[c-nsp] reflexive ACL on 6500

Michael Malitsky malitsky at netabn.com
Wed Oct 29 22:07:44 EDT 2008


Hello,

Does anyone have any experience using reflexive ACLs on a 6500?  I am
having trouble finding definitive information as to the manner these are
processed.  One document indicates the first packet of a flow is punted
to the MSFC, the rest are hardware-switched.  Another says that the
first packet of a flow is always punted to the MSFC, while for the rest
of the flow to be switched in hardware, mls netflow has to be enabled,
otherwise it's all software.
For the time being, we don't have a huge load on the box, so
software/hardware path selection isn't causing a lot of grief, but I'd
rather not wait until this becomes a pain point.
In addition, every so often (2-3 months) a particular ACL will stop
"reflecting".  As in, the SYN packets will go through and will show up in
the reflected list, but the response packets won't be allowed through.
Only one list (out of a dozen or two) at a time, and not necessarily the
same list every time.  The solution is to remove the list and recreate
it.
We are running a 6509/Sup720 with 12.2(18)SXF.

Any suggestions/experiences appreciated.

Michael
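For readers who have not set one up, the following is an added, illustrative reflexive-ACL configuration of the kind the question is about; it is not from the post or from Cisco documentation. The interface name (Vlan100), the list names (OUTBOUND, INBOUND, TCP-REFLECT, UDP-REFLECT), the 120-second timeout and the sample addresses are all assumed for the example. The "show" commands at the end are the ones I would use to confirm that reflected entries are being created and whether flows are being seen by NetFlow, which is the hardware/software question raised above.

```cisco
! Added example, not the poster's configuration. Names, interface and
! timeout are assumptions chosen for illustration.
!
! Outbound list: traffic leaving toward the untrusted side creates
! temporary "reflected" entries keyed on the 5-tuple of each session.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT
 permit udp any any reflect UDP-REFLECT
 permit ip any any
!
! Inbound list: "evaluate" consults the reflected entries, so only the
! return half of a session started from inside is admitted. Anything
! else falls through to the explicit deny.
ip access-list extended INBOUND
 permit icmp any any echo-reply
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 deny ip any any log
!
! Idle timeout for reflected entries (seconds); TCP entries are also
! removed shortly after the session is torn down (FIN/RST).
ip reflexive-list timeout 120
!
! Apply on the interface facing the untrusted network. Assumed name.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification (exec mode):
!   show ip access-lists TCP-REFLECT   - lists the current reflected
!                                        entries; a SYN that appears here
!                                        but whose reply is dropped is the
!                                        symptom described in the post
!   show ip access-lists INBOUND       - hit counts on the deny line show
!                                        return traffic being refused
!   show mls netflow ip                - confirms whether flows are being
!                                        tracked in hardware
```

When diagnosing the "stops reflecting" symptom, comparing the reflected entry's addresses and ports against the dropped reply (from the `log` keyword on the deny line) is the quickest way to see whether the entry was created with the wrong 5-tuple or the reply is simply never being matched against it.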

