08-12-2010 03:20 PM - edited 03-06-2019 12:27 PM
I am trying to apply an ACL on a 10G Ethernet port on a VS-S720-10G card but it's not showing in the options. Is the port ACL a supported option on the 10G Ethernet port on a Sup 720 card?
08-12-2010 03:31 PM
Well, according to Table 3 in this link, yes, they are supported -
so not sure why they are not an option. How have you configured the port, i.e. L2 switchport or L3 routed port?
If an L2 switchport, is it configured as a trunk?
Jon
08-12-2010 04:33 PM
The port is configured as a trunk and an L2 port. This is the configuration of the port:
switchport trunk encapsulation dot1q
switchport trunk allowed vlan xxxx,xxxx,xxxx
switchport mode trunk
switchport nonegotiate
no snmp trap link-status
And these are the options I see when under the interface config (looking for ip access-group):
router2(config-if)#ip ?
Interface IP configuration subcommands:
admission Apply Network Admission Control
arp Configure ARP features
auth-proxy Apply authenticaton proxy
dhcp Configure DHCP parameters for this interface
dhcp DHCP
header-compression IPHC options
igmp IGMP interface commands
rsvp RSVP interface commands
rtp RTP parameters
verify verify
vrf VPN Routing/Forwarding parameters on the interface
Thanks.....
08-12-2010 04:47 PM
Can you add this to the port configuration -
int xxx
access-group mode prefer port
and then see if the "ip access-group ..." is available.
Jon
08-12-2010 06:16 PM
Jon,
There is still no option to configure ip access-group when configuring the trunk port with the access mode preferred port configuration.
Chris
08-12-2010 06:30 PM
ip access-group is for layer 3 interfaces. Either change the layer 2 interface to layer 3 with "no switchport" or put the ACL on the SVI.
08-12-2010 06:59 PM
Kathleen,
Thanks for the reply but as per documentation on the 6509 and on the 12.2SX IOS, Port ACL on Layer 2 is supported.
Jon,
Additional information is that it is not just on the 10G Ethernet port that we are not seeing the "ip access-group" option. It is also not showing up on the 1G interface ports that are configured as trunks.
The "ip access-group" option does show up though on a 4900M Line card but configured as private-vlan trunk.
Chris
08-12-2010 07:31 PM
Sorry about that last post, you're right. What version are you running? From this doc it looks like you need SXI
With some exceptions, the VSS has feature parity with the standalone Catalyst 6500 series switch. Major exceptions include:
• In software releases earlier than Cisco IOS Release 12.2(33)SXI2, the VSS does not support IPv6 unicast or MPLS.
• In software releases earlier than Cisco IOS Release 12.2(33)SXI, port-based QoS and port ACLs (PACLs) are supported only on Layer 2 single-chassis or multichassis EtherChannel (MEC) links. Beginning with Cisco IOS Release 12.2(33)SXI, port-based QoS and PACLs can be applied to any physical port in the VSS, excluding ports in the VSL. PACLs can be applied to no more than 2046 ports in the VSS.