[c-nsp] sup720 protection on the 6500/7600

Charles Spurgeon c.spurgeon at mail.utexas.edu
Sun Feb 18 11:27:34 EST 2007


On Sun, Feb 18, 2007 at 09:43:31AM +0200, Saku Ytti wrote:
> On (2007-02-17 17:05 -0600), Charles Spurgeon wrote:
> 
> > When it comes to "mls rate-limit" I have a tale of woe to relate
> > concerning BugID CSCec44594. This bugid describes how using the
> > command "mls rate-limit unicast cef receive <n> <n>" in a Sup720
> > causes pre-existing ACL logic to be inverted. 
> 
> > 1. reversed ACL functions (ingress became egress) due to mls
> > rate-limit operations and
> 
> Ouch! Does this apply to SVIs only? I've run CoPP with ingress
> and egress ACL for quite a long time now and haven't had this issue yet.
> But I don't have SVI interfaces, only 'L3' interfaces, which of
> course are internally still mapped to VLANs, but are still
> not 100% equal from the PFC3 point of view.

Good question. The failure mode we saw was on an SVI. I don't recall
hearing anything from Cisco about whether the issue relies on the
interface being an SVI.

Presumably, if the packet circulation paths are different enough
between the SVI and "native L3" ints then the impact of this special
condition of mls rate-limiting could differ as well. Since we're heavy
users of SVIs, I never tried testing the "native L3" case.

-Charles


