
[nsp] ACL leakage on VIP4
Folks,

Last week we discovered that traffic was leaking past our ACLs on our
campus entrance router. The leakage occurred on our 7507 for traffic
flowing through a VIP4-80 (OC-12 PA) linecard using named access lists.
We're running 12.0(19)S2.

The simple act of removing the named access list and reapplying it halted
the leakage, and it has not (yet) reoccurred. Cisco acknowledged a
previous report of this problem, which has a bugid: CSCdw75195

The bug report suggests the combination of VIP, named access lists, and
distributed CEF may be a factor. Of possible note is that when logged
into the VIP, running 'show access-list' returns all the standard and
extended access lists, but doesn't show any of the named access lists.
We are using compiled access lists. Still waiting to hear from Cisco on
the significance of this.

Has anyone else seen this?

mb
---
Mark Boolootian
UC Santa Cruz
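A check for the symptom described above, added here as an example and not part of the original thread: parse `show access-list` output collected from the RSP and from the VIP and report which lists the VIP is not showing. The header-line format and the sample output are constructed assumptions modelled on the post's description, not captured from a real router.

```python
import re

# Constructed sample output, modelled on the format of IOS 'show access-list'
# as the post describes it: the RSP lists every ACL, the VIP lists only the
# numbered (standard/extended) ones and omits the named list.
RSP_OUTPUT = """\
Standard IP access list 10
    permit 192.0.2.0, wildcard bits 0.0.0.255
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq www
Extended IP access list campus-in
    deny   ip 10.0.0.0 0.255.255.255 any
    permit ip any any
"""

VIP_OUTPUT = """\
Standard IP access list 10
    permit 192.0.2.0, wildcard bits 0.0.0.255
Extended IP access list 101
    permit tcp any host 192.0.2.10 eq www
"""

# Assumed header line shape: "<Standard|Extended> IP access list <number-or-name>"
ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")


def acl_names(show_output):
    """Return the set of ACL identifiers (numbers or names) found in a dump."""
    return {m.group(2) for line in show_output.splitlines()
            if (m := ACL_HEADER.match(line))}


def missing_on_vip(rsp_output, vip_output):
    """ACLs the RSP reports that the VIP does not, split into named and numbered.

    A non-empty 'named' list is the condition the post describes and is worth
    alerting on, since it indicates the VIP may not be filtering with that list.
    """
    missing = acl_names(rsp_output) - acl_names(vip_output)
    return {
        "named": sorted(n for n in missing if not n.isdigit()),
        "numbered": sorted(n for n in missing if n.isdigit()),
    }


if __name__ == "__main__":
    print(missing_on_vip(RSP_OUTPUT, VIP_OUTPUT))
```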
Re: [nsp] ACL leakage on VIP4
At 10:55 AM 11-10-02 -0700, Mark Boolootian wrote:

We had a case where named ACL broke PBR and pkts that were supposed to be
routed to interface #1 were actually routed to interface #2. Switching to
numbered ACL bypassed the problem.

-Hank


Re: [nsp] ACL leakage on VIP4
I've seen serious performance issues with named ACLs on 7500/VIP/dCEF,
12.0(xx)S train; using numbered ACLs worked like a charm.
Rule of thumb: use numbered ACLs on 7500, use named ACLs on Cat6K/7600.


Rubens

----- Original Message -----
From: "Mark Boolootian" <booloo@cats.ucsc.edu>
To: <cisco-nsp@puck.nether.net>
Sent: Friday, October 11, 2002 2:55 PM
Subject: [nsp] ACL leakage on VIP4
