Catalyst 6500 named ACL applied to L2 port

mgajew
Level 1

Hi guys,

I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.

I cannot use a PACL as it requires a slightly higher software revision number, I believe.

The problem I have is that it looks like the ACL can be applied to an L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.

Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.

Many thanks in advance.

4 Replies

Ganesh Hariharan
VIP Alumni

mgajew wrote:

Hi guys,

I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.

I cannot use a PACL as it requires a slightly higher software revision number, I believe.

The problem I have is that it looks like the ACL can be applied to an L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.

Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.

Many thanks in advance.

Hi,

Cisco IOS Release 12.2(33)SXH and later releases support PACLs. PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information.

Yes, it should work. Can you share the ACL configuration which you have applied on the switch?

HTH

Ganesh.H

Hi Ganesh,

The ACL is pretty simple:

Extended IP access list test
     5 deny ip any any

int fa1/10

interface FastEthernet1/10
switchport
switchport access vlan 10
switchport mode access
no ip address
ip access-group test in

The result is that even with this ACL, all traffic is going through, even though there are hits on the following:

switch#  sh tcam int fa1/10 acl in ip

* Global Defaults shared


Entries from Bank 0


Entries from Bank 1

    deny         ip any any (730 matches)

Traffic is NOT going within the same subnet.

And as you noticed, I cannot apply a PACL, which would probably solve the problem, because of the lower software version, but I don't quite follow why the Cat allows applying an ACL that it doesn't respect?

Thanks,

mgajew wrote:

Hi Ganesh,

The ACL is pretty simple:

Extended IP access list test
     5 deny ip any any

int fa1/10

interface FastEthernet1/10
switchport
switchport access vlan 10
switchport mode access
no ip address
ip access-group test in

The result is that even with this ACL, all traffic is going through, even though there are hits on the following:

switch#  sh tcam int fa1/10 acl in ip

* Global Defaults shared


Entries from Bank 0


Entries from Bank 1

    deny         ip any any (730 matches)

Traffic is NOT going within the same subnet.

And as you noticed, I cannot apply a PACL, which would probably solve the problem, because of the lower software version, but I don't quite follow why the Cat allows applying an ACL that it doesn't respect?

Thanks,

I'm not sure this will work. The SXF train allows an ACL to be applied to an L3 port only, i.e. there is no mention of it being applied to an L2 port. I suspect it let you do it simply because the code is there for L3 routed ports.

As you say, only when you get to SXH does it allow you to apply an ACL to an L2 port.

Jon

Jon Marshall
Hall of Fame

mgajew wrote:

Hi guys,

I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.

I cannot use a PACL as it requires a slightly higher software revision number, I believe.

The problem I have is that it looks like the ACL can be applied to an L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.

Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.

Many thanks in advance.

When you say you don't see any hits, that is normal for a 6500 because packets are processed in hardware, so ACL hit counts are not incremented. If the packet was processed in software then you would indeed see ACL hits.

So the more important question is: does the ACL actually restrict the traffic or not?

Jon
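Since hit counters cannot confirm enforcement on a hardware-switched 6500, the practical check is a configuration audit: flag any ip access-group on an L2 switchport when the IOS version predates 12.2(33)SXH, the release cited above for PACL support. This is an added example, not code from any poster in the thread; the sample config, the interface names and the lexical ordering of train letters are assumptions.

```python
import re
# Constructed running-config (not from any poster): the thread's L2 port plus an L3 routed port.
SAMPLE_CONFIG = """\
interface FastEthernet1/10
 switchport
 switchport access vlan 10
 ip access-group test in
interface GigabitEthernet2/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
 ip access-group test in
"""
PACL_MIN = (12, 2, 33, "SXH")  # first release the thread cites for PACL support

def parse_ios_version(text):
    """'12.2(18)SXF5' -> (12, 2, 18, 'SXF'); the rebuild suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)[0-9a-z]*", text.strip())
    if not m:
        raise ValueError("unrecognised IOS version: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def find_unenforced_acls(config, version):
    """[(interface, acl, direction)] for ip access-group on L2 switchports when
    the code predates PACL support: accepted by the CLI, ignored in hardware."""
    # Numeric fields compare first; train letters compare lexically (assumption).
    if parse_ios_version(version) >= PACL_MIN:
        return []
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport" not in lines:  # 'no switchport' means a routed L3 port
            continue
        for cmd in lines:
            m = re.fullmatch(r"ip access-group (\S+) (in|out)", cmd)
            if m:
                findings.append((name, m.group(1), m.group(2)))
    return findings
```

Run it against the output of `show running-config` and `show version`; a non-empty result means the ACL should be verified with actual test traffic rather than trusted.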
