Marco,
This looks like CSCtc54878, "NDE direct export packets are checked by egress ACL".
When the packets are exported by the SP (MLS netflow), the flag for hardware to ignore ACL checks is not set. Fixed in SXI4.
-Ben
On Jun 17, 2010, at 11:52 AM, Rodney Dunn wrote:
If it is an inconsistency in implementation between the software and
hardware generated records it should be clearly articulated as a
gotcha in the configuration guide. Ben is checking on both parts for
us.
Rodney
On 6/17/10 11:15 AM, Marco Matarazzo wrote:
On Thu, Jun 17, 2010 at 4:29 PM, Benjamin Lovell <[email protected]> wrote:
The code path for MLS netflow versus software netflow is not the same. For MLS netflow the export records are created by the DFC/PFC so it's not surprising that they act differently than "locally generated" traffic.
I'm not surprised that the flows are created by different 'entities' inside the 6500. Another piece of evidence is the fact that MLS records are created with a source port different than the software created records.
I just found it unexpected that this 'entity' was considered external from the point of view of the ACL. Once you know it, I can punch a hole in the ACL, but wanted to be sure this is expected and not actually a bug of some sort (in the software or in the documentation! ;)
Thanks!
]\/[arco
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/