[c-nsp] Sup2T and sampled netflow with inbound ACL on SVI

Chris Griffin cgriffin at flrnet.org
Thu Feb 5 10:17:46 EST 2015 

Believe it or not, this is [currently] expected behavior:

https://tools.cisco.com/bugsearch/bug/CSCui78690

I haven't seen any movement on fixing [enhancing] this behavior, and it 
makes deploying FNF somewhat dangerous.  Routed subinterfaces or using 
the workaround make work.  I haven't tested them.

Tnx
Chris

On 02/05/2015 07:21 AM, Jiri Prochazka wrote:
> Hi,
>
> I'd like to use sampled netflow and inbound L3 ACL together on SVI on
> Cat7600/Sup2T platform and I am having no luck getting this super-basic
> thing done.
>
> As soon as those two functions are being enabled, inbound traffic gets
> switched in software.
>
> As soon as I do not use either sampled netflow or inbound acl,
> everything works as expected.
>
> But combination of those two results in software switched in software.
>
> Config ->
>
> interface Vlan998
>   description SVI-of-Vlan998
>   ip address 192.168.1.1 255.255.255.252
>   ip access-group acl_deny_in in
>   no ip redirects
>   no ip unreachables
>   no ip proxy-arp
>   ip flow monitor MONITOR-NETWORK-IN sampler SAMPLER input
>
> %FMCORE-4-RACL_REDUCED: Interface Vlan998 routed traffic will be
> software switched in ingress direction.
>          L2 features may not be applied at the interface
>
>
> When I remove either 'ip access-group acl_deny_in in' or 'ip flow
> monitor MONITOR-NETWORK-IN sampler SAMPLER input' I get notofication
> about traffic being switched in hardware. When I use unsampled netflow,
> it works too.
>
> %FMCORE-6-RACL_ENABLED: Interface Vlan998 routed traffic is hardware
> switched in ingress direction
>
>
> The very same setup on L3 interface itself is working absolutely OK.
>
>
> What am I missing?
>
>
>
>
>
> Thanks!
>
>
>
> Jiri
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


-- 
Chris Griffin                           cgriffin at ufl.edu
Network Architect                       Phone: (352) 273-1051
UFIT - Network Services                 Fax:   (352) 392-9440
University of Florida/FLR               Gainesville, FL 32611

More information about the cisco-nsp mailing list