On Thu, Mar 25, 2010 at 12:22 PM, Rodney Dunn <[email protected]> wrote:
> Yep...that's it:
>
> Release-note
> ============
>
> When a packet is destined to a next hop that doesn't already
> have an ARP entry, the packet needs to be punted from the hardware
> datapath up to the CPU. When the glean adjacency rate-limiter is
> enabled, the egress security ACL (and egress QoS) of the ingress
> interface is applied on these punted packets.
>
> The current workaround is to either relax the egress security ACLs
> of ports facing PCs/servers (ports facing only routers are not a
> problem since routing protocols guarantee that ARP entries always
> exist for routers), or disable the glean adjacency rate-limiter.

But it's fixed, right? CSCed75920 says:

Fixed-In
12.2(17d)SXB1
12.2(18)SXD

(I really want to police all IP at the end of my CoPP policy, and the mls glean rate-limiter appears to allow me to do that.)

-- 
Tim:>
