[c-nsp] ACL is not working properly on 7600s

Saku Ytti saku at ytti.fi
Wed Sep 29 03:30:15 EDT 2010


On (2010-09-29 10:08 +0300), sinan akyıldız wrote:

Hey Sinan,

> I have issues with applying ACL on 7606s. Most of the time I cannot see
> matching packets to the ACL entries and the ACLs are not working as
> expected.

Those are software counters; you should see hardware counters in 'show tcam
interface X acl in|out ip'.

> For testing
> 
> I have two access-lists
> Extended IP access list 156
>     10 permit icmp any any log
>     20 permit ip any any log
> Extended IP access list 157
>     10 permit icmp any any
>     20 permit ip any any
> When ACL 156 is applied to the interface (in) it is not possible to ping inside
> from outside. However, with ACL 157 pings are successful.
> Are there any known issues with the ACLs applied on 7600s?

157 would be abstracted away when compiled, as it doesn't do anything.

One reason 156 could break is if you are also running CoPP, as logged packets are
punted, rate limited, to the control plane, and in the control plane your rules
likely do not permit arbitrary packets.

-- 
  ++ytti
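As an added illustration (not part of the reply above and not configuration from the original thread), the following Cisco IOS fragment shows the interaction being described: a data-path ACL whose entries carry `log` punts matching packets to the control plane, where a restrictive CoPP policy drops them, while the same ACL without `log` stays in the TCAM. The names COPP-ALLOWED, COPP-ALLOWED-CLASS, COPP-POLICY, the police rates and the interface GigabitEthernet1/1 are assumptions for the example.

```cisco
! Data-path ACL as in the thread: every entry carries 'log', so matching
! packets are punted (rate limited) to the route processor for logging.
access-list 156 permit icmp any any log
access-list 156 permit ip any any log
!
! Restrictive CoPP policy (assumed example): only traffic matching
! COPP-ALLOWED reaches the route processor; everything else is dropped.
ip access-list extended COPP-ALLOWED
 permit tcp any any eq 22
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-any COPP-ALLOWED-CLASS
 match access-group name COPP-ALLOWED
!
policy-map COPP-POLICY
 class COPP-ALLOWED-CLASS
  police 512000 8000 conform-action transmit exceed-action drop
 class class-default
  police 8000 1000 conform-action drop exceed-action drop
!
control-plane
 service-policy input COPP-POLICY
!
! With 156 applied inbound, punted transit ICMP falls into class-default
! and is dropped, so pings through the box fail although the ACL permits them.
interface GigabitEthernet1/1
 ip access-group 156 in
!
! Same ACL without 'log' (157 from the thread): the forwarding decision stays
! in hardware and the packets never reach the CoPP policy.
access-list 157 permit icmp any any
access-list 157 permit ip any any
interface GigabitEthernet1/1
 ip access-group 157 in
!
! Check the hardware (TCAM) counters rather than the software ACL counters:
!   show tcam interface GigabitEthernet1/1 acl in ip
```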

