RE: Netflow bug on 3-GE cards (Trident) in Cisco GSRs
I beg to differ.

As a former employee of Cisco, your comments about ACL's on E0 and E1 cards are totally off base. I'm not sure where you got this "information", but it is most certainly not the case.

Standard ACL's & Extended ACL's have been supported by the E0's and E1's that were released in 12.0(5)S (most) and 12.0(6)S (2 port OC-12 DPT) versions of IOS. This includes the 8 port FE and 1 port GE cards. This includes support by the development organization that oversees software on the GSR, and by the TAC. (Whether the TAC engineer is capable of supporting you is another issue.)

Turbo ACL's were added in 12.0(6)S for all E0 and E1 cards that were out at the time.

One correct point in your statement is that newer rev's of software are better at not allowing you to implement ACL's on interfaces that the hardware/software doesn't support. This includes ACL's, NetFlow, CAR, and others.

Further there is no E2 based 10xGIGE card. The E2 is only a 2.5Gig engine, so you can at MOST run 1/4 line rate, and they aren't that crazy. Did you mean the E4/E4+ based cards that are in development?

David

-----Original Message-----
From: Andrew C. Ohnstad [mailto:andrewo@gblx.net]
Sent: Monday, July 23, 2001 7:20 AM
To: Mikael Abrahamsson
Cc: nanog@merit.org
Subject: Re: Netflow bug on 3-GE cards (Trident) in Cisco GSRs

On Sat, Jul 21, 2001 at 09:37:36AM +0200, Mikael Abrahamsson wrote:
On Fri, 20 Jul 2001, Dani Roisman wrote:
Turns out you can only run netflow on the first port of a 3-GigE port on the current S-tract software rev. If you have been struggling with this as well, I'm eager to hear about it off-list.
In 12.0.15S you cannot use access-lists on subinterface on the 3GE either. Wonder if that's a software bug too, or hardware limitation (like the MTU difference on the 3GE compared to the 1GE).
Actually Cisco has never supported ACLs on Engine 0 or Engine 1 cards in the GSR. Used to be that you could apply those ACLs, but they were implemented by the router very erratically. Cisco finally removed the ability to apply ACLs to an ineligible interface because the TAC was tired of telling people "it's not supported, even though it's there."

Best wait another 6 months for the Engine 2 10xGIGE card which will support ACLs, or change to/add something from the 7xxx platform. DownReving the router isn't really an option, like I said because the ACLs never really worked right anyway. I don't remember the exact details (I can get them if anyone wants) but I believe it did something like arbitrarily testing random packets with random rules, whereas some packets would get thru without being checked at all.

--
=-=andrewo
On Mon, Jul 23, 2001 at 10:42:26AM -0700, David Sinn wrote:
I beg to differ.
As a former employee of Cisco, your comments about ACL's on E0 and E1 cards are totally off base. I'm not sure where you got this "information", but it is most certainly not the case.
Standard ACL's & Extended ACL's have been supported by the E0's and E1's that were released in 12.0(5)S (most) and 12.0(6)S (2 port OC-12 DPT) versions of IOS. This includes the 8 port FE and 1 port GE cards. This includes support by the development organization that oversees software on the GSR, and by the TAC. (Whether the TAC engineer is capable of supporting you is another issue.)
I apologize, I made a couple mistakes in my response. ACLs are not supported on E0 and E1 Gig/FE cards. You used to be able to do them anyways, but they didn't work. They were removed in recent releases. They will be supported by (and re-enabled on) the Engine3 10 port GigE cards under development.

We found this out the hard way when we upgraded a pair of GSR with GigE "DMZ" type interfaces behind it. We had to scramble to install a 7xxx series routers to serve as dedicated DMZ routers and do the ACLs on them.

--
=-=andrewo
On Mon, Jul 23, 2001 at 02:11:36PM -0400, Andrew C. Ohnstad wrote:
On Mon, Jul 23, 2001 at 10:42:26AM -0700, David Sinn wrote:
I beg to differ.
As a former employee of Cisco, your comments about ACL's on E0 and E1 cards are totally off base. I'm not sure where you got this "information", but it is most certainly not the case.
Standard ACL's & Extended ACL's have been supported by the E0's and E1's that were released in 12.0(5)S (most) and 12.0(6)S (2 port OC-12 DPT) versions of IOS. This includes the 8 port FE and 1 port GE cards. This includes support by the development organization that oversees software on the GSR, and by the TAC. (Whether the TAC engineer is capable of supporting you is another issue.)
I apologize, I made a couple mistakes in my response. ACLs are not supported on E0 and E1 Gig/FE cards.
They are not supported on (802.1q/ISL) sub interfaces, but they are supported on the physical interface.

/Jesper

--
Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456
Work: Network manager @ AS3292 (Tele Danmark DataNetworks)
Private: FreeBSD committer @ AS2109 (A much smaller network ;-)

One Unix to rule them all, One Resolver to find them,
One IP to bring them all and in the zone to bind them.
participants (3)
- Andrew C. Ohnstad
- David Sinn
- Jesper Skriver