[c-nsp] Weird ACL behaviour

Benjamin Lovell belovell at cisco.com
Thu Jun 17 12:38:17 EDT 2010


Marco,

This looks like
CSCtc54878    NDE direct export packets are checked by egress ACL

When the packets are exported by the SP (MLS netflow) the flag for  
hardware to ignore ACL checks is not set. Fixed in SXI4.

-Ben


On Jun 17, 2010, at 11:52 AM, Rodney Dunn wrote:

> If it is an inconsistency in implementation between the software and  
> hardware generated records it should be clearly articulated as a  
> gotcha in the configuration guide. Ben is checking on both parts for  
> us.
>
> Rodney
>
>
>
> On 6/17/10 11:15 AM, Marco Matarazzo wrote:
>> On Thu, Jun 17, 2010 at 4:29 PM, Benjamin Lovell <belovell at cisco.com> wrote:
>>
>>> The code path for MLS netflow versus software netflow is not the  
>>> same. For
>>> MLS netflow the export records are created by the DFC/PFC so it's  
>>> not
>>> surprising that they act differently than "locally generated"  
>>> traffic.
>>>
>>
>> I'm not surprised that the flows are created by different  
>> 'entities' inside
>> the 6500. Further evidence is the fact that mls records are created  
>> with a
>> source port different than the software created records.
>> I just found it unexpected that this 'entity' was considered  
>> external by the
>> point of view of the ACL. Once you know it, I can punch a hole in  
>> the ACL,
>> but wanted to be sure this is expected and not actually a bug of  
>> some sort
>> (in the software or in the documentation! ;)
>>
>> Thanks!
>> ]\/[arco
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
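The behaviour the thread describes (software-generated NDE packets skip the egress ACL, PFC/DFC-generated ones are checked and fall through to the implicit deny) and the ACL hole Marco mentions can be illustrated with a small first-match ACL evaluator. This is an added example, not code or configuration from the thread or from Cisco: the addresses, ports and ACE contents are constructed placeholders, and the `bypass_acl` flag is a model of the "ignore ACL checks" flag Ben says the SP does not set. The hole deliberately does not match on source port, because the thread notes that MLS-generated records use a different source port than the software-generated ones.

```python
"""Added example: model why hardware-exported NetFlow (NDE) packets can be
dropped by an egress ACL that locally generated export packets bypass,
and what a minimal ACL exception looks like. All values are constructed."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    # Models the "ignore ACL checks" flag: set on RP/software-generated
    # export packets, not set on SP/MLS-generated ones (per the thread).
    bypass_acl: bool = False


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" (any protocol)
    src: str                     # CIDR, e.g. "198.51.100.1/32"
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an implicit deny sits at the end."""
    if pkt.bypass_acl:
        return "permit"  # locally generated traffic skips the egress check
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed placeholder addresses (RFC 5737 documentation ranges).
EXPORTER = "198.51.100.1"   # router's flow-export source address
COLLECTOR = "203.0.113.10"  # NetFlow collector
COLLECTOR_PORT = 9996       # constructed collector port

# Egress ACL on the interface toward the collector: only the customer
# prefix may leave; everything else falls through to the implicit deny.
EGRESS_ACL = [
    Ace("permit", "ip", "192.0.2.0/24", "0.0.0.0/0"),
]

# The "hole": exporter -> collector on the collector port, any source port,
# since MLS-generated records use a different source port than software ones.
NDE_HOLE = Ace("permit", "udp", f"{EXPORTER}/32", f"{COLLECTOR}/32", COLLECTOR_PORT)
PATCHED_ACL = [NDE_HOLE] + EGRESS_ACL

# Two export packets to the same collector: one from the RP (bypasses the
# ACL), one from the PFC/DFC with a different source port (is checked).
SOFTWARE_NDE = Packet("udp", EXPORTER, 51234, COLLECTOR, COLLECTOR_PORT, bypass_acl=True)
HARDWARE_NDE = Packet("udp", EXPORTER, 60001, COLLECTOR, COLLECTOR_PORT, bypass_acl=False)


def compare(acl: List[Ace]) -> dict:
    """Return the ACL verdict for both kinds of export packet."""
    return {
        "software_nde": evaluate(acl, SOFTWARE_NDE),
        "hardware_nde": evaluate(acl, HARDWARE_NDE),
    }


if __name__ == "__main__":
    print("original ACL:", compare(EGRESS_ACL))   # hardware_nde denied
    print("with NDE hole:", compare(PATCHED_ACL))  # both permitted
```

Running it shows the asymmetry the thread is about: the software-generated export is permitted regardless of the ACL, while the hardware-generated one is dropped until the exception is in place. Note that the exception only opens exporter-to-collector UDP on the collector port; it does not need to match the export source port.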


