GroupStudy.com - CCIE, CCNA, CCNP and other Cisco Certifications

Home

BookStore

StudyNotes

Links

[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]

Subject: Re: 6500 Access-lists
From: James Ventre <messageboard@xxxxxxxxxxxxxxxx>
Date: Thu, 26 Jan 2006 12:57:54 -0500
Cc: Sheikh.Rahman@xxxxxxxxxxxxx, duane.dewitt@xxxxxxxxxxx, ccielab@xxxxxxxxxxxxxx
In-reply-to: <BAY103-F16D502233845028ED8E70AC8150@phx.gbl>
References: <BAY103-F16D502233845028ED8E70AC8150@phx.gbl>
User-agent: Thunderbird 1.5 (Windows/20051201)

Also be aware that unless you're running a PFC3B (or 3BXL) with newer code your ACL counters are only hits inside of a small sampling window. They do not indicate hits for ALL ACE's.

James

Jeremy O'Dette wrote:

One word of caution - Double check your ACLs with the "log" option or a sniffer once you configure them: We had a pair of 6500s (running hybrid 8.3/12.1(13)) in my office that were setup for inter-vlan routing. I added a few extended ACLs to the SVIs on the MSFCs and I noticed the ACLs weren't filtering traffic the way there were supposed to be (letting denyed traffic into a SVI but blocking the return path even though the ACl wasn't performing any egress filtering). I always assumed applying an extended ACL to a 6500 SVI should behave the same as if you put the same ACL on the physical interface of any other IOS box.

After talking the issue over with TAC some of the older IOS versions don't appear to handle filtering properly. You probably won't have any issues but I'd double check the ACLs are blocking everything they're supposed to be blocking.
Jeremy O'Dette
CCIE #14973
jeremyodette@xxxxxxxxxxx

References:
- RE: 6500 Access-lists
  - From: Jeremy O'Dette

Prev by Date: RE: 6500 Access-lists
Next by Date: RE: 6500 Access-lists
Previous by thread: RE: 6500 Access-lists
Next by thread: RE: 6500 Access-lists
Index(es):
- Date
- Thread