[c-nsp] reflexive ACL on 6500 + CoPP

Michael Malitsky malitsky at netabn.com
Fri Oct 31 01:05:46 EDT 2008


I would like to complicate the original question: having enabled CoPP on the same box I've run into a situation whereby several ACEs on some reflexive ACLs stopped matching/processing.  I tried removing/reapplying the ACLs, recreating them, clearing mls table, no dice.  As soon as I remove CoPP they start functioning normally, as soon as I apply CoPP these same ACEs stop.  This affects only reflexive ACEs, as rewriting them as 'standard' ACEs also fixes the issue.  
For a while I thought the problem was caused by the CoPP transmit ceiling being set too low, and the flow setup packets that are punted to MSFC being dropped.  However, changing the CoPP policy to transmit everything, for all classes, did not help.  Only disabling the CoPP policy.
Is there some interaction between the features?

Also, on the subject of CoPP, can anyone suggest how to go about classifying traffic and setting limits for CoPP?  I've identified obvious things like routing protocols, various management tools, etc.  The catch-all class still shows quite a bit of traffic, and I am stumped on how to identify what it is.  I understand some of that is packets punted to MSFC, but again, how do I identify/classify them?

Thank you,
Michael


-----Original Message-----
From: Michael Malitsky
Sent: Wed 10/29/2008 9:07 PM
To: 'cisco-nsp at puck.nether.net'
Cc: Michael Malitsky
Subject: reflexive ACL on 6500
 
Hello,

Does anyone have any experience using reflexive ACLs on a 6500?  I am having trouble finding definitive information as to the manner these are processed.  One document indicates the first packet of a flow is punted to the MSFC, the rest are hardware-switched.  Another says that the first packet of a flow is always punted to the MSFC, while for the rest of the flow to be switched in hardware, mls netflow has to be enabled, otherwise it's all software.
For the time being, we don't have a huge load on the box, so software/hardware path selection isn't causing a lot of grief, but I'd rather not wait until this becomes a pain point.
In addition, every so often (2-3 months) a particular ACL will stop "reflecting".  As in the SYN packets will go through, will show up in the reflected list, but the response packets won't be allowed through.  Only one list (out of a dozen or two) at a time, and not necessarily the same list every time.  The solution is to remove the list and recreate it.
We are running a 6509/Sup720 with 12.2(18)SXF.

Any suggestions/experiences appreciated.

Michael

