[c-nsp] Sup720 SVI ACL deny punted? (no logging)
Jared Mauch
jared at puck.nether.net
Wed Aug 29 08:33:57 EDT 2012
What are your mls rate limiters set for, including the no-route one?
Jared Mauch
On Aug 29, 2012, at 5:17 AM, Peter Rathlev <peter at rathlev.dk> wrote:
> Good morning all,
>
> I'm stumped researching a slightly overloaded Supervisor 720 on one of
> our aggregation devices. I've discovered that an access-list applied to
> a SVI means denied packets are punted to the CPU. There's no log
> statement. The packets have no IP options, TTL=64, DSCP=0x28 and frame
> length 60 bytes.
>
> When I create an ERSPAN session capturing "source cpu rp tx" I see all
> the packets that are denied. As soon as I remove the ACL from the SVI I
> don't see the packets. (The destination host does not exist but the
> network in question is not connected to this device.)
>
> Shouldn't the Sup720 always be able to deny things in hardware? Does
> anybody know how to see exactly why the packets are punted?
>
> Example packet captured via ERSPAN:
>
> 10:59:30.790477 00:1e:ca:ed:45:7f > 00:00:0c:07:ac:02, ethertype IPv4 (0x0800), length 60:
> (tos 0xa0, ttl 64, id 8722, offset 0, flags [none], proto: UDP (17), length: 41)
> 192.0.2.205.5001 > 203.0.113.40.5000: UDP, length 13
>
> Configuration and output from show commands follows, addresses replaced:
>
>
> ip access-list extended petrat-telefoni-temp
> deny ip any host 198.51.100.10
> deny ip any host 203.0.113.40
> permit ip any any
> !
> interface Vlan41
> description SKS IP-telefoner
> ip vrf forwarding TDC02401
> ip address 192.0.2.2 255.255.255.0
> ip access-group petrat-telefoni-temp in
> ip helper-address 172.
> ip helper-address 10.85.45.30
> no ip redirects
> no ip proxy-arp
> ip flow ingress
> ntp disable
> standby 2 ip 192.0.2.1
> standby 2 timers 1 3
> standby 2 priority 140
> standby 2 preempt delay minimum 20 reload 300
> standby 2 authentication md5 key-string 7 <hidden>
> standby 2 track 1 decrement 50
> standby 2 track 5 decrement 50
> hold-queue 256 in
> !
>
>
> Switch#sh tcam interface vlan41 acl in ip detail
> * Global Defaults not shared
>
> -------------------------------------------------------------------------------------------------------------------
> DPort - Destination Port SPort - Source Port TCP-F - U -URG Pro - Protocol
> I - Inverted LOU TOS - TOS Value - A -ACK rtr - Router
> MRFM - M -MPLS Packet TN - T -Tcp Control - P -PSH COD - C -Bank Care Flag
> - R -Recirc. Flag - N -Non-cachable - R -RST - I -OrdIndep. Flag
> - F -Fragment Flag CAP - Capture Flag - S -SYN - D -Dynamic Flag
> - M -More Fragments F-P - FlowMask-Prior. - F -FIN T - V(Value)/M(Mask)/R(Result)
> X - XTAG (*) - Bank Priority
> -------------------------------------------------------------------------------------------------------------------
>
>
>
>
> Interface: 41 label: 6 lookup_type: 0
> protocol: IP packet-type: 0
>
> +-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
> |T|Index| Dest Ip Addr | Source Ip Addr| DPort | SPort | TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
> +-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
>
> Entries from Bank 0
>
> V 18396 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
> M 18404 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
> R rslt: L3_DENY_RESULT rtr_rslt: L3_DENY_RESULT hit_cnt=0
>
>
> Entries from Bank 1
>
> V 36141 198.51.100.10 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0
> M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0
> R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0
>
> V 36142 203.0.113.40 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
> M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
> R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=4073 <-
>
> V 36304 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
> M 36305 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
> R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*) hit_cnt=197546 <-
>
> V 36828 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
> M 36836 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
> R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=231
>
>
> Switch#
>
> Any pointers appreciated. :-)
>
> --
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
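As an added aid for working through a case like the one Peter describes (not code from the thread or from Cisco), the script below parses the V/M/R triplets of `show tcam interface <svi> acl in ip detail` output, lists deny entries that are actually being hit, and reports which TCAM entries a given destination address (for instance the one seen in the ERSPAN capture) falls under. The sample input is constructed from the format quoted above; the mask semantics (255.255.255.255 = exact match on the value, 0.0.0.0 = don't care) are an assumption about how to read the M line, and no claim is made about the ASIC's lookup order between banks.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the "show tcam interface vlan41 acl in ip detail"
# output quoted in the thread (documentation addresses, as used there).
# Not a capture from a real device.
SAMPLE_TCAM = """\
Entries from Bank 0

V 18396 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- --- 0-0
M 18404 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT rtr_rslt: L3_DENY_RESULT hit_cnt=0

Entries from Bank 1

V 36141 198.51.100.10 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0
M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=0

V 36142 203.0.113.40 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
M 36143 255.255.255.255 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*) hit_cnt=4073 <-

V 36304 0.0.0.0 0.0.0.0 P=0 P=0 ------ 0 ---- 0 0 -- C-- 1-0 <-
M 36305 0.0.0.0 0.0.0.0 0 0 ------ 0 ---- 0 0 <-
R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*) hit_cnt=197546 <-
"""


@dataclass
class TcamEntry:
    bank: int
    index: int          # index of the V (value) line
    dst: str            # destination IP value
    dst_mask: str       # destination mask from the M line
    src: str
    src_mask: str
    result: str         # e.g. L3_DENY_RESULT or PERMIT_RESULT
    bank_priority: bool # "(*)" present on the R line
    hit_cnt: int


BANK_RE = re.compile(r"^Entries from Bank (\d+)")
V_RE = re.compile(r"^V\s+(\d+)\s+(\S+)\s+(\S+)")
M_RE = re.compile(r"^M\s+(\d+)\s+(\S+)\s+(\S+)")
R_RE = re.compile(r"^R\s+rslt:\s+(\S+)(\s+\(\*\))?.*?hit_cnt=(\d+)")


def parse_tcam(text: str) -> List[TcamEntry]:
    """Collect each V/M/R triplet into a TcamEntry, tracking the current bank."""
    entries: List[TcamEntry] = []
    bank = -1
    pending_v: Optional[Tuple[int, str, str]] = None
    pending_m: Optional[Tuple[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BANK_RE.match(line)):
            bank = int(m.group(1))
        elif (m := V_RE.match(line)):
            pending_v = (int(m.group(1)), m.group(2), m.group(3))
        elif (m := M_RE.match(line)):
            pending_m = (m.group(2), m.group(3))
        elif (m := R_RE.match(line)) and pending_v and pending_m:
            entries.append(TcamEntry(
                bank, pending_v[0], pending_v[1], pending_m[0],
                pending_v[2], pending_m[1], m.group(1),
                m.group(2) is not None, int(m.group(3))))
            pending_v = pending_m = None
    return entries


def _masked_match(value: str, mask: str, probe: str) -> bool:
    # Assumption: a 1 bit in the mask means "compare this bit", a 0 bit means "don't care".
    v = int(ipaddress.IPv4Address(value))
    m = int(ipaddress.IPv4Address(mask))
    p = int(ipaddress.IPv4Address(probe))
    return (p & m) == (v & m)


def deny_entries_with_hits(entries: List[TcamEntry]) -> List[TcamEntry]:
    """Deny ACEs whose hit counter is non-zero: these are the drops actually happening."""
    return [e for e in entries if e.result.endswith("DENY_RESULT") and e.hit_cnt > 0]


def entries_matching_dst(entries: List[TcamEntry], dst_ip: str) -> List[TcamEntry]:
    """All entries whose destination value/mask cover dst_ip, in listed order."""
    return [e for e in entries if _masked_match(e.dst, e.dst_mask, dst_ip)]


if __name__ == "__main__":
    parsed = parse_tcam(SAMPLE_TCAM)
    for e in deny_entries_with_hits(parsed):
        print(f"deny hit: bank {e.bank} idx {e.index} dst {e.dst} hits {e.hit_cnt}")
    # Destination seen in the ERSPAN capture from the thread
    for e in entries_matching_dst(parsed, "203.0.113.40"):
        print(f"matches 203.0.113.40: idx {e.index} {e.result} prio={e.bank_priority}")
```

Run against the real output of the same show command (paste it in place of `SAMPLE_TCAM`, or read it from a file) and compare the deny hit counters before and after removing the ACL; a deny entry whose counter climbs while the ERSPAN `source cpu rp tx` session still shows the packets is the one worth correlating with the `mls rate-limit` and CPU counters Jared asks about.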