What are your mls rate limiters set for, including the no-route one?

Jared Mauch
On Aug 29, 2012, at 5:17 AM, Peter Rathlev <[email protected]> wrote:

> Good morning all,
>
> I'm stumped researching a slightly overloaded Supervisor 720 on one of
> our aggregation devices. I've discovered that an access-list applied to
> an SVI means denied packets are punted to the CPU. There's no log
> statement. The packets have no IP options, TTL=64, DSCP=0x28 and frame
> length 60 bytes.
>
> When I create an ERSPAN session capturing "source cpu rp tx" I see all
> the packets that are denied. As soon as I remove the ACL from the SVI I
> don't see the packets. (The destination host does not exist but the
> network in question is not connected to this device.)
>
> Shouldn't the Sup720 always be able to deny things in hardware? Does
> anybody know how to see exactly why the packets are punted?
>
> Example packet captured via ERSPAN:
>
> 10:59:30.790477 00:1e:ca:ed:45:7f > 00:00:0c:07:ac:02, ethertype IPv4
> (0x0800), length 60:
> (tos 0xa0, ttl 64, id 8722, offset 0, flags [none], proto: UDP (17),
> length: 41)
> 192.0.2.205.5001 > 203.0.113.40.5000: UDP, length 13
>
> Configuration and output from show commands follow, addresses replaced:
>
>
> ip access-list extended petrat-telefoni-temp
>  deny ip any host 198.51.100.10
>  deny ip any host 203.0.113.40
>  permit ip any any
> !
> interface Vlan41
>  description SKS IP-telefoner
>  ip vrf forwarding TDC02401
>  ip address 192.0.2.2 255.255.255.0
>  ip access-group petrat-telefoni-temp in
>  ip helper-address 172.
>  ip helper-address 10.85.45.30
>  no ip redirects
>  no ip proxy-arp
>  ip flow ingress
>  ntp disable
>  standby 2 ip 192.0.2.1
>  standby 2 timers 1 3
>  standby 2 priority 140
>  standby 2 preempt delay minimum 20 reload 300
>  standby 2 authentication md5 key-string 7 <hidden>
>  standby 2 track 1 decrement 50
>  standby 2 track 5 decrement 50
>  hold-queue 256 in
> !
>
>
> Switch#sh tcam interface vlan41 acl in ip detail
> * Global Defaults not shared
>
> -------------------------------------------------------------------------------------------------------------------
> DPort - Destination Port SPort - Source Port TCP-F - U -URG
> Pro - Protocol
> I - Inverted LOU TOS - TOS Value - A -ACK
> rtr - Router
> MRFM - M -MPLS Packet TN - T -Tcp Control - P -PSH
> COD - C -Bank Care Flag
> - R -Recirc. Flag - N -Non-cachable - R -RST
> - I -OrdIndep. Flag
> - F -Fragment Flag CAP - Capture Flag - S -SYN
> - D -Dynamic Flag
> - M -More Fragments F-P - FlowMask-Prior. - F -FIN
> T - V(Value)/M(Mask)/R(Result)
> X - XTAG (*) - Bank Priority
> -------------------------------------------------------------------------------------------------------------------
>
>
>
>
> Interface: 41 label: 6 lookup_type: 0
> protocol: IP packet-type: 0
>
> +-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
> |T|Index| Dest Ip Addr | Source Ip Addr| DPort | SPort |
> TCP-F |Pro|MRFM|X|TOS|TN|COD|F-P|
> +-+-----+---------------+---------------+---------------+---------------+-------+---+----+-+---+--+---+---+
>
> Entries from Bank 0
>
> V 18396 0.0.0.0 0.0.0.0 P=0 P=0
> ------ 0 ---- 0 0 -- --- 0-0
> M 18404 0.0.0.0 0.0.0.0 0 0
> ------ 0 ---- 0 0
> R rslt: L3_DENY_RESULT rtr_rslt: L3_DENY_RESULT
> hit_cnt=0
>
>
> Entries from Bank 1
>
> V 36141 198.51.100.10 0.0.0.0 P=0 P=0
> ------ 0 ---- 0 0 -- C-- 1-0
> M 36143 255.255.255.255 0.0.0.0 0 0
> ------ 0 ---- 0 0
> R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*)
> hit_cnt=0
>
> V 36142 203.0.113.40 0.0.0.0 P=0 P=0
> ------ 0 ---- 0 0 -- C-- 1-0 <-
> M 36143 255.255.255.255 0.0.0.0 0 0
> ------ 0 ---- 0 0 <-
> R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*)
> hit_cnt=4073 <-
>
> V 36304 0.0.0.0 0.0.0.0 P=0 P=0
> ------ 0 ---- 0 0 -- C-- 1-0 <-
> M 36305 0.0.0.0 0.0.0.0 0 0
> ------ 0 ---- 0 0 <-
> R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*)
> hit_cnt=197546 <-
>
> V 36828 0.0.0.0 0.0.0.0 P=0 P=0
> ------ 0 ---- 0 0 -- --- 0-0
> M 36836 0.0.0.0 0.0.0.0 0 0
> ------ 0 ---- 0 0
> R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*)
> hit_cnt=231
>
>
> Switch#
>
> Any pointers appreciated. :-)
>
> --
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
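Peter's TCAM dump identifies the matching ACE by its hit counter, which is the quickest way to see which deny entry the punted traffic is hitting. As an added example (not code from the thread), here is a small Python parser over a constructed copy of three of those V/M/R triplets, kept in the line-wrapped form the mail shows, that pairs value, mask and result and lists the deny entries that are actually being hit; it also accepts the native output where hit_cnt sits on the R line.

```python
import re

# Constructed sample: three V/M/R triplets from the show tcam output quoted above,
# wrapped the way the mail wrapped them (hit_cnt lands on a line of its own).
SAMPLE = """\
 V 36141 198.51.100.10 0.0.0.0 P=0 P=0
 ------ 0 ---- 0 0 -- C-- 1-0
 M 36143 255.255.255.255 0.0.0.0 0 0
 ------ 0 ---- 0 0
 R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*)
 hit_cnt=0
 V 36142 203.0.113.40 0.0.0.0 P=0 P=0
 ------ 0 ---- 0 0 -- C-- 1-0
 M 36143 255.255.255.255 0.0.0.0 0 0
 ------ 0 ---- 0 0
 R rslt: L3_DENY_RESULT (*) rtr_rslt: L3_DENY_RESULT (*)
 hit_cnt=4073
 V 36304 0.0.0.0 0.0.0.0 P=0 P=0
 ------ 0 ---- 0 0 -- C-- 1-0
 M 36305 0.0.0.0 0.0.0.0 0 0
 ------ 0 ---- 0 0
 R rslt: PERMIT_RESULT (*) rtr_rslt: PERMIT_RESULT (*)
 hit_cnt=197546
"""

VALUE = re.compile(r"^V\s+(\d+)\s+(\S+)\s+(\S+)")  # index, dest IP, source IP
MASK = re.compile(r"^M\s+\d+\s+(\S+)\s+(\S+)")     # dest mask, source mask
RESULT = re.compile(r"^R rslt:\s+(\S+)")            # L3_DENY_RESULT, PERMIT_RESULT, ...
HITS = re.compile(r"hit_cnt=(\d+)")                 # on the R line natively, or wrapped

def parse_tcam(text):
    """One dict per V/M/R triplet, tolerant of mail-style line wrapping."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := VALUE.match(line):
            entries.append({"index": int(m[1]), "dst": m[2], "src": m[3]})
        elif not entries:
            continue  # legend/header text before the first V row
        elif m := MASK.match(line):
            entries[-1].update(dst_mask=m[1], src_mask=m[2])
        elif m := RESULT.match(line):
            entries[-1]["result"] = m[1]
        if entries and (m := HITS.search(line)):
            entries[-1]["hit_cnt"] = int(m[1])
    return entries

def active_denies(text):
    """Deny entries that are actually matching traffic, most-hit first."""
    hits = [e for e in parse_tcam(text) if "DENY" in e.get("result", "") and e.get("hit_cnt")]
    return sorted(hits, key=lambda e: -e["hit_cnt"])
```

Run against a full dump, `active_denies` returns only the entries worth correlating with the ERSPAN capture; here that is index 36142 for host 203.0.113.40 with 4073 hits.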
