[c-nsp] ASR920: egress ACL on BDIs

Gert Doering gert at greenie.muc.de
Sun Jan 19 06:22:39 EST 2020


Hi,

replying to myself with a few... interesting... discoveries we've made
in the meantime...

On Mon, Dec 30, 2019 at 11:57:54AM +0100, Gert Doering wrote:
> quick question to the group - ACLs on BDIs on ASR920s, is this something
> known as something you want to stay away from?

TAC was not exactly helpful ("can you add a line to that ACL, and take
another one away, does it work now?" - I'm still waiting for a single
"let's see what is programmed in the hardware!" question...) - but that
uncovered quite an interesting effect...

Namely:

 - if I type in the ACL in question, line by line (or remove and re-add
   the non-working line from "conf term") things *work*

 - if I "bulk-config" the ACL by "copy tftp:$source running-config" or
   "rcp $source router:running-config" - which is what our ACL provisioning
   tool uses - things *fail*

So my gut says "it's related to the speed of updates" - push in changes
too fast (like, 100 lines in basically "a single instant"), and "something 
gets overrun".  We've now changed our ACL uploader to use SSH and put
the ACLs in line by line, and that seems to have fixed it for v4.  Maybe.


Now, IPv6 ACLs are not working right either, but they fail in different
ways - short ACLs seem to be working right, long ACLs fail-open, as in
"the platform claims it has been programmed, but all packets pass".  Yay.

Haven't figured out the trigger on that one yet - like "a certain
combination of protocol/port matches creates a pass-all rule instead"
(but didn't have much time).  Should be somewhat easy to bisect, "just
need time"...

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
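The two workarounds the mail describes, pushing the ACL one line at a time instead of in one bulk "copy ... running-config", and bisecting a long IPv6 ACL to find which entries trigger the fail-open, lend themselves to a small tool. The example below is added here and is not code from the post, from Cisco or from the author's provisioning tool; the ACL names and entries in SAMPLE_CONFIG are constructed, and the fail-open oracle is a stand-in for a real install-and-test cycle (a real oracle would install the candidate ACL and check whether a packet it must drop still gets through). The hardware behaviour it pretends to model is an assumption for the demo only.

```python
"""Helpers for paced ACL upload and for bisecting an ACL that fails open.
Added example, not from the c-nsp post or from Cisco; names are constructed."""
from typing import Callable, Dict, List, Sequence

# Constructed IOS-XE style ACL snippet; the names and entries are made up.
SAMPLE_CONFIG = """\
ip access-list extended V4-IN
 permit tcp any any established
 deny ip any any
!
ipv6 access-list V6-IN
 permit tcp any any established
 permit icmp any any
 permit tcp any any eq 80
 deny tcp any any range 1000 2000
 deny udp any any range 1000 2000
 deny ipv6 any any
"""

ACL_HEADERS = ("ip access-list ", "ipv6 access-list ")


def parse_acl_config(config: str) -> Dict[str, List[str]]:
    """Map each access-list header line to its ordered list of ACEs.
    Header lines start a block, indented lines below are entries,
    '!' and blank lines are separators."""
    acls: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(ACL_HEADERS):
            current = line            # keep the full header so it can be replayed
            acls[current] = []
        elif current is not None and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            raise ValueError(f"line outside an access-list block: {line!r}")
    return acls


def line_by_line_commands(acls: Dict[str, List[str]]) -> List[str]:
    """Flatten parsed ACLs into the command sequence a paced uploader sends:
    the header once, each ACE as its own command, then 'exit'."""
    commands: List[str] = []
    for header, aces in acls.items():
        commands.append(header)
        commands.extend(aces)
        commands.append("exit")
    return commands


def push_paced(commands: Sequence[str], send: Callable[[str], None],
               pause: Callable[[float], None], delay: float = 0.2) -> int:
    """Send one command at a time with a delay between them; returns the count.
    `send` and `pause` are injected (an SSH channel write and time.sleep in
    production) so the sequencing can be exercised offline."""
    for cmd in commands:
        send(cmd)
        pause(delay)
    return len(commands)


def ddmin(aces: Sequence[str], fails: Callable[[List[str]], bool]) -> List[str]:
    """Delta-debugging minimisation (Zeller's ddmin) over ACL entries.
    `fails(candidate)` returns True when the candidate ACL, installed alone,
    shows the failure being hunted. Returns a 1-minimal failing subset in
    original order; each oracle call is one install-and-test cycle."""
    items = list(aces)
    if not fails(items):
        raise ValueError("the full ACL does not reproduce the failure")
    n = 2
    while len(items) >= 2:
        bounds = [round(i * len(items) / n) for i in range(n + 1)]
        subsets = [items[bounds[i]:bounds[i + 1]] for i in range(n)]
        reduced = None
        for sub in subsets:                      # 1. a subset alone fails
            if sub and fails(sub):
                reduced, n = sub, 2
                break
        if reduced is None:                      # 2. a complement fails
            for i in range(n):
                complement = items[:bounds[i]] + items[bounds[i + 1]:]
                if complement and fails(complement):
                    reduced, n = complement, max(n - 1, 2)
                    break
        if reduced is None:                      # 3. refine granularity
            if n >= len(items):
                break
            n = min(n * 2, len(items))
        else:
            items = reduced
    return items


def fail_open_oracle_example(candidate: List[str]) -> bool:
    """Constructed stand-in oracle: pretend the hardware fails open only when
    these two entries are programmed together. Assumption for the demo only."""
    return ("permit tcp any any eq 80" in candidate
            and "deny udp any any range 1000 2000" in candidate)


if __name__ == "__main__":
    parsed = parse_acl_config(SAMPLE_CONFIG)
    push_paced(line_by_line_commands(parsed), print, lambda _d: None)
    print(ddmin(parsed["ipv6 access-list V6-IN"], fail_open_oracle_example))
```

ddmin needs far fewer install-and-test cycles than trying every pair of entries on a 100-line ACL, and because it only ever removes entries, the result is an ACL the box actually accepted; whatever the real oracle measures (a known-blocked probe getting through, or "show" output disagreeing with what was sent) stays outside this code.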