[c-nsp] ME3600X mLDP

Lukas Tribus luky-37 at hotmail.com
Fri Jul 10 11:07:50 EDT 2015


>> - all the forwarding logic that is implemented in hardware (DON'T
>> rx/tx on STP/REP blocked ports or disabled/not allowed Vlans, DO
>> forward even if the traffic is double tagged, DO forward and bypass
>> security if this feature is not enabled on this particular Vlan/PW,
>> etc.) needs to be replicated in software
>
> But that means they are doing the *snooping* bits wrong in the first
> place already. It shouldn't "grab the packet and give it exclusively
> to the CPU for snooping-and-forwarding" - but forward normally, and
> additionally hand it to the CPU for snooping...

Not sure if I got you there ...

DHCP Snooping is also supposed to drop certain requests/responses, like
a bogus DHCP server on an untrusted port, or to insert option 82 in the
DHCP request. Therefore you can't just forward in hardware and "learn"
the leases in software (like mac address learning), but you have to take
forward/drop/modify decisions in software.


Lukas
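
The forward/drop/modify decision described above, as an added sketch (not part of the original post and not Cisco's implementation): every DHCP payload on a snooped VLAN needs a verdict before it can leave the box. The rule set, the function names `walk_options`, `decide` and `build_sample`, and the circuit-id value are illustrative assumptions.

```python
MAGIC = bytes.fromhex("63825363")   # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2, 5, 6}            # option 53 values: OFFER, ACK, NAK

def walk_options(pkt):
    """Return ({code: value}, index of the end option) for a DHCP payload."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                         # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        opts[pkt[i]] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    return opts, i

def decide(pkt, trusted, snooping_enabled, circuit_id=b"Gi01"):
    """Return (action, payload); action is 'forward', 'drop' or 'modify'."""
    if not snooping_enabled:                    # feature off on this VLAN: pass untouched
        return "forward", pkt
    try:
        opts, end = walk_options(pkt)
    except ValueError:
        return "drop", None                     # unparseable DHCP on a snooped VLAN
    if trusted:
        return "forward", pkt
    mtype = opts.get(53, b"")
    if len(mtype) != 1 or mtype[0] in SERVER_TYPES:
        return "drop", None                     # server reply from an untrusted port
    if 82 in opts:
        return "drop", None                     # assumed policy: no client-supplied option 82
    sub = bytes([1, len(circuit_id)]) + circuit_id      # sub-option 1 = circuit ID
    opt82 = bytes([82, len(sub)]) + sub
    return "modify", pkt[:end] + opt82 + b"\xff"        # re-terminate with end option

def build_sample(msg_type):
    """Constructed minimal DHCP payload carrying only option 53."""
    op = 2 if msg_type in SERVER_TYPES else 1
    return bytes([op, 1, 6, 0]) + bytes(232) + MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    for mtype, trusted in [(2, False), (2, True), (1, False)]:
        print(mtype, trusted, decide(build_sample(mtype), trusted, True)[0])
```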

 		 	   		  

