[c-nsp] Sup720 SVI ACL deny punted? (no logging)

Peter Rathlev peter at rathlev.dk
Wed Aug 29 09:35:57 EDT 2012


On Wed, 2012-08-29 at 11:09 +0000, Brian Turnbow wrote:
> 1 to generate an ip unreachable ? try disabling them on the SVI

Ahh, interesting idea. We have an ACL drop rate-limiter in place:

 mls rate-limit unicast ip icmp unreachable acl-drop 200 10

When replacing this with "... acl-drop 0" the punting stops. What
puzzles me a little is that putting "no ip unreachables" on the
interface doesn't change the punting, though it correctly makes the
interface not send unreachables.

If we know that the punting is limited to 200 pps it shouldn't matter
too much. I've tried simply removing the ACL to see if the CPU overload
disappears. But why would 200 pps even start making it sweat?

> 2 I remember something about acl and netflow (punts to create flows)
> but it was sup-2. I'm not sure if it still applies to sup-720

I was thinking somethink like this, but haven't been able to find
anything. A "show fm fie interface Vlan41" says FIE_SUCCESS_NO_CONFLICT
both with and without the ACL applied.

I guess the unreachable part is to blame, and I wouldn't want to disable
that anyway.

-- 
Peter




More information about the cisco-nsp mailing list