[c-nsp] Weird ACL behaviour

Marco Matarazzo marmata at gmail.com
Thu Jun 17 13:19:50 EDT 2010


Fantastic Ben, looks like you caught it! Will punch a hole in the ACL,
waiting for the next software upgrade cycle then!

Cheers,
]\/[arco

On Thu, Jun 17, 2010 at 6:38 PM, Benjamin Lovell <belovell at cisco.com> wrote:

> Marco,
>
> This looks like
> CSCtc54878    NDE direct export packets are checked by egress ACL
>
> When the packets are exported by the SP(MLS netflow) the flag for hardware
> to ignore ACL checks is not set. Fixed in SXI4.
>
> -Ben
>
>
>
> On Jun 17, 2010, at 11:52 AM, Rodney Dunn wrote:
>
>> If it is an inconsistency in implementation between the software and
>> hardware generated records it should be clearly articulated as a gotcha in
>> the configuration guide. Ben is checking on both parts for us.
>>
>> Rodney
>>
>>
>>
>> On 6/17/10 11:15 AM, Marco Matarazzo wrote:
>>
>>> On Thu, Jun 17, 2010 at 4:29 PM, Benjamin Lovell <belovell at cisco.com> wrote:
>>>
>>>> The code path for MLS netflow versus software netflow is not the same.
>>>> For MLS netflow the export records are created by the DFC/PFC so it's not
>>>> surprising that they act differently than "locally generated" traffic.
>>>>
>>>>
>>> I'm not surprised that the flows are created by different 'entities'
>>> inside the 6500. Further evidence is the fact that mls records are created
>>> with a source port different from the software created records.
>>> I just found it unexpected that this 'entity' was considered external from
>>> the point of view of the ACL. Once you know it, I can punch a hole in the
>>> ACL, but I wanted to be sure this is expected and not actually a bug of
>>> some sort (in the software or in the documentation! ;)
>>>
>>> Thanks!
>>> ]\/[arco
>>>


-- 
I'm Winston Wolf, I solve problems.
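Added example of the narrow ACL hole Marco mentions; this is not configuration from the thread, and the ACL name, interface, addresses and export port are placeholders. It follows Ben's explanation that the PFC/DFC-generated NDE packets are checked by the egress ACL like transit traffic, and Marco's observation that their UDP source port differs from the software-generated records, so the permit matches source host, destination host and destination port only.

```cisco
! --- Constructed example, placeholder values (not from the thread) ---
! NDE exported from Loopback0 (192.0.2.1) to collector 192.0.2.50 on UDP 9996
ip flow-export source Loopback0
ip flow-export destination 192.0.2.50 9996
mls nde sender version 5
!
! Egress ACL on the interface facing the collector.
ip access-list extended EGRESS-TO-COLLECTOR
 remark CSCtc54878 workaround: PFC/DFC-generated NDE packets hit this ACL
 remark do not match on source port, it differs between MLS and software records
 permit udp host 192.0.2.1 host 192.0.2.50 eq 9996
 ! (existing permit entries for transit traffic go here)
 deny ip any any log
!
interface GigabitEthernet1/1
 ip access-group EGRESS-TO-COLLECTOR out
```

Logged denies whose source is the switch's own flow-export address and whose destination is the collector are the sign this behaviour is in play; once the platform runs a release with the fix, the permit can be removed.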

