[c-nsp] ASR920: egress ACL on BDIs

Christian Meutes christian at errxtx.net
Sun Jan 19 06:39:18 EST 2020


On Sun 19. Jan 2020 at 12:23, Gert Doering <gert at greenie.muc.de> wrote:

> replying to myself with a few... interesting... discoveries we've made
> in the meantime...
> On Mon, Dec 30, 2019 at 11:57:54AM +0100, Gert Doering wrote:
> > quick question to the group - ACLs on BDIs on ASR920s, is this something
> > known as something you want to stay away from?
> TAC was not exactly helpful ("can you add a line to that ACL, and take
> another one away, does it work now?" - I'm still waiting for a single
> "let's see what is programmed in the hardware!" question...) - but that
> uncovered quite an interesting effect...
> Namely:
>  - if I type in the ACL in question, line by line (or remove and re-add
>    the non-working line from "conf term") things *work*
>  - if I "bulk-config" the ACL by "copy tftp:$source running-config" or
>    "rcp $source router:running-config" - which is what our ACL provisioning
>    tool uses - things *fail*
> So my gut says "it's related to the speed of updates" - push in changes
> too fast (like, 100 lines in basically "a single instant"), and "something
> gets overrun".  We've now changed our ACL uploader to use SSH and put
> the ACLs in line by line, and that seems to have fixed it for v4.  Maybe.
> Now, IPv6 ACLs are not working right either, but they fail in different
> ways - short ACLs seem to be working right, long ACLs fail-open, as in
> "the platform claims it has been programmed, but all packets pass".  Yay.
> Haven't figured out the trigger on that one yet - like "a certain
> combination of protocol/port matches creates a pass-all rule instead"
> (but didn't have much time).  Should be somewhat easy to bisect, "just
> need time"...

if you use „copy src dst“ then a „no $something“ line right in the
beginning of a new block of configuration lines (eg. for being used to
first deconfigure the whole ACL block and then to reapply it again) might
miss to apply the „no ...“ initially first, which will lead to a merge
behavior instead of a full ACL replace.

This bug not only affects ACLs but other commands as well. Unsure if it is
fixed in newest XE versions. Could this also affect you?



More information about the cisco-nsp mailing list