[c-nsp] VLAN Interfaces and ACLs on a 7600....am I losing my mind?
Mark Tinka
mark.tinka at seacom.mu
Mon Sep 17 01:25:44 EDT 2012
On Wednesday, July 11, 2012 11:32:10 PM John Neiberger wrote:
> I opened up a TAC case on this and they immediately knew
> what the problem was. We have "platform ip features
> sequential" configured because of the way we use DSCP.
> However, that causes incoming packets to be recirculated
> through whatever processes it runs them through, which
> has the side effect of running them through the SVI.
> Since the SVI has an ACL, that ACL applies to all L2
> traffic on the VLAN if we have "platform ip features
> sequential" configured. I removed it for testing and
> everything immediately began to work. The solution is to
> add a permit statement for traffic staying within the
> VLAN.
I have seen this behaviour on ME3600Xs running FCS code, in
a core switching role where the SVIs are used primarily for
management access to the switches.
We found that traffic which was being migrated from private
to public addresses sometimes failed when crossing these
core switches, as we were filtering RFC 1918 address space
from being able to access the management interface of these
switches (IP). What was interesting is that all the blocked
traffic was transit (Layer 2) traffic, and yet the switch
acted on Layer 3 information for the payload.
Fixing the ACLs was the solution. I did open a case with
our SE, but I've since left the company and haven't followed
up.
I will add that the ME3600X did not support the 'platform ip
features sequential' command, unless its capability was
implied, which I'd find odd.
Mark.
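The following configuration is an added illustration of the two ACLs discussed in this thread; it is not taken from the original posts or from any Cisco documentation. The VLAN number, subnet and management address are constructed placeholders. The first ACL is the over-broad form that, with "platform ip features sequential" configured on a 7600, ends up matching Layer 2 transit traffic that is recirculated through the SVI; the second puts a permit for traffic that stays within the VLAN ahead of the RFC 1918 denies, which is the fix John describes. Because IOS ACLs are evaluated first-match, the intra-VLAN permit must come before the deny entries or it has no effect.

```cisco
! Added example, not part of the thread. Addresses are constructed:
! VLAN 100 carries 10.1.100.0/24; the SVI (switch management address) is 10.1.100.1.
!
! Over-broad ACL: intended to keep RFC 1918 sources off the management
! interface, but with "platform ip features sequential" the recirculated
! Layer 2 traffic is also checked here, so intra-VLAN traffic from any
! 10.0.0.0/8 source is dropped by the first deny.
ip access-list extended MGMT-IN-BROKEN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! Corrected ACL: first permit traffic whose source and destination are
! both inside the VLAN's own subnet (it never needed Layer 3 filtering),
! then deny RFC 1918 sources only towards the management address itself.
ip access-list extended MGMT-IN
 permit ip 10.1.100.0 0.0.0.255 10.1.100.0 0.0.0.255
 deny   ip 10.0.0.0 0.255.255.255 host 10.1.100.1
 deny   ip 172.16.0.0 0.15.255.255 host 10.1.100.1
 deny   ip 192.168.0.0 0.0.255.255 host 10.1.100.1
 permit ip any any
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
 ip access-group MGMT-IN in
!
! The global setting from the thread that causes the recirculation.
platform ip features sequential
```

After applying the corrected ACL, "show ip access-lists MGMT-IN" shows hit counts on the intra-VLAN permit line; if that counter stays at zero while hosts in the VLAN still cannot reach each other, the permit is either below a deny that matches first or the subnet in it does not match the VLAN's addressing.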