Catalyst 6500 named ACL applied to L2 port

Unanswered Question
Feb 4th, 2010

Hi guys,

  I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.

  I cannot use a PACL as it requires a somewhat higher software revision, I believe.

  The problem I have is that it looks like the ACL can be applied to the L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.

  Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.


many thanks in advance.

Ganesh Hariharan Thu, 02/04/2010 - 04:04

Hi guys,

  I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.

  I cannot use a PACL as it requires a somewhat higher software revision, I believe.

  The problem I have is that it looks like the ACL can be applied to the L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.

  Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.


many thanks in advance.



Hi,


Cisco IOS Release 12.2(33)SXH and later releases support PACLs. PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information.


Yes, it should work. Can you share the ACL configuration which you have applied on the switch?


HTH


Ganesh.H

mgajew Thu, 02/04/2010 - 04:47

Hi Ganesh,

  The ACL is pretty simple:

Extended IP access list test
     5 deny ip any any

int fa1/10

interface FastEthernet1/10
switchport
switchport access vlan 10
switchport mode access
no ip address
ip access-group test in

The result is that even with this ACL, all traffic is going through, even though there are hits on the following:

switch#  sh tcam int fa1/10 acl in ip

* Global Defaults shared

Entries from Bank 0

Entries from Bank 1

    deny         ip any any (730 matches)

The traffic is NOT going within the same subnet.

And as you noticed, I cannot apply a PACL because of the lower software version, which would probably solve the problem, but I don't quite follow why the Cat allows applying an ACL that it doesn't respect?

Thanks,

Jon Marshall Thu, 02/04/2010 - 04:58

mgajew wrote:


Hi Ganesh,

  The ACL is pretty simple:

Extended IP access list test
     5 deny ip any any

int fa1/10

interface FastEthernet1/10
switchport
switchport access vlan 10
switchport mode access
no ip address
ip access-group test in

The result is that even with this ACL, all traffic is going through, even though there are hits on the following:

switch#  sh tcam int fa1/10 acl in ip

* Global Defaults shared

Entries from Bank 0

Entries from Bank 1

    deny         ip any any (730 matches)

The traffic is NOT going within the same subnet.

And as you noticed, I cannot apply a PACL because of the lower software version, which would probably solve the problem, but I don't quite follow why the Cat allows applying an ACL that it doesn't respect?

Thanks,


I'm not sure this will work. The SXF train allows an ACL to be applied to an L3 port only, i.e. there is no mention of it being applied to an L2 port. I suspect it let you do it simply because the code is there for L3 routed ports.


As you say, only when you get to SXH does it allow you to apply an ACL to an L2 port.


Jon
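The two findings in this thread, that the SXF release accepts `ip access-group` on a switchport without enforcing it and that hardware-switched hits appear only in `show tcam` output rather than in the ACL hit counters, both lend themselves to a configuration audit. The Python below is an added example, not code from the thread or from Cisco: it parses a running-config to report every ACL bound to an L2 switchport (the silent-failure case described above) and extracts per-entry match counts from `show tcam interface ... acl in ip` output so the hardware counters can be read programmatically. The sample config is constructed for this example and is modelled on mgajew's interface; the Vlan10 and GigabitEthernet2/1 stanzas are invented to show that SVIs and `no switchport` routed ports are not reported. Whether a given release enforces the binding is not decided here; the report only tells you where the binding exists so you can check it against the release notes for your train.

```python
import re

# Constructed sample running-config fragment (not from the thread; the
# FastEthernet1/10 stanza mirrors mgajew's post, the other two are invented).
SAMPLE_CONFIG = """\
version 12.2
hostname switch
!
ip access-list extended test
 deny ip any any
!
interface FastEthernet1/10
 switchport
 switchport access vlan 10
 switchport mode access
 no ip address
 ip access-group test in
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group test in
!
interface GigabitEthernet2/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
 ip access-group test out
!
end
"""

# Constructed sample of 'show tcam interface fa1/10 acl in ip' output, copied
# in shape from the thread.
SAMPLE_TCAM = """\
* Global Defaults shared

Entries from Bank 0

Entries from Bank 1

    deny         ip any any (730 matches)
"""


def parse_interfaces(config):
    """Split an IOS running-config into {interface_name: [indented config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def is_layer2(name, lines):
    """Heuristic: a physical port is L2 when it carries 'switchport' and not
    'no switchport'; SVIs (interface VlanN) are always L3."""
    if name.lower().startswith("vlan"):
        return False
    if "no switchport" in lines:
        return False
    return any(l == "switchport" or l.startswith("switchport ") for l in lines)


ACL_RE = re.compile(r"^ip access-group (\S+) (in|out)$")


def find_acls_on_l2_ports(config):
    """Report every 'ip access-group' bound to an L2 switchport: the binding
    the thread shows being accepted but not enforced on 12.2(18)SXF5."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not is_layer2(name, lines):
            continue
        for l in lines:
            m = ACL_RE.match(l)
            if m:
                findings.append({"interface": name, "acl": m.group(1), "direction": m.group(2)})
    return findings


TCAM_RE = re.compile(r"^\s*(permit|deny)\s+(.+?)\s+\((\d+) matches\)\s*$")


def parse_tcam_matches(output):
    """Return [(action, match_spec, count)] from 'show tcam ... acl in ip' output,
    which is where hardware-switched hits show up on the 6500."""
    entries = []
    for line in output.splitlines():
        m = TCAM_RE.match(line)
        if m:
            entries.append((m.group(1), re.sub(r"\s+", " ", m.group(2)), int(m.group(3))))
    return entries


if __name__ == "__main__":
    for f in find_acls_on_l2_ports(SAMPLE_CONFIG):
        print("ACL %(acl)s %(direction)s on L2 port %(interface)s: verify enforcement on this release" % f)
    for action, spec, count in parse_tcam_matches(SAMPLE_TCAM):
        print("TCAM %s %s: %d matches" % (action, spec, count))
```

Run against a saved `show running-config` and `show tcam` capture; a non-zero TCAM count next to a reported L2 binding is exactly the situation in the thread, where the entry is programmed and counting but traffic still passes.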

Jon Marshall Thu, 02/04/2010 - 04:34

mgajew wrote:


Hi guys,

  I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.

  I cannot use a PACL as it requires a somewhat higher software revision, I believe.

  The problem I have is that it looks like the ACL can be applied to the L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.

  Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.


many thanks in advance.


When you say you don't see any hits, that is normal for a 6500 because packets are processed in hardware, so ACL hit counts are not incremented. If the packet was processed in software then you would indeed see ACL hits.


So the more important question is: does the ACL actually restrict the traffic or not?


Jon
