RE: 6500 Access-lists

From: de Witt, Duane (duane.dewitt@siemens.com)
Date: Fri Jan 27 2006 - 02:40:55 GMT-3


I'm running SUP 7203B. A nice thing that I noticed was that the standby msfc is automatically updated with the config from the master.

Everything is set up, I'm just waiting to get the hosts connected to the switch to test.

Regards
Duane de Witt
Consulting Systems Engineer
CCIE # 15715
 
____________________________________________
SIEMENS Siemens Business Services
        Siemens Service Center

126 14th Road
Erand Gardens
Midrand
South Africa
 
+27 11 5452555
+27 83 4452768
+27 11 5415219
duane.dewitt@siemens.com

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of James Ventre
Sent: 26 January 2006 07:58 PM
To: Jeremy O'Dette
Cc: Sheikh.Rahman@uk.didata.com; de Witt, Duane; ccielab@groupstudy.com
Subject: Re: 6500 Access-lists

Also be aware that unless you're running a PFC3B (or 3BXL) with newer
code your ACL counters are only hits inside of a small sampling window.
They do not indicate hits for ALL ACEs.

James

Jeremy O'Dette wrote:
> One word of caution - Double check your ACLs with the "log" option or
> a sniffer once you configure them:
> We had a pair of 6500s (running hybrid 8.3/12.1(13)) in my office that
> were set up for inter-vlan routing. I added a few extended ACLs to the
> SVIs on the MSFCs and I noticed the ACLs weren't filtering traffic the
> way they were supposed to be (letting denied traffic into an SVI but
> blocking the return path even though the ACL wasn't performing any
> egress filtering). I always assumed applying an extended ACL to a
> 6500 SVI should behave the same as if you put the same ACL on the
> physical interface of any other IOS box.
>
> After talking the issue over with TAC, some of the older IOS versions
> don't appear to handle filtering properly. You probably won't have
> any issues but I'd double check the ACLs are blocking everything
> they're supposed to be blocking.
>
>
>
> Jeremy O'Dette
> CCIE #14973
> jeremyodette@hotmail.com


