Re: 6500 Access-lists

From: Jonathan Stevens (jonathanstevens.net@googlemail.com)
Date: Sat Jan 28 2006 - 08:49:23 GMT-3

• Next message: Brian Dennis: "RE: "WALL OF PAIN""
• Previous message: Nadeem Zahid \(iszahid\): "BGP AS PATH"
• Maybe in reply to: de Witt, Duane: "6500 Access-lists"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Duane,
   Just noticed your number! Congratulations from #15714. Just out of
curiousity which location did you pass at?

de Witt, Duane wrote:

>I'm running SUP 7203B. A nice thing that I noticed was that the standby msfc is automatically updated with the config from the master.
>
>Everything is setup, I'm just waiting to get the hosts connected to the switch to test.
>
>Regards
>Duane de Witt
>Consulting Systems Engineer
>CCIE # 15715
>
>____________________________________________
>SIEMENS Siemens Business Services
> Siemens Service Center
>
>126 14th Road
>Erand Gardens
>Midrand
>South Africa
>
>I +27 11 5452555
>H +27 83 4452768
>J +27 11 5415219
>* duane.dewitt@siemens.com
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of James Ventre
>Sent: 26 January 2006 07:58 PM
>To: Jeremy O'Dette
>Cc: Sheikh.Rahman@uk.didata.com; de Witt, Duane; ccielab@groupstudy.com
>Subject: Re: 6500 Access-lists
>
>Also be aware that unless you're running a PFC3B (or 3BXL) with newer
>code your ACL counters are only hits inside of a small sampling window.
>They do not indicate hits for ALL ACE's.
>
>James
>
>
>
>
>Jeremy O'Dette wrote:
>
>
>>One word of caution - Double check your ACLs with the "log" option or
>>a sniffer once you configure them:
>>We had a pair of 6500s (running hybrid 8.3/12.1(13)) in my office that
>>were setup for inter-vlan routing. I added a few extended ACLs to the
>>SVIs on the MSFCs and I noticed the ACLs weren't filtering traffic the
>>way there were supposed to be (letting denyed traffic into a SVI but
>>blocking the return path even though the ACl wasn't performing any
>>egress filtering). I always assumed applying an extended ACL to a
>>6500 SVI should behave the same as if you put the same ACL on the
>>physical interface of any other IOS box.
>>
>>After talking the issue over with TAC some of the older IOS versions
>>don't appear to handle filtering properly. You probably won't have
>>any issues but I'd double check the ACLs are blocking everything
>>they're supposed to be blocking.
>>
>>
>>
>>Jeremy O'Dette
>>CCIE #14973
>>jeremyodette@hotmail.com
>>
>>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html

• Next message: Brian Dennis: "RE: "WALL OF PAIN""
• Previous message: Nadeem Zahid \(iszahid\): "BGP AS PATH"
• Maybe in reply to: de Witt, Duane: "6500 Access-lists"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Wed Feb 01 2006 - 07:45:50 GMT-3