[c-nsp] PACL on C6K
lists at hojmark.org
Thu Sep 8 18:53:29 EDT 2005
>> VACLs control traffic within a *VLAN*, PACLs control traffic
>> in and out of a physical *port*. If you can't know (in advance)
>> the address of the equipment, but do know the physical port,
>> it can be hard to do the VACL, but very easy to do the PACL.
> I usually prefer having servers with fixed IP addresses,
> servers on different subnets than workstations,
So do I. These particular switches are not used for servers,
however.
> and no differentiation between workstations
I don't have the luxury that all 'workstations' are the same. In
fact, the client devices aren't even all 'workstations' in any
common definition of that word.
> Time to make your SE talk on your behalf
I've done that. Apparently there's no way we're getting any
(more!) new features in Rockies-3 (SXF, due late this year),
so we'll have to wait for Rockies-4 (SXG, sometime next year,
which could wind up being a year from now, I suppose).
So, for example, we have to wait until sometime in 2006 to run
802.1x with phones... Gee, wasn't it Cisco I heard pushing IP
telephony and advanced security features? No, not on their top
platform, apparently.
> I suppose you are providing different services (network
> allowed/blocked services) to different stations.
That is correct.
> Someone reading this thread that only needs spoof control
> will probably benefit from turning Port Security, DHCP
> Snooping, Dynamic ARP Inspection and IP Source Guard.
Well, DHCP Snooping and DAI are very new (SXE) on the C6K (and
again, they've been on other, cheaper, Catalyst platforms much
longer). And I'm pretty sure IP Source Guard isn't even there
yet.
> I've hit one such feature lack [...]
Well, take a look at the feature 'list' for 802.1x on C6K...
(You can turn it on, basically). VMPS was recently mentioned
on this list also. You'll find many other things when you
actually start using it in the access layer.
-A
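For anyone following the PACL-vs-VACL distinction quoted at the top of this message, here is an added IOS-style configuration sketch (mine, not from the thread or from Cisco documentation) showing the same kind of restriction once as a PACL on a physical port and once as a VACL on a VLAN. The ACL names, interface, VLAN numbers and 10.x addresses are made up, and the syntax assumes the 12.2SX-era Catalyst 6500 PACL/VACL commands.

```cisco
! --- PACL: filters everything entering one physical port, whatever VLAN it lands in ---
ip access-list extended PACL-EDGE-PORT
 remark let the (unknown) device on this port still obtain an address via DHCP
 permit udp any eq bootpc any eq bootps
 remark keep the device off the management subnet (constructed address range)
 deny   ip any 10.99.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet3/7
 switchport
 switchport mode access
 switchport access vlan 20
 ! PACLs are inbound only on a Layer 2 switchport
 ip access-group PACL-EDGE-PORT in
!
! --- VACL: filters traffic bridged within VLAN 20, applied to the VLAN rather than a port ---
ip access-list extended VACL-VLAN20-MATCH
 remark a "permit" here only selects traffic; the access-map decides what happens to it
 permit tcp 10.20.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 445
!
vlan access-map VACL-VLAN20 10
 match ip address VACL-VLAN20-MATCH
 action drop
vlan access-map VACL-VLAN20 20
 ! no match clause = everything else, so the VLAN keeps working
 action forward
!
vlan filter VACL-VLAN20 vlan-list 20
!
! verification after applying:
!   show ip access-lists PACL-EDGE-PORT   (hit counts for the port ACL)
!   show vlan access-map VACL-VLAN20
!   show vlan filter
```

The PACL only needs the port to be known, which is the point made in the quote; the VACL needs the addresses to be predictable and catches the intra-VLAN traffic a PACL on a single port never sees.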