Re: 6500 Access-lists posted 01/26/2006

Also be aware that unless you're running a PFC3B (or 3BXL) with newer code, your ACL counters are only hits inside of a small sampling window. They do not indicate hits for ALL ACEs.


Jeremy O'Dette wrote:
One word of caution - double-check your ACLs with the "log" option or a sniffer once you configure them:
We had a pair of 6500s (running hybrid 8.3/12.1(13)) in my office that were set up for inter-VLAN routing. I added a few extended ACLs to the SVIs on the MSFCs and I noticed the ACLs weren't filtering traffic the way they were supposed to be (letting denied traffic into an SVI but blocking the return path even though the ACL wasn't performing any egress filtering). I always assumed applying an extended ACL to a 6500 SVI should behave the same as if you put the same ACL on the physical interface of any other IOS box.

After talking the issue over with TAC, some of the older IOS versions don't appear to handle filtering properly. You probably won't have any issues, but I'd double-check the ACLs are blocking everything they're supposed to be blocking.

Jeremy O'Dette
CCIE #14973