[c-nsp] Weird ACL behaviour
Rodney Dunn
rodunn at cisco.com
Fri Jun 18 09:52:49 EDT 2010
Ben forgot to mention the development engineers are porting it over to
the SR train for 7600 as it was one they missed in the cross port of
applicable fixes.
Rodney
On 6/17/10 1:19 PM, Marco Matarazzo wrote:
> Fantastic Ben, looks like you catched it! Will punch an hole in the ACL,
> waiting for the next software upgrade cycle then!
>
> Cheers,
> ]\/[arco
>
> On Thu, Jun 17, 2010 at 6:38 PM, Benjamin Lovell<belovell at cisco.com> wrote:
>
>> Marco,
>>
>> This looks like
>> CSCtc54878 NDE direct export packets are checked by egress ACL
>>
>> When the packets are exported by the SP(MLS netflow) the flag for hardware
>> to ignore ACL checks is not set. Fixed in SXI4.
>>
>> -Ben
>>
>>
>>
>> On Jun 17, 2010, at 11:52 AM, Rodney Dunn wrote:
>>
>> If it is an inconsistency in implementation between the software and
>>> hardware generated records it should be clearly articulated as a gotcha in
>>> the configuration guide. Ben is checking on both parts for us.
>>>
>>> Rodney
>>>
>>>
>>>
>>> On 6/17/10 11:15 AM, Marco Matarazzo wrote:
>>>
>>>> On Thu, Jun 17, 2010 at 4:29 PM, Benjamin Lovell<belovell at cisco.com>
>>>> wrote:
>>>>
>>>> The code path for MLS netflow versus software netflow is not the same.
>>>>> For
>>>>> MLS netflow the export records are created by the DFC/PFC so it's not
>>>>> surprising that they act differently than "locally generated" traffic.
>>>>>
>>>>>
>>>> I'm not surprised that the flows are created by different 'entities'
>>>> inside
>>>> the 6500. Another evidence is the fact that mls record are created with
>>>> a
>>>> source port different than the software created records.
>>>> I just found it unexpected that this 'entity' was considered external by
>>>> the
>>>> point of view of the ACL. Once you know it, I can punch an hole in the
>>>> ACL,
>>>> but wanted to be sure this is expected and not actually a bug of some
>>>> sort
>>>> (in the software or in the documentation! ;)
>>>>
>>>> Thanks!
>>>> ]\/[arco
>>>>
>>> _______________________________________________
>>>
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>
>>
>
>
More information about the cisco-nsp
mailing list