10-01-2019 02:11 AM
Hi There,
We are aiming to create an ACL on our Cisco 68xx switch, as per below.
ingress
ip access-list extended test_ingress
10 permit ip host 1.1.1.1 2.2.2.0 0.0.0.31 log
20 deny ip any any log
egress
ip access-list extended test_egress
10 permit ip 2.2.2.0 0.0.0.31 1.1.1.1 log
20 deny ip any any log
And we are planning to apply it on selected interfaces, which are completely isolated from our production traffic
As these are our distribution switches, we are a bit worried about making this change. Is there any chance these ACLs would impact globally and cut down all the legitimate traffic?
As far as we understand it shouldn't do, but still wanted to double check.
Regards,
Rahul
10-01-2019 04:33 AM
The only traffic that will be affected will be traffic going through the interfaces you have applied the acls to.
You are also logging the traffic, so be aware that this means the logging is handled by default on the RP, in other words in software, and if there is a lot of traffic this could increase your CPU usage.
If this is a concern then you can use OAL -
Jon
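To check the two points raised so far before touching a distribution switch (the wildcard 0.0.0.31 really covers 2.2.2.0 to 2.2.2.31, and a denied flow is only dropped on the interfaces the ACL is bound to), here is a small Python model of first-match ACL evaluation. This is an added example, not something posted in the thread or shipped by Cisco; the interface names Gi1/1 to Gi4/1, the BINDINGS table and the sample packets are constructed, and the parser only understands the `permit/deny ip` ACE forms that appear in the posted ACLs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copies of the two ACLs posted in the thread.
INGRESS_ACL = """
ip access-list extended test_ingress
10 permit ip host 1.1.1.1 2.2.2.0 0.0.0.31 log
20 deny ip any any log
"""
EGRESS_ACL = """
ip access-list extended test_egress
10 permit ip 2.2.2.0 0.0.0.31 1.1.1.1 log
20 deny ip any any log
"""


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    log: bool


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair into a network (0.0.0.31 -> /27).
    Only contiguous wildcards are handled by this helper."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def _parse_addr(t: list, i: int):
    """Parse one address spec starting at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # A bare address with no wildcard after it (as in test_egress seq 10)
    # is treated as a single host, which is how IOS reads it.
    if i + 1 >= len(t) or t[i + 1] == "log":
        return ipaddress.IPv4Network(t[i] + "/32"), i + 1
    return wildcard_to_network(t[i], t[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse numbered 'permit/deny ip' ACEs; the access-list header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or not t[0].isdigit():
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        if proto != "ip":
            raise ValueError("this toy parser only handles protocol 'ip'")
        src, i = _parse_addr(t, 3)
        dst, i = _parse_addr(t, i)
        aces.append(Ace(seq, action, src, dst, "log" in t[i:]))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(acl: list, src_ip: str, dst_ip: str):
    """First-match semantics; a packet matching no ACE hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq, ace.log
    return "deny", None, False


def forward(bindings: dict, in_if: str, out_if: str, src_ip: str, dst_ip: str):
    """Model a packet crossing the switch: the 'in' ACL of the ingress interface
    and the 'out' ACL of the egress interface are consulted; interfaces with no
    ACL bound pass traffic untouched. Returns (verdict, interface, direction, seq)."""
    for iface, direction in ((in_if, "in"), (out_if, "out")):
        acl = bindings.get((iface, direction))
        if acl is None:
            continue
        action, seq, _log = evaluate(acl, src_ip, dst_ip)
        if action == "deny":
            return "dropped", iface, direction, seq
    return "forwarded", None, None, None


# Hypothetical binding: both ACLs on one isolated interface, nothing elsewhere.
BINDINGS = {
    ("Gi1/1", "in"): parse_acl(INGRESS_ACL),
    ("Gi1/1", "out"): parse_acl(EGRESS_ACL),
}

if __name__ == "__main__":
    for pkt in (("Gi1/1", "Gi2/1", "1.1.1.1", "2.2.2.17"),
                ("Gi1/1", "Gi2/1", "1.1.1.1", "2.2.2.40"),
                ("Gi3/1", "Gi4/1", "10.0.0.5", "10.9.9.9")):
        print(pkt, "->", forward(BINDINGS, *pkt))
```

Running it shows 1.1.1.1 to 2.2.2.17 forwarded, 1.1.1.1 to 2.2.2.40 dropped by sequence 20 on Gi1/1 inbound (it is outside the /27), and a flow between two interfaces with nothing bound forwarded untouched, which is the behaviour Jon describes. Because every ACE carries `log`, each match in the model (including every drop) would be a logged hit on a real box, which is the CPU point above.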
10-01-2019 04:58 AM
Thanks for the response Jon.
Another quick query, on 68xx how can we apply the created ACLs on particular interfaces?
ip access-group test in
The above command doesn't work on these switches.
10-01-2019 06:20 AM
Are you applying these to L2 or L3 interfaces ?
Jon
10-01-2019 06:31 AM
10-01-2019 12:13 PM - edited 10-01-2019 12:14 PM
Okay I was assuming you were applying it to L3 interfaces.
Just checked the documentation and if you are applying to L2 interfaces you cannot use the log keyword in your acls although it says the acl should still be applied.
Are you getting an error message or is the command just not available ?
Jon
10-01-2019 05:00 AM
Looks ok to me, as long as you get the IP addresses correct and understand the route of the IPs through your network.
As the previous comment mentioned, careful thought needs to be given to which interfaces to place these on.