[nsp] ACLs on 2948G-L3
sthaug at nethelp.no
Fri May 30 20:18:19 EDT 2003
> I always knew that the Catalyst 2948G-L3 is a piece of junk, but today we
> had a new and exciting effect: ACLs only work "sometimes".
>
> I have an ACL, incoming on the Gig50 interface, that has a
>
> deny ip any host <somehost>
>
> as the very first statement. NO permit before that.
>
> The host is on a routed vlan interface (bvi40).
>
> The deny works for "traceroute", but "ping" or "telnet" *do* get through
> just fine to the machine, as soon as it's in the CEF adjacency cache.
> Switching off CEF doesn't work ("not supported on this hardware"), of
> course.
We have had some very bad experiences with 2948G-L3 and BVIs, to the
extent that we now only use our one remaining 2948G-L3 as a pure L3
device. With that caveat, ACLs on the GigE interfaces work for us. I
would recommend you remove the BVIs if at all possible and see if
that makes the ACL work.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no
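As an added illustration of the setup discussed in this thread (not configuration posted by either writer), the fragment below shows the deny-first ACL applied inbound on the GigE uplink, the BVI the protected host sits behind, and the exec-mode show commands one would use to find out whether the deny entry is actually being matched. The ACL name, the host address 192.0.2.10, the BVI address and the bridge-group commands are assumptions for illustration; the interface and BVI numbers follow the thread.

```ios
! ACL with the deny for the protected host as the very first entry,
! followed by an explicit permit so other traffic still passes.
ip access-list extended PROTECT-HOST
 deny   ip any host 192.0.2.10
 permit ip any any
!
! Apply it inbound on the uplink (Gig50 in the thread).
interface GigabitEthernet50
 ip access-group PROTECT-HOST in
!
! The host is reached through a routed bridge-group interface (bvi40 in the
! thread); this is the part the reply recommends removing for testing.
bridge irb
bridge 40 protocol ieee
bridge 40 route ip
interface BVI40
 ip address 192.0.2.1 255.255.255.0
!
! Exec-mode checks (run from the CLI, not part of the config):
!   show ip access-lists PROTECT-HOST
!     Per-entry match counters. If ping or telnet reach the host while the
!     counter on the deny line stays flat, the packets are not being evaluated
!     against the ACL at all rather than being permitted by a later entry.
!   show ip cef 192.0.2.10 detail
!     Shows whether a CEF entry and adjacency exist for the host; the original
!     poster reports the bypass appearing once the host is in the adjacency cache.
!   show interfaces GigabitEthernet50 | include access list
!     Confirms the ACL is really bound inbound on the interface being tested.
```

Comparing the deny counter before and after a ping to the host is the quickest way to separate "ACL permits it" from "ACL is never consulted", which is the distinction that matters when deciding whether the BVI is the culprit.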