Netflow bug on 3-GE cards (Trident) in Cisco GSRs

David Sinn dsinn at
Mon Jul 23 17:42:26 UTC 2001

I beg to differ.

As a former employee of Cisco, your comments about ACL's on E0 and E1
cards are totally off base.  I'm not sure where you got this
"information", but it is most certainly not the case.

Standard ACL's & Extended ACL's have been supported by the E0's and E1's
that were released in 12.0(5)S (most) and 12.0(6)S (2 port OC-12 DPT)
versions of IOS.  This includes the 8 port FE and 1 port GE cards.  This
includes support by the development organization that oversees software
on the GSR, and by the TAC.  (Whether the TAC engineer is capable of
supporting you is another issue.)

Turbo ACL's were added in 12.0(6)S for all E0 and E1 cards that were out
at the time.

One correct point in your statement is that newer rev's of software are
better at not allowing you to implement ACL's on interfaces that the
hardware/software doesn't support.  This includes ACL's, NetFlow, CAR,
and others.

Further there is no E2 based 10xGIGE card.  The E2 is only a 2.5Gig
engine, so you can at MOST run 1/4 line rate, and they aren't that
crazy.  Did you mean the E4/E4+ based cards that are in development?


-----Original Message-----
From: Andrew C. Ohnstad [mailto:andrewo at] 
Sent: Monday, July 23, 2001 7:20 AM
To: Mikael Abrahamsson
Cc: nanog at
Subject: Re: Netflow bug on 3-GE cards (Trident) in Cisco GSRs

On Sat, Jul 21, 2001 at 09:37:36AM +0200, Mikael Abrahamsson wrote:
> On Fri, 20 Jul 2001, Dani Roisman wrote:
> > Turns out you can only run netflow on the first port of a 3-GigE
> > on the current S-tract software rev.  If you have been struggling
> > this as well, I'm eager to hear about it off-list.
> In 12.0.15S you cannot use access-lists on subinterface on the 3GE
> Wonder if that's a software bug too, or hardware limitation (like the
> difference on the 3GE compared to the 1GE).

Actually Cisco has never supported ACLs on Engine 0 or Engine 1 cards in
the GSR.  Used to be that you could apply those ACLs, but they were
implemented by the router very erratically.  Cisco finally removed the 
ability to apply ACLs to an ineligible interface because the TAC was
of telling people "it's not supported, even though it's there."

Best wait another 6 months for the Engine 2 10xGIGE card which will 
support ACLs, or change to/add something from the 7xxx platform.  
DownReving the router isn't really an option, like I said because the
never really worked right anyway.  I don't remember the exact details (I
can get them if anyone wants) but I believe it did something like
arbitrarily testing random packets with random rules, whereas some 
packets would get thru without being checked at all.


