[c-nsp] Sup720 SVI ACL deny punted? (no logging)

Brian Turnbow b.turnbow at twt.it
Wed Aug 29 07:09:58 EDT 2012


A couple of ideas:

1. To generate an IP unreachable? Try disabling them on the SVI.
2. I remember something about ACL and NetFlow (punts to create flows), but it was Sup-2. I'm not sure if it still applies to Sup-720.

Brian 


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Wednesday, 29 August 2012 11:18
> To: cisco-nsp
> Subject: [c-nsp] Sup720 SVI ACL deny punted? (no logging)
> 
> Good morning all,
> 
> I'm stumped researching a slightly overloaded Supervisor 720 on one of our
> aggregation devices. I've discovered that an access-list applied to an SVI
> means denied packets are punted to the CPU. There's no log statement. The
> packets have no IP options, TTL=64, DSCP=0x28 and frame length 60 bytes.
> 
> When I create an ERSPAN session capturing "source cpu rp tx" I see all the
> packets that are denied. As soon as I remove the ACL from the SVI I don't
> see the packets. (The destination host does not exist, but the network in
> question is not connected to this device.)
> 
> Shouldn't the Sup720 always be able to deny things in hardware? Does
> anybody know how to see exactly why the packets are punted?
> 
> Example packet captured via ERSPAN:
> 
>  10:59:30.790477 00:1e:ca:ed:45:7f > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 60:
>     (tos 0xa0, ttl  64, id 8722, offset 0, flags [none], proto: UDP (17), length: 41)
>     192.0.2.205.5001 > 203.0.113.40.5000: UDP, length 13
> 
> Configuration and output from show commands follows, addresses replaced:
> 
> 
> ip access-list extended petrat-telefoni-temp
>  deny   ip any host 198.51.100.10
>  deny   ip any host 203.0.113.40
>  permit ip any any
> !
> interface Vlan41
>  description SKS IP-telefoner
>  ip vrf forwarding TDC02401
>  ip address 192.0.2.2 255.255.255.0
>  ip access-group petrat-telefoni-temp in
>  ip helper-address 172.
>  ip helper-address 10.85.45.30
>  no ip redirects
>  no ip proxy-arp
>  ip flow ingress
>  ntp disable
>  standby 2 ip 192.0.2.1
>  standby 2 timers 1 3
>  standby 2 priority 140
>  standby 2 preempt delay minimum 20 reload 300
>  standby 2 authentication md5 key-string 7 <hidden>
>  standby 2 track 1 decrement 50
>  standby 2 track 5 decrement 50
>  hold-queue 256 in
> !
> 
> 
> Switch#sh tcam interface vlan41 acl in ip detail
> * Global Defaults not shared
> 
> -------------------------------------------------------------------------------------------------------------------
> DPort - Destination Port   SPort - Source Port        TCP-F - U -URG   Pro   - Protocol
> I     - Inverted LOU       TOS   - TOS Value                - A -ACK   rtr   - Router
> MRFM  - M -MPLS Packet     TN    - T -Tcp Control           - P -PSH   COD   - C -Bank Care Flag
>       - R -Recirc. Flag          - N -Non-cachable          - R -RST         - I -OrdIndep. Flag
>       - F -Fragment Flag   CAP   - Capture Flag             - S -SYN         - D -Dynamic Flag
>       - M -More Fragments  F-P   - FlowMask-Prior.          - F -FIN   T     - V(Value)/M(Mask)/R(Result)
> X     - XTAG               (*)   - Bank Priority
> -------------------------------------------------------------------------------------------------------------------
> 
> Interface: 41   label: 6   lookup_type: 0
> protocol: IP   packet-type: 0
> 
> +-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
> |T|Index|  Dest Ip Addr | Source Ip Addr|     DPort     |     SPort     | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
> +-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
> 
> Entries from Bank 0
> 
>  V 18396         0.0.0.0         0.0.0.0       P=0             P=0        ------   0 ---- 0   0 -- --- 0-0
>  M 18404         0.0.0.0         0.0.0.0         0               0        ------   0 ---- 0   0
>  R rslt: L3_DENY_RESULT                rtr_rslt: L3_DENY_RESULT                hit_cnt=0
> 
> Entries from Bank 1
> 
>  V 36141   198.51.100.10         0.0.0.0       P=0             P=0        ------   0 ---- 0   0 -- C-- 1-0
>  M 36143 255.255.255.255         0.0.0.0         0               0        ------   0 ---- 0   0
>  R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)            hit_cnt=0
> 
>  V 36142    203.0.113.40         0.0.0.0       P=0             P=0        ------   0 ---- 0   0 -- C-- 1-0  <-
>  M 36143 255.255.255.255         0.0.0.0         0               0        ------   0 ---- 0   0             <-
>  R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)            hit_cnt=4073  <-
> 
>  V 36304         0.0.0.0         0.0.0.0       P=0             P=0        ------   0 ---- 0   0 -- C-- 1-0  <-
>  M 36305         0.0.0.0         0.0.0.0         0               0        ------   0 ---- 0   0             <-
>  R rslt: PERMIT_RESULT (*)             rtr_rslt: PERMIT_RESULT (*)             hit_cnt=197546  <-
> 
>  V 36828         0.0.0.0         0.0.0.0       P=0             P=0        ------   0 ---- 0   0 -- --- 0-0
>  M 36836         0.0.0.0         0.0.0.0         0               0        ------   0 ---- 0   0
>  R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)            hit_cnt=231
> 
> 
> Switch#
> 
> Any pointers appreciated. :-)
> 
> --
> Peter
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
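Peter's `<-` markers point at the one thing that settles "which ACE is the hardware actually matching": the per-entry `hit_cnt` in `show tcam interface <svi> acl in ip detail`. The following is an added example, not code from the thread or from Cisco: a small Python parser for that output that groups each V/M/R record, re-joins the line-wrapped form the dump arrives in when pasted into mail (the CLI itself prints each record on one line, and that form is accepted too), and ranks the deny entries by hit counter. The sample is the dump from the mail above, embedded as a constructed string; only the T/Index/Dest/Source columns, the mask and the result line are interpreted, the remaining columns are carried along unparsed. Reading the counters this way shows whether the ACL deny is being applied in hardware before anyone starts chasing punt reasons on the CPU.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the dump from the mail, kept with the mail client's line
# wrapping so the parser has to re-assemble each V/M/R record from fragments.
SAMPLE = """\
Entries from Bank 0

 V 18396         0.0.0.0         0.0.0.0       P=0             P=0        -
-----   0 ---- 0   0 -- --- 0-0
 M 18404         0.0.0.0         0.0.0.0         0               0        -
-----   0 ---- 0   0
 R rslt: L3_DENY_RESULT                rtr_rslt: L3_DENY_RESULT
hit_cnt=0

Entries from Bank 1

 V 36142    203.0.113.40         0.0.0.0       P=0             P=0        -
-----   0 ---- 0   0 -- C-- 1-0  <-
 M 36143 255.255.255.255         0.0.0.0         0               0        -
-----   0 ---- 0   0             <-
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)
hit_cnt=4073  <-

 V 36304         0.0.0.0         0.0.0.0       P=0             P=0        -
-----   0 ---- 0   0 -- C-- 1-0  <-
 M 36305         0.0.0.0         0.0.0.0         0               0        -
-----   0 ---- 0   0             <-
 R rslt: PERMIT_RESULT (*)             rtr_rslt: PERMIT_RESULT (*)
hit_cnt=197546  <-

 V 36828         0.0.0.0         0.0.0.0       P=0             P=0        -
-----   0 ---- 0   0 -- --- 0-0
 M 36836         0.0.0.0         0.0.0.0         0               0        -
-----   0 ---- 0   0
 R rslt: L3_DENY_RESULT (*)            rtr_rslt: L3_DENY_RESULT (*)
hit_cnt=231
"""

# Result line: "R rslt: <name> [(*)]   rtr_rslt: <name> [(*)]   hit_cnt=<n>"
R_RE = re.compile(r"rslt:\s*(\w+)(?:\s*\(\*\))?\s+rtr_rslt:\s*(\w+)(?:\s*\(\*\))?\s+hit_cnt=(\d+)")


@dataclass
class TcamEntry:
    bank: Optional[int]
    index: int
    dst: str
    src: str
    dst_mask: str = "0.0.0.0"  # TCAM mask: 255.255.255.255 = exact host, 0.0.0.0 = any
    src_mask: str = "0.0.0.0"
    rslt: str = ""
    hit_cnt: int = 0


def parse_tcam(text: str) -> List[TcamEntry]:
    """One TcamEntry per V/M/R record, in TCAM order; wrapped lines are re-joined."""
    entries: List[TcamEntry] = []
    bank: Optional[int] = None
    cur: Optional[TcamEntry] = None
    pending: Optional[str] = None  # V/M/R line still being assembled from fragments

    def flush() -> None:
        nonlocal pending, cur
        if pending is None:
            return
        tok, line = pending.split(), pending
        pending = None
        if tok[0] == "V":  # value line: index, destination, source
            cur = TcamEntry(bank, int(tok[1]), tok[2], tok[3])
            entries.append(cur)
        elif tok[0] == "M" and cur is not None:  # mask line for the value above
            cur.dst_mask, cur.src_mask = tok[2], tok[3]
        elif tok[0] == "R" and cur is not None:  # result line carries the hit counter
            m = R_RE.search(line)
            if m:
                cur.rslt, cur.hit_cnt = m.group(1), int(m.group(3))

    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("Entries from Bank"):
            flush()
            bank = int(s.split()[-1])
        elif s[:2] in ("V ", "M ", "R "):
            flush()  # a new record starts, so the previous one is complete
            pending = s
        elif not s:
            flush()  # a blank line also terminates a wrapped record
        elif pending is not None:
            pending += " " + s  # continuation fragment of a wrapped record
    flush()
    return entries


def describe(addr: str, mask: str) -> str:
    """Render a TCAM value/mask pair the way the ACL source would read."""
    if mask == "255.255.255.255":
        return f"host {addr}"
    return "any" if mask == "0.0.0.0" else f"{addr} mask {mask}"


def hot_denies(entries: List[TcamEntry], min_hits: int = 1) -> List[TcamEntry]:
    """Deny entries the hardware is actually matching, busiest first."""
    hits = [e for e in entries if "DENY" in e.rslt and e.hit_cnt >= min_hits]
    return sorted(hits, key=lambda e: e.hit_cnt, reverse=True)


if __name__ == "__main__":
    for e in hot_denies(parse_tcam(SAMPLE)):
        print(f"bank {e.bank} idx {e.index} {e.rslt} hits={e.hit_cnt} "
              f"dst={describe(e.dst, e.dst_mask)} src={describe(e.src, e.src_mask)}")
```

Run against the sample it lists the `host 203.0.113.40` deny (4073 hits) first and the bank 1 implicit `any` deny (231 hits) second, and leaves out the permit entry and the zero-hit defaults. A non-zero counter on a deny ACE confirms the drop decision is made in the TCAM; that is the baseline to have before reasoning about why the same frames still show up on `source cpu rp tx`.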

