02-04-2010 02:46 AM - edited 03-06-2019 09:34 AM
Hi guys,
I have a Cat6500 with named ACLs matching L4 traffic configured and applied to an L2 port. Software is: (s3223_rp-IPBASEK9-M), Version 12.2(18)SXF5.
I cannot use PACL as it requires a slightly higher software revision, I believe.
The problem I have is that it looks like the ACL can be applied to the L2 port but doesn't seem to do anything; I cannot see any hits on the ACL entries.
Can anybody help me out with identifying the cause of it? I'm pretty sure both named and numbered ACLs can be applied to an L2 port.
Many thanks in advance.
02-04-2010 04:04 AM
Hi,
Cisco IOS Release 12.2(33)SXH and later releases support PACLs. PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information.
Yes, it should work. Can you share the ACL configuration which you have applied on the switch?
HTH
Ganesh.H
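For reference, this is what a PACL on a Layer 2 port looks like on a release that supports it (12.2(33)SXH or later, as the reply above states), together with the commands used to verify that the entries were actually programmed into hardware. This is an added example, not configuration from the original thread; the interface name, VLAN number and ACL name are assumptions chosen for illustration.

```cisco
! Added example (not from the original post). Assumes 12.2(33)SXH or later,
! where "ip access-group ... in" on a switchport is a PACL.
ip access-list extended PACL-FA1-10
 ! Assumed policy: allow only DNS and HTTPS out of the port, log everything else.
 permit udp any any eq 53
 permit tcp any any eq 443
 deny   ip  any any log
!
interface FastEthernet1/10
 switchport
 switchport access vlan 10
 switchport mode access
 ! On SXH and later this is a port ACL, applied to Layer 2 ingress traffic.
 ip access-group PACL-FA1-10 in
 ! Evaluate the port ACL before any VLAN ACL / router ACL on the same path
 ! (the default mode is "merge").
 access-group mode prefer port
!
! Verification: hardware (TCAM) programming and match counters for the port.
! Hardware-switched packets increment these counters, not the ones shown by
! "show ip access-lists", so this is the view to trust on a 6500.
do show tcam interface FastEthernet1/10 acl in ip
!
! Software counters: only software-switched packets (e.g. logged denies) show up here.
do show ip access-lists PACL-FA1-10
```

The decisive check is still behavioural: send traffic from a host on the port that the ACL should deny and confirm it does not reach its destination, rather than relying on counters alone. On 12.2(18)SXF, which has no PACL support, the same result on a Layer 2 port has to come from a VLAN ACL (vlan access-map applied with vlan filter) or a router ACL on the SVI.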
02-04-2010 04:47 AM
Hi Ganesh,
The ACL is pretty simple:
Extended IP access list test
5 deny ip any any
int fa1/10
interface FastEthernet1/10
switchport
switchport access vlan 10
switchport mode access
no ip address
ip access-group test in
The result is that even with this ACL, all traffic is going through, even though there are hits on the following:
switch# sh tcam int fa1/10 acl in ip
* Global Defaults shared
Entries from Bank 0
Entries from Bank 1
deny ip any any (730 matches)
The traffic is NOT going within the same subnet.
And as you noticed, I cannot apply a PACL because of the lower software version, which would probably solve the problem, but I don't quite follow why the Cat allows applying an ACL that it doesn't respect?
Thanks,
02-04-2010 04:58 AM
I'm not sure this will work. The SXF train allows an ACL to be applied to an L3 port only, i.e. there is no mention of it being applied to an L2 port. I suspect it let you do it simply because the code is there for L3 routed ports.
As you say, only when you get to SXH does it allow you to apply an ACL to an L2 port.
Jon
02-04-2010 04:34 AM
When you say you don't see any hits, that is normal for a 6500, because packets are processed in hardware, so ACL hit counts are not incremented. If the packet was processed in software then you would indeed see ACL hits.
So the more important question is: does the ACL actually restrict the traffic or not?
Jon