[c-nsp] ASR920: egress ACL on BDIs

Gert Doering gert at greenie.muc.de
Sun Jan 19 07:53:17 EST 2020


On Mon, Jan 20, 2020 at 12:28:25AM +1300, Nathan Ward wrote:
> > On 20/01/2020, at 12:22 AM, Gert Doering <gert at greenie.muc.de> wrote:
> > 
> > Now, IPv6 ACLs are not working right either, but they fail in different
> > ways - short ACLs seem to be working right, long ACLs fail-open, as in
> > "the platform claims it has been programmed, but all packets pass".  Yay.
> This is what happens on J ACX boxes.. stunningly bad behaviour :-(

Ewww.  Does it at least warn in a clearly visible way?

Our Aristas also like to run out of TCAM, but if that happens, a very
clear message is printed *and* the ACL config is not applied to the
interface (= you can see it in your RANCID diffs).


"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert at greenie.muc.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 630 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20200119/2d0c3b43/attachment.sig>

More information about the cisco-nsp mailing list