cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1353
Views
10
Helpful
6
Replies

Access control lists on Cisco 6800

rahul.sollapure
Level 1
Level 1

Hi There, 

 

We are aiming to create a ACL on our Cisco 68xx switch, as per below.

 

ingress
ip access-list extended test_ingress
10 permit ip host 1.1.1.1 2.2.2.0 0.0.0.31 log
20 deny ip any any log

 

egress
ip access-list extended test_egress
10 permit ip 2.2.2.0 0.0.0.31 1.1.1.1 log
20 deny ip any any log

 

And we are planning to apply it on selected interfaces, which are completely isolated from our production traffic

 

As these are our distribution switches, we are bit worried about making this change, is there any chance these ACLs would impact globally and cut down all the legitimate traffic?

 

As far as we understand it shouldn't do, but still wanted to double check.

 

Regards,

Rahul

 
1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

 

The only traffic that will be affected will be traffic going through the interfaces you have applied the acls to.

 

You are also logging the traffic so be aware that this means the logging is handled by default on the RP, in other words in software and if there is a lot of traffic this could increase your CPU usage. 

 

If this is a concern then you can use OAL - 

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/config_guide/sup2T/15_4_sy_swcg_2T/ios_acl_support.html#71949

 

Jon

View solution in original post

6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

 

The only traffic that will be affected will be traffic going through the interfaces you have applied the acls to.

 

You are also logging the traffic so be aware that this means the logging is handled by default on the RP, in other words in software and if there is a lot of traffic this could increase your CPU usage. 

 

If this is a concern then you can use OAL - 

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/config_guide/sup2T/15_4_sy_swcg_2T/ios_acl_support.html#71949

 

Jon

Thanks for the response Jon.

Another quick query, on 68xx how can we apply the created ACLs on particular interfaces?

ip access-group test in

The above command doesn't work on these switches.

 

Are you applying these to L2 or L3 interfaces ? 

 

Jon

L2 interfaces

 

Okay I was assuming you were applying it to L3 interfaces. 

 

Just checked the documentation and if you are applying to L2 interfaces you cannot use the log keyword in your acls although it says the acl should still be applied. 

 

Are you getting an error message or is the command just not available ?

 

Jon

Looks ok to me, as long as you get the IP addresses correct and understand the route of the IP's through your network.

As previous comment mentioned, careful thought needs to considered on what interface to place these.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card