[c-nsp] Weird ACL behaviour

Benjamin Lovell belovell at cisco.com
Thu Jun 17 10:29:06 EDT 2010


The code path for MLS netflow versus software netflow is not the same.
For MLS netflow the export records are created by the DFC/PFC, so it's
not surprising that they act differently than "locally generated"
traffic.

Just as an example that shows the code path is different: export to a
VRF destination is supported for software netflow but not for MLS
netflow.


-Ben


On Jun 17, 2010, at 9:17 AM, Marco Matarazzo wrote:

> Hi all,
>
> I'm facing a strange behaviour with an ACL and just wanted to know if
> someone has encountered a similar issue. Here are the facts:
>
> I'm using a Cisco 6509 on SXI2, and I've set up Netflow to collect and send
> traffic to a collector. The collector is on my management network. The
> relevant configs:
>
> [...snip...]
>
> mls netflow interface
> mls flow ip interface-full
> mls nde sender
>
> [... some interfaces have ip flow ingress configured...]
>
> interface FastEthernet3/48
> description Management Network
> ip address 10.16.x.y 255.255.255.0
> ip access-group Management out
> no ip proxy-arp
>
> ip flow-export source FastEthernet3/48
> ip flow-export version 9 origin-as
> ip flow-export destination 10.16.x.z 9995
>
> ip access-list extended Management
> deny   ip any any
>
> with this configuration in place the collector only receives flows generated
> by CPU-switched traffic. All the traffic generated by the mls nde sender
> command does get blocked by the ACL. As soon as I remove the ACL the traffic
> flows fine. I was under the assumption that traffic generated by the router
> was not affected by the ACLs, and in fact all the rest of the traffic is
> fine... Maybe I'm catching a bug here, or is it written somewhere that
> packets created by the mls get blocked by ACLs?
>
> Cheers,
> ]\/[arco
>
>
> -- 
> I'm Winston Wolf, I solve problems.
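An added example, not from either poster, of the configuration adjustment this thread points toward: because the PFC/DFC-generated NDE export packets pass through the outbound ACL on FastEthernet3/48 like transit traffic, the Management ACL needs an explicit permit for the export flow ahead of its catch-all deny. The addresses, UDP port and interface are the ones quoted in the original post; the ACL layout and the verification commands are assumptions, not something the thread confirms.

```cisco
! Management ACL as posted: blocks everything outbound on Fa3/48, which on
! this platform includes the NetFlow export packets produced by mls nde sender
! (RP-generated traffic is unaffected, which is why CPU-switched flows still arrive).
ip access-list extended Management
 deny   ip any any

! Adjusted ACL (added example): permit the flow-export traffic from the
! configured export source to the collector before the catch-all deny.
! Source 10.16.x.y and collector 10.16.x.z / UDP 9995 are taken from the post.
ip access-list extended Management
 permit udp host 10.16.x.y host 10.16.x.z eq 9995
 deny   ip any any

interface FastEthernet3/48
 description Management Network
 ip address 10.16.x.y 255.255.255.0
 ip access-group Management out
 no ip proxy-arp

! Verification (exec mode, assumed): the permit entry should accumulate
! matches while the collector receives MLS-generated flows; show mls nde
! confirms the hardware exporter is active and where it is sending.
show ip access-lists Management
show mls nde
```

Keeping the permit as narrow as the export flow (single source, single collector, single port) preserves the intent of the deny-all management ACL while letting the hardware-generated export traffic through.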