[c-nsp] Sup720 SVI ACL deny punted? (no logging)
Peter Rathlev
peter at rathlev.dk
Wed Aug 29 05:17:59 EDT 2012
Good morning all,
I'm stumped researching a slightly overloaded Supervisor 720 on one of
our aggregation devices. I've discovered that an access-list applied to
an SVI means denied packets are punted to the CPU. There's no log
statement. The packets have no IP options, TTL=64, DSCP=0x28 and frame
length 60 bytes.
When I create an ERSPAN session capturing "source cpu rp tx" I see all
the packets that are denied. As soon as I remove the ACL from the SVI I
don't see the packets. (The destination host does not exist, but the
network in question is not connected to this device.)
Shouldn't the Sup720 always be able to deny things in hardware? Does
anybody know how to see exactly why the packets are punted?
Example packet captured via ERSPAN:
10:59:30.790477 00:1e:ca:ed:45:7f > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 60:
(tos 0xa0, ttl 64, id 8722, offset 0, flags [none], proto: UDP (17), length: 41)
192.0.2.205.5001 > 203.0.113.40.5000: UDP, length 13
Configuration and output from show commands follows, addresses replaced:
ip access-list extended petrat-telefoni-temp
deny ip any host 198.51.100.10
deny ip any host 203.0.113.40
permit ip any any
!
interface Vlan41
description SKS IP-telefoner
ip vrf forwarding TDC02401
ip address 192.0.2.2 255.255.255.0
ip access-group petrat-telefoni-temp in
ip helper-address 172.
ip helper-address 10.85.45.30
no ip redirects
no ip proxy-arp
ip flow ingress
ntp disable
standby 2 ip 192.0.2.1
standby 2 timers 1 3
standby 2 priority 140
standby 2 preempt delay minimum 20 reload 300
standby 2 authentication md5 key-string 7 <hidden>
standby 2 track 1 decrement 50
standby 2 track 5 decrement 50
hold-queue 256 in
!
Switch#sh tcam interface vlan41 acl in ip detail
* Global Defaults not shared
-------------------------------------------------------------------------------------------------------------------
DPort - Destination Port       SPort - Source Port     TCP-F - U -URG         Pro  - Protocol
I     - Inverted LOU           TOS   - TOS Value               - A -ACK         rtr  - Router
MRFM  - M -MPLS Packet         TN    - T -Tcp Control          - P -PSH         COD  - C -Bank Care Flag
      - R -Recirc. Flag              - N -Non-cachable         - R -RST              - I -OrdIndep. Flag
      - F -Fragment Flag       CAP   - Capture Flag            - S -SYN              - D -Dynamic Flag
      - M -More Fragments      F-P   - FlowMask-Prior.         - F -FIN         T    - V(Value)/M(Mask)/R(Result)
X     - XTAG                   (*)   - Bank Priority
-------------------------------------------------------------------------------------------------------------------
Interface: 41 label: 6 lookup_type: 0
protocol: IP packet-type: 0
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
|T|Index| Dest Ip Addr | Source Ip Addr| DPort | SPort | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
+-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
Entries from Bank 0
V 18396 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
M 18404 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT rtr_rslt: L3_DENY_RESULT hit_cnt=0
Entries from Bank 1
V 36141 198.51.100.10 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0
M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
V 36142 203.0.113.40 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=4073 <-
V 36304 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
M 36305 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*) hit_cnt=197546 <-
V 36828 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
M 36836 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=231
Switch#
Any pointers appreciated. :-)
--
Peter
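Added example (not part of Peter's post or of any Cisco tool): a small parser for the "show tcam interface ... acl in ip detail" output pasted above, so the V/M/R triplets can be correlated with hit counters and a given destination address can be traced to the TCAM entry it hits. The input is the author's own output, embedded as a constructed sample. Two assumptions are made and marked in the code: the displayed order within a bank is taken as the lookup order, and priority between banks (the "(*)" marker in the legend) is not modelled. An ACL deny that ends up on the CPU instead of in hardware is a control-plane load problem, so knowing exactly which ACE is taking the hits is the first thing to establish.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the entry section of the 'show tcam interface vlan41
# acl in ip detail' output from the post (addresses as sanitized there).
SAMPLE = """\
Entries from Bank 0
V 18396 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
M 18404 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT rtr_rslt: L3_DENY_RESULT hit_cnt=0
Entries from Bank 1
V 36141 198.51.100.10 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0
M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
V 36142 203.0.113.40 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=4073 <-
V 36304 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
M 36305 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*) hit_cnt=197546 <-
V 36828 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
M 36836 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=231
"""


@dataclass
class TcamEntry:
    bank: int
    index: int
    dst: str        # destination value from the V line
    src: str        # source value from the V line
    dst_mask: str   # destination mask from the M line
    src_mask: str   # source mask from the M line
    rslt: str
    rtr_rslt: str
    hit_cnt: int

    def matches(self, dst_ip: str, src_ip: str = "0.0.0.0") -> bool:
        """Ternary match as a TCAM does it: (addr & mask) == (value & mask)."""
        def masked(addr: str, mask: str) -> int:
            return int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))
        return (masked(dst_ip, self.dst_mask) == masked(self.dst, self.dst_mask)
                and masked(src_ip, self.src_mask) == masked(self.src, self.src_mask))


BANK_RE = re.compile(r"^Entries from Bank (\d+)")
V_RE = re.compile(r"^V\s+(\d+)\s+(\S+)\s+(\S+)")
M_RE = re.compile(r"^M\s+(\d+)\s+(\S+)\s+(\S+)")
R_RE = re.compile(r"^R\s+rslt:\s+(\S+).*?rtr_rslt:\s+(\S+).*?hit_cnt=(\d+)")


def parse_tcam(text: str) -> List[TcamEntry]:
    """Group each V (value) / M (mask) / R (result) triplet into one entry."""
    entries: List[TcamEntry] = []
    bank: Optional[int] = None
    cur: Dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := BANK_RE.match(line):
            bank = int(m.group(1))
        elif m := V_RE.match(line):
            cur = {"bank": bank, "index": int(m.group(1)), "dst": m.group(2), "src": m.group(3)}
        elif m := M_RE.match(line):
            cur.update(dst_mask=m.group(2), src_mask=m.group(3))
        elif m := R_RE.match(line):
            cur.update(rslt=m.group(1), rtr_rslt=m.group(2), hit_cnt=int(m.group(3)))
            entries.append(TcamEntry(**cur))
            cur = {}
    return entries


def first_match(entries: List[TcamEntry], dst_ip: str, bank: int,
                src_ip: str = "0.0.0.0") -> Optional[TcamEntry]:
    """First entry in the given bank that matches the packet.

    Assumption: displayed order within a bank is the lookup order. Priority
    between banks ('(*)' in the legend) is deliberately not modelled."""
    for e in entries:
        if e.bank == bank and e.matches(dst_ip, src_ip):
            return e
    return None


def hit_summary(entries: List[TcamEntry]) -> List[tuple]:
    """(index, rslt, hit_cnt) for every entry whose counter is non-zero."""
    return [(e.index, e.rslt, e.hit_cnt) for e in entries if e.hit_cnt > 0]


if __name__ == "__main__":
    tcam = parse_tcam(SAMPLE)
    for idx, rslt, hits in hit_summary(tcam):
        print(f"index {idx}: {rslt} hit_cnt={hits}")
    hit = first_match(tcam, "203.0.113.40", bank=1)
    print("203.0.113.40 ->", hit.index, hit.rslt, hit.hit_cnt)
```

Run against the pasted output, the deny for 203.0.113.40 (index 36142) is the only deny entry in bank 1 that is actually incrementing, which is the same entry the ERSPAN capture shows arriving at the RP. Comparing hit_cnt over two runs a few seconds apart gives the punt rate for that ACE without needing the capture at all.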