[c-nsp] reflexive ACL on 6500

Buhrmaster, Gary gtb at slac.stanford.edu
Thu Oct 30 04:33:00 EDT 2008


> We've been using reflexive ACLs on the 6500s for many years; 
> in my own experience I'd recommend against it, unless it's 
> absolutely your only choice. We use reflexive ACLs on the 
> SVIs and it just doesn't scale very well.  You're better off 
> purchasing a couple FWSMs or some real firewalls to get the job done. 

Cisco announced the end of support for the IOS Firewall
feature set for the 6500 over a year ago.  12.2SXF is the
last release that supports it according to the announcement.
The FWSM is the recommended alternative:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_end-of-life_notice0900aecd8067a132.html

(And as far as I ever figured out, this and one other
document were the only places the additional license
feature code was documented as being necessary to
legally run the IOS firewall on the 6500 in the first
place.)

