Access control lists on Cisco 6800

Hi There,

We are aiming to create an ACL on our Cisco 68xx switch, as per below.

ingress
ip access-list extended test_ingress
10 permit ip host 1.1.1.1 2.2.2.0 0.0.0.31 log
20 deny ip any any log

egress
ip access-list extended test_egress
10 permit ip 2.2.2.0 0.0.0.31 1.1.1.1 log
20 deny ip any any log

And we are planning to apply it on selected interfaces, which are completely isolated from our production traffic.

As these are our distribution switches, we are a bit worried about making this change. Is there any chance these ACLs would impact globally and cut down all the legitimate traffic?

As far as we understand it shouldn't, but we still wanted to double check.

Regards,

Rahul

1 ACCEPTED SOLUTION
Re: Access control lists on Cisco 6800

The only traffic that will be affected will be traffic going through the interfaces you have applied the ACLs to.

You are also logging the traffic, so be aware that this means the logging is handled by default on the RP, in other words in software, and if there is a lot of traffic this could increase your CPU usage.

If this is a concern then you can use OAL:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/config_guide/sup2T/15_4_sy_swcg_2T/ios_acl_support.html#71949

 

Jon


Re: Access control lists on Cisco 6800

Thanks for the response Jon.

Another quick query, on 68xx how can we apply the created ACLs on particular interfaces?

ip access-group test in

The above command doesn't work on these switches.


Re: Access control lists on Cisco 6800

 

Are you applying these to L2 or L3 interfaces ? 

 

Jon

Re: Access control lists on Cisco 6800

L2 interfaces

Re: Access control lists on Cisco 6800

Okay, I was assuming you were applying it to L3 interfaces.

Just checked the documentation, and if you are applying to L2 interfaces you cannot use the log keyword in your ACLs, although it says the ACL should still be applied.

Are you getting an error message, or is the command just not available?

 

Jon


Re: Access control lists on Cisco 6800

Looks OK to me, as long as you get the IP addresses correct and understand the route the IPs take through your network.

As the previous comment mentioned, careful thought needs to be given to which interfaces you place these on.
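The following is an added example, not code from the thread or from Cisco. It is a small Python model of how the two ACLs posted above are evaluated: first matching ACE wins, with the implicit deny at the end, and Cisco wildcard semantics (0 bits must match, 1 bits are don't-care). It reports the address range the `0.0.0.31` wildcard actually covers, tells you which ACE a given source/destination pair would hit, and lists the ACEs carrying `log`, which is the keyword Jon notes is both software-path logging on the RP and not usable on L2 interfaces. Assumptions: the ACL text is embedded verbatim as sample input; a bare destination address with no wildcard (as in the posted egress ACL) is read as a single host, since that is clearly the intent; and the `proto` handling treats `ip` as matching everything.

```python
"""Offline evaluator for the Cisco-style extended ACLs posted in this thread.
Added example, not Cisco code: first-match ACE evaluation with implicit deny,
wildcard range reporting, and a check for ACEs that carry `log`."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the two ACLs from the original post, copied verbatim.
INGRESS_ACL = """\
ip access-list extended test_ingress
10 permit ip host 1.1.1.1 2.2.2.0 0.0.0.31 log
20 deny ip any any log
"""
EGRESS_ACL = """\
ip access-list extended test_egress
10 permit ip 2.2.2.0 0.0.0.31 1.1.1.1 log
20 deny ip any any log
"""

MASK32 = 0xFFFFFFFF
_HEADER = re.compile(r"^ip access-list extended (\S+)$")

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _is_ip(s: str) -> bool:
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

@dataclass
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol in this model
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    log: bool

def _parse_addr(tok: List[str]) -> Tuple[int, int, List[str]]:
    """Consume `any`, `host A` or `A WILDCARD`; return (addr, wildcard, rest)."""
    if tok[0] == "any":
        return 0, MASK32, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    if len(tok) > 1 and _is_ip(tok[1]):
        return _ip(tok[0]), _ip(tok[1]), tok[2:]
    # Assumption: a bare address with no wildcard (as in the posted egress
    # ACL's destination) is read as a single host.
    return _ip(tok[0]), 0, tok[1:]

def parse_acl(text: str) -> Tuple[str, List[Ace]]:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = _HEADER.match(lines[0])
    if not m:
        raise ValueError(f"not an extended ACL header: {lines[0]!r}")
    aces = []
    for line in lines[1:]:
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        src, src_wild, rest = _parse_addr(tok[3:])
        dst, dst_wild, rest = _parse_addr(rest)
        aces.append(Ace(seq, action, proto, src, src_wild, dst, dst_wild, "log" in rest))
    return m.group(1), aces

def _addr_matches(ip: int, addr: int, wild: int) -> bool:
    # Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care.
    return ((ip ^ addr) & ~wild & MASK32) == 0

def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> Tuple[str, Optional[int]]:
    """First matching ACE wins; returns (action, seq). seq None means the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if (_addr_matches(_ip(src), ace.src, ace.src_wild)
                and _addr_matches(_ip(dst), ace.dst, ace.dst_wild)):
            return ace.action, ace.seq
    return "deny", None

def wildcard_range(addr: str, wild: str) -> Tuple[str, str]:
    """First and last address covered by a contiguous wildcard mask."""
    a, w = _ip(addr), _ip(wild)
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard does not describe one range")
    return (str(ipaddress.IPv4Address(a & ~w & MASK32)),
            str(ipaddress.IPv4Address(a | w)))

def logged_aces(aces: List[Ace]) -> List[int]:
    """Sequence numbers of ACEs carrying `log`; drop these before applying the ACL to an L2 port."""
    return [ace.seq for ace in aces if ace.log]

if __name__ == "__main__":
    name, ingress = parse_acl(INGRESS_ACL)
    print(name, "covers", wildcard_range("2.2.2.0", "0.0.0.31"), "logs on", logged_aces(ingress))
    for flow in (("1.1.1.1", "2.2.2.17"), ("1.1.1.1", "2.2.2.32"), ("10.0.0.5", "2.2.2.5")):
        print(flow, "->", evaluate(ingress, *flow))
```

Running it shows that `2.2.2.0 0.0.0.31` covers 2.2.2.0 through 2.2.2.31, that 1.1.1.1 to 2.2.2.32 falls through to the explicit `deny ip any any` at sequence 20, and that both ACEs in each list carry `log`. The model says nothing about interfaces: it only tells you what happens to a packet that does reach an interface where the ACL is applied, which is exactly the scope Jon describes.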
