RE: [nsp] Regarding 6509 L3 Switch..

From: Jay Ford (jay-ford@uiowa.edu)
Date: Thu Sep 21 2000 - 12:21:31 EDT


RSMANI [mailto:rsm@ren.nic.in] wrote:
> I am planning to go in for a cisco 6509 L3 Switch..
> Has anyone used access-list /extended IP access-list on the 10/100MBPS
> ports..? This is not available in the lower model 2948GL3..
> If you can send some sample conf on 10/100 MBPS ...?
> How good and powerful are the access-list..?

On Thu, 21 Sep 2000, Rubens Kuhl Jr. wrote:
> By 6509 L3 switch do you mean a 6500 with PFC (L3 gear but no router) or
> 6500 with PFC and MSFC (IOS router) ?
> 6500/PFC can do VACL (VLAN ACLs) for intra-vlan traffic (can reference IPs
> on other subnets that will be reached by a router, though) and 6500/PFC/MSFC
> can do VACL and IOS ACLs.
>
> ACLs, both types, are enforced by the supervisor engine, so it doesn't
> matter whether port type the packet comes from: 10, 100 or 1000 Mbps port.

That's true. I'm doing extended ACLs on 10Base-T/100Base-TX & 100Base-FX
ports in a 6506+PFC+MSFC with apparently good results. The ASIC
implementation on the PFC as managed by the MSFC seems to do the right thing.

Note that you cannot do ACL logging without disabling the ASIC handling.
That is, setting logging on an ACL entry causes (at least) the traffic
matching that ACL entry to be handled by the MSFC rather than the PFC. Also,
the tallies in the ACLs don't seem accurate (too low), but I haven't verified
that. The lack of logging is a bummer because you don't get any feedback
about what is being discarded, but it does seem to discard the intended
stuff. You can fly faster with blinders on. ;^)

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford@uiowa.edu, phone: 319-335-5555, fax: 319-335-5505
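The sample configuration RSMANI asked for, as an added illustration that is not from Jay Ford's message or from Cisco documentation. It shows an IOS extended ACL on the MSFC of a 6500, first in the form the thread describes as handled by the PFC ASICs, then the same list with a logged entry, which the message above says pushes that entry's matching traffic to the MSFC. The access-list name, VLAN number and 192.0.2.0/24 addresses are constructed for the example and are not from the thread.

```cisco
! --- Variant 1: extended ACL with no "log" keywords ---
! Per the thread, entries like these stay in the PFC hardware path,
! so the port speed (10/100/1000) of the ingress port is irrelevant.
ip access-list extended SERVER-VLAN-IN
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any 192.0.2.0 0.0.0.255 echo
 deny   ip any any
!
! Applied to the routed VLAN interface on the MSFC; the 10/100 ports
! are layer-2 members of VLAN 10 and inherit the filtering.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group SERVER-VLAN-IN in
!
! --- Variant 2: same list, but the final deny is logged ---
! The thread states that adding "log" to an entry causes traffic matching
! that entry to be handled by the MSFC (software) instead of the PFC,
! so only use it on entries whose matching traffic you can afford to punt.
ip access-list extended SERVER-VLAN-IN-LOGGED
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any 192.0.2.0 0.0.0.255 echo
 deny   ip any any log
!
! Where the log messages go; rate-limit them so a flood of denied
! packets does not turn the logging path itself into a problem.
logging buffered 16384 informational
ip access-list logging interval 1000
```

To review what the list is matching, `show ip access-lists SERVER-VLAN-IN` prints per-entry hit counters; as the message above notes, those tallies may read low for hardware-switched entries, so treat them as a sanity check rather than an accurate count. The `ip access-list logging interval` command is a rate limiter assumed here for the logged variant; verify it against the IOS release actually running on the MSFC before relying on it.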
