[c-nsp] Strange message on the console

Arie Vayner (avayner) avayner at cisco.com
Sun May 18 13:23:41 EDT 2008


If the VLAN has no egress ACL, then it would permit any traffic, and
there would be no issue...
Arie 

-----Original Message-----
From: Ross Vandegrift [mailto:ross at kallisti.us] 
Sent: Sunday, May 18, 2008 18:55 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Strange message on the console

On Sun, May 18, 2008 at 08:25:49AM +0200, Arie Vayner (avayner) wrote:
> Ross,
> 
> This is a bug caused by some HW limitation. What the message says is
> the packets RECEIVED on a specific VLAN, and which are destined to the
> local router (like in your case), and in case rate-limiting for this 
> traffic is enabled - then this traffic would hit the OUTPUT ACL 
> configured on the same VLAN - which is basically wrong...
> 
> Hope you see the issue now.

Aha - yes, now I get it.  I was misunderstanding the message.

> The workaround would be simple - make the ACLs permit the traffic...

Does this issue affect VLANs that have no output ACL?

Thanks Arie,

Ross

> 
> This issue is not there on the newer 3C/3CXL based SUPs.
> 
> Arie
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ross 
> Vandegrift
> Sent: Sunday, May 18, 2008 08:57 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange message on the console
> 
> Hi everyone,
> 
> I was messing around with rate-limiting ARP resolution on a 6500 
> SUP720-3bxl.  After entering "mls rate-limit unicast cef glean 250 
> 50", IOS printed this message on the console:
> 
> %Packets requiring ARP resolution will be subject to the output ACLs 
> of the input VLAN
> 
> Uhhhh, duh?  I would hope that traffic would always be subject to the 
> input VLAN's output ACL, since that would be how one would expect ACLs
> to work - ie, that they actually do something....  I can't imagine 
> that this means to imply that output ACLs only work when glean 
> rate-limiting is enabled.
> 
> Google finds nothing on this message - anyone have any info on this 
> curious bit?
> 
> 
> --
> Ross Vandegrift
> ross at kallisti.us
> 
> "The good Christian should beware of mathematicians, and all those who
> make empty prophecies. The danger already exists that the 
> mathematicians have made a covenant with the devil to darken the 
> spirit and to confine man in the bonds of Hell."
> 	--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
> 

--
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who
make empty prophecies. The danger already exists that the mathematicians
have made a covenant with the devil to darken the spirit and to confine
man in the bonds of Hell."
	--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37
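
An added example, not part of the original thread and not Cisco tooling: a Python check that reads a running-config and, when the glean rate limiter discussed above is configured, lists the VLAN interfaces that carry an output ACL, since those are the ACLs that would need to permit the affected traffic on the pre-3C/3CXL supervisors mentioned in the thread. The sample config, VLAN numbers and ACL names are constructed, and it assumes ACLs are applied with `ip access-group ... out` under `interface Vlan` blocks.

```python
import re

# Constructed sample running-config; VLAN numbers and ACL names are made up.
SAMPLE_CONFIG = """\
mls rate-limit unicast cef glean 250 50
!
interface Vlan10
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
interface Vlan20
 ip access-group MGMT-IN in
!
interface GigabitEthernet1/1
 ip access-group UPLINK-OUT out
!
interface Vlan30
 ip access-group 110 out
!
"""

GLEAN_RE = re.compile(r"^mls rate-limit unicast cef glean\b", re.M)
IFACE_RE = re.compile(r"^interface (\S+)")
ACL_OUT_RE = re.compile(r"^\s+ip access-group (\S+) out\s*$")

def svis_with_output_acl(config):
    """Map each VLAN interface to the ACL applied in the 'out' direction."""
    found, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)          # entered a new interface block
        elif not line.startswith(" "):
            current = None                # '!' or a global command ends the block
        elif current and current.lower().startswith("vlan"):
            acl = ACL_OUT_RE.match(line)
            if acl:
                found[current] = acl.group(1)
    return found

def acls_to_review(config):
    """Output ACLs that matter only when the glean rate limiter is configured."""
    if not GLEAN_RE.search(config):
        return {}
    return svis_with_output_acl(config)

if __name__ == "__main__":
    for svi, acl in acls_to_review(SAMPLE_CONFIG).items():
        print(f"{svi}: output ACL {acl} also sees packets needing ARP resolution")
```

VLANs with no output ACL (Vlan20 in the sample) are not reported, matching the answer at the top of the thread.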
