Cisco Support Community
Community Member

Cat4006+RSM+ACLs

Hi, I have read in documentation and in conversations that if I apply an ACL on a port-channel sub-interface it won't work, but I have tested it and it worked.

Although the IOS reports that it doesn't support the command, it works.

Can anybody explain?

Router(config)#int port
Router(config)#int port-channel 1.3
Router(config-subif)#ip acc
Router(config-subif)#ip acce
Router(config-subif)#ip access-group 101 in
Router(config-subif)#
7w1d: ACL is not supported on interface Port-channel1.3
Router(config-subif)#^Z
Router#
7w1d: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.75.81)
Router#
Router#
Router#
7w1d: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.0.75.45 -> 10.0.75.6 (0/0),

Router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(10)W5(18f) RELEASE SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 04-Dec-00 22:07 by integ
Image text-base: 0x60010928, data-base: 0x605F6000

ROM: System Bootstrap, Version 12.0(7)W5(15b) RELEASE SOFTWARE

Router uptime is 7 weeks, 1 day, 10 hours, 37 minutes
System restarted by power-on
Running default software

cisco Cat4232L3 (R5000) processor with 57344K/8192K bytes of memory.
R5000 processor, Implementation 35, Revision 2.1
Last reset from power-on
1 FastEthernet/IEEE 802.3 interface(s)
4 Gigabit Ethernet/IEEE 802.3z interface(s)
123K bytes of non-volatile configuration memory.
16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2

3 REPLIES
Cisco Employee

Re: Cat4006+RSM+ACLs

Access lists are not supported on port-channel interfaces on a WS-X4232-L3 module in any IOS.

http://www.cisco.com/warp/public/473/28.html#access-list_ws

If you need to use ACLs, redesign routing using sub-interfaces on gig 3 and gig 4.

Community Member

Re: Cat4006+RSM+ACLs

I don't have rights for this page.

Can you send me ?

Thanks for your attention,

Paulo Mauricio

Cisco Employee

Re: Cat4006+RSM+ACLs

It is a public page. Anyway, here it is:

Access List Support on the WS-X4232-L3

Both control-plane and data-plane Access Control Lists (ACLs) are supported on the WS-X4232-L3 module.

Control-plane ACLs: ACLs used to access control data that is processed by the CPU of the WS-X4232-L3 module (for example, distribution of routing information, IGMP joins, IPX SAPs and GNS packets, and so on).

Data-plane ACLs: ACLs used to access control user data being routed through the WS-X4232-L3 in hardware (for example, denying TCP sessions between two hosts, controlling access to devices in an IPX network, and so on). These ACLs are applied to an interface in the input or output direction using the ip access-group or ipx access-group command.

The following restrictions apply when using data-plane ACLs on the WS-X4232-L3:

ACLs are not supported on Gigabit EtherChannel (GEC) interfaces (that is, you cannot configure a data-plane ACL on a port-channel interface).

ACLs are not supported on subinterfaces of Gigabit EtherChannel (GEC) interfaces (that is, you cannot configure a data-plane ACL on a port-channel subinterface).

Reflexive and dynamic ACLs are not supported.

ACL logging, ACL hit counters, and access-violations accounting are not supported.

The implication of these restrictions is that you cannot configure the two internal Gigabit Ethernet interfaces as an EtherChannel bundle if you also wish to use data-plane ACLs to control traffic flow between VLANs.

The alternative is to configure each internal gigabit interface as a separate 802.1q trunk, each carrying different VLANs. This alternative is possible because configuring data-plane ACLs on subinterfaces of a main interface is allowed. (See the examples below.)

WS-X4232-L3 Access List Examples

Allowed:

interface gig 3
 ip address 192.168.100.1 255.255.255.0
 ip access-group 101 in

Allowed:

interface gig 3.10
 encapsulation dot1q 10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 99 out

Not Allowed:

interface gig 3
 channel-group 1
interface gig 4
 channel-group 1
interface port-channel 1
 ip address 192.168.100.1 255.255.255.0
 ip access-group 101 in

Not Allowed:

interface gig 3
 channel-group 1
interface gig 4
 channel-group 1
interface port-channel 1.10
 encapsulation dot1q 10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 99 out
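The restrictions quoted above describe a failure mode worth catching before it bites: the CLI accepts `ip access-group` under a port-channel (sub)interface and the command lands in the running-config, yet the data plane does not enforce it, and data-plane ACL logging and hit counters are not supported either, so a stray log line is not proof that the filter is in effect. The following audit script is an added example and is not from the thread or from Cisco's documentation. It parses a constructed Cisco IOS running-config (the interface names, addresses and ACL numbers in it are made up for the example) and flags two things the quoted page says are unsupported on the WS-X4232-L3: data-plane ACLs bound to `Port-channel` interfaces or subinterfaces, and bound ACLs whose entries rely on the `log` keyword.

```python
"""Audit a Cisco IOS running-config for ACL bindings that the WS-X4232-L3
restrictions say are not enforced.  Added example, not Cisco's own tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config for this example (not from the thread).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet3
 no ip address
 channel-group 1
!
interface GigabitEthernet4
 no ip address
 channel-group 1
!
interface Port-channel1
 no ip address
!
interface Port-channel1.3
 encapsulation dot1Q 3
 ip address 10.0.75.1 255.255.255.0
 ip access-group 101 in
!
interface GigabitEthernet3.10
 encapsulation dot1Q 10
 ip address 192.168.100.1 255.255.255.0
 ip access-group 99 out
!
access-list 99 permit 192.168.100.0 0.0.0.255
access-list 101 deny   icmp any any log
access-list 101 permit ip any any
!
"""


@dataclass(frozen=True)
class Finding:
    interface: str
    acl: str
    direction: str
    reason: str


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-commands]} for every 'interface' stanza.
    A stanza ends at the next top-level line ('!' or any unindented command)."""
    interfaces: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def parse_acl_log_entries(config: str) -> set[str]:
    """ACL numbers/names that have at least one entry ending in 'log' or 'log-input'."""
    logged: set[str] = set()
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\S+)\s.*\blog(-input)?\s*$", line)
        if m:
            logged.add(m.group(1))
    return logged


ACCESS_GROUP = re.compile(r"^ip access-group\s+(\S+)\s+(in|out)$")


def audit(config: str) -> list[Finding]:
    """Flag ACL bindings the platform accepts into the config but does not enforce."""
    logged = parse_acl_log_entries(config)
    findings: list[Finding] = []
    for name, cmds in parse_interfaces(config).items():
        on_port_channel = name.lower().startswith("port-channel")
        for cmd in cmds:
            m = ACCESS_GROUP.match(cmd)
            if not m:
                continue
            acl, direction = m.groups()
            if on_port_channel:
                kind = "subinterface" if "." in name else "interface"
                findings.append(Finding(
                    name, acl, direction,
                    f"data-plane ACL not supported on port-channel {kind}"))
            if acl in logged:
                findings.append(Finding(
                    name, acl, direction,
                    "ACL uses 'log'; data-plane ACL logging is not supported"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.interface}: ip access-group {f.acl} {f.direction}: {f.reason}")
```

Run it against the output of `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with the file contents; any `Port-channel` hit means the traffic on that VLAN is not being filtered the way the config suggests, and the fix is the one given in the reply: break the bundle and put the VLAN subinterfaces with their ACLs on gig 3 and gig 4 as separate 802.1q trunks.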
