 2005 at 07:34:33AM -0400, Joe Maimon wrote:
> > 
> >>Hello All,
> >>
> >>I have just been emailed from TAC concerning an ongoing issue where 
> >>H.323 inspection in 12.3 T series causes router crashes and in the 
> >>message was this gem.
> >>
> >>"
> >>I'm from the Architecture team, so I don't have significant expertise in
> >>Security. I've been told the IOS Firewall feature is not supported on VIP's.
> >>"
> >>
> >>Does anyone quite know what this means? I have seen it working fine.
> >>
> >>Thanks,
> >>
> >>Joe
> >>_______________________________________________
> >>cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>archive at http://puck.nether.net/pipermail/cisco-nsp/
> > 
> > 
> > 

