[c-nsp] Weird ACL behaviour
Benjamin Lovell
belovell at cisco.com
Thu Jun 17 12:38:17 EDT 2010
Marco,
This looks like CSCtc54878, "NDE direct export packets are checked by egress ACL".
When the packets are exported by the SP (MLS NetFlow), the flag for
hardware to ignore ACL checks is not set. Fixed in SXI4.
-Ben
On Jun 17, 2010, at 11:52 AM, Rodney Dunn wrote:
> If it is an inconsistency in implementation between the software and
> hardware generated records it should be clearly articulated as a
> gotcha in the configuration guide. Ben is checking on both parts for
> us.
>
> Rodney
>
>
>
> On 6/17/10 11:15 AM, Marco Matarazzo wrote:
>> On Thu, Jun 17, 2010 at 4:29 PM, Benjamin
>> Lovell<belovell at cisco.com> wrote:
>>
>>> The code path for MLS netflow versus software netflow is not the
>>> same. For MLS netflow the export records are created by the DFC/PFC,
>>> so it's not surprising that they act differently than "locally
>>> generated" traffic.
>>>
>>
>> I'm not surprised that the flows are created by different 'entities'
>> inside the 6500. Further evidence is the fact that mls records are
>> created with a source port different from the software-created records.
>> I just found it unexpected that this 'entity' was considered external
>> from the point of view of the ACL. Once you know it, I can punch a hole
>> in the ACL, but wanted to be sure this is expected and not actually a
>> bug of some sort (in the software or in the documentation! ;)
>>
>> Thanks!
>> ]\/[arco
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
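For readers hitting the same behaviour on a release before the fix, the "hole in the ACL" Marco mentions looks like the following. This is a constructed IOS configuration example added here, not configuration from the thread or from Cisco; the addresses, the Loopback0 export source, the collector 192.0.2.10 on UDP 9996, the ACL name EGRESS-FILTER and the uplink interface are all assumptions. The one detail it depends on from the thread is that the PFC/DFC-generated export packets carry a different UDP source port than the software-generated ones, so the permit entry matches on source address and destination port only and leaves the source port unconstrained.

```text
! Constructed example, not from the original thread. Assumed: Loopback0
! (10.0.0.1) is the NDE export source, 192.0.2.10 is the collector listening
! on UDP 9996, and EGRESS-FILTER is the egress ACL on the uplink toward it.
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination 192.0.2.10 9996
mls nde sender version 5
!
ip access-list extended EGRESS-FILTER
 ! Hole for the PFC/DFC-generated NDE packets, which are subject to the
 ! egress ACL on affected releases (CSCtc54878). Do not pin the UDP source
 ! port: the hardware-generated records use a different one than the
 ! software-generated records. This entry must precede the final deny.
 permit udp host 10.0.0.1 host 192.0.2.10 eq 9996
 ! ... existing entries ...
 deny ip any any
!
interface TenGigabitEthernet1/1
 ip access-group EGRESS-FILTER out
```

To confirm the hole is doing its job, compare the export counters in `show ip flow export` and `show mls nde` against what the collector actually receives; if the software-generated records arrive but the MLS-generated ones do not, the ACL entry is either missing, ordered after a matching deny, or matching on a source port the hardware does not use. Once running a release that includes the fix Ben names (SXI4), the entry can be removed again, since the export packets then bypass the egress ACL check as locally generated traffic does.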