[c-nsp] Drop rule at the end of CoPP conflicts with MAC learning

"Rolf Hanßen" nsp at rhanssen.de
Fri Jun 28 09:05:38 EDT 2013


Hi,

no egress ACL.
On the box I tested there is no ACL bound to any interface at all, only
some in copp classes and one for the line vty.

regards
Rolf

> On 28/06/13 13:14, "Rolf Hanßen" wrote:
>> Hello,
>>
>> thanks for the info, but that does not help in my case; I just tried it out.
>>
>> The link confirms:
>> "if traffic matches a special-case rate limiter, it is never compared
>> against the hardware CoPP policy. It will only be compared against the
>> software CoPP policy"
>
> Hmph. That's odd. I thought we had come to the conclusion that MLS
> rate-limiters circumvented *all* CoPP, hardware & software.
>
> Do you have egress ACLs? Have you read this:
>
> http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_m2.html#wp1036022
>
> """
> If you enable the CEF rate limiters, the following behaviors occur (if
> the behavior that is listed is unacceptable, disable the CEF rate
> limiters):
>
> •If a packet hits a glean/receive adjacency, the packet may be dropped
> instead of being sent to the software if there is an output ACL on the
> input VLAN and the matched entry result is deny.
> """
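The thread turns on the interaction the quoted document describes: packets that hit one of the special-case MLS rate limiters are handled by that limiter and never reach the hardware CoPP policy, so a catch-all drop class in CoPP does not see them. The configuration below is an added illustration, not from either poster, of a CoPP policy that ends in a drop class alongside the CEF glean/receive rate limiters. The class names, ACL names, rate values and interface are assumptions chosen for the example; the command syntax is Catalyst 6500-style IOS as I remember it and should be checked against the command reference for the platform and release in use before it is applied.

```cisco
! --- Added example (assumed names and rates), not configuration from the thread ---
! Traffic explicitly expected at the control plane.
ip access-list extended COPP-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ip access-list extended COPP-MGMT
 permit tcp any any eq 22
 permit udp any any eq snmp

class-map match-any COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT

! Final class-default polices everything else to zero: the "drop rule at the end".
policy-map COPP
 class COPP-ROUTING
  police 4000000 conform-action transmit exceed-action drop
 class COPP-MGMT
  police 1000000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action drop exceed-action drop

control-plane
 service-policy input COPP

! Special-case rate limiters. Per the quoted Cisco text, packets that match these
! are never compared against the hardware CoPP policy, only the software policy,
! so the class-default drop above does not apply to glean/receive-adjacency hits.
! Disabling them is what the quoted text suggests if that behaviour is unwanted.
mls rate-limit unicast cef glean 1000 10
mls rate-limit unicast cef receive 5000 50

! Verification: confirm which limiters are active and what CoPP actually counts.
! show mls rate-limit
! show policy-map control-plane
```

When reading the counters, a class-default drop count that stays flat while `show mls rate-limit` shows glean or receive hits climbing is the visible symptom of the bypass the thread is discussing; that is the check to run before concluding that the drop class itself is misbehaving.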