ACL on a 10G Ethernet port on a VS-S720-10G Card

tu2pel
Level 1

I am trying to apply an ACL on a 10G Ethernet port on a VS-S720-10G card but it's not showing in the options. Is the port ACL a supported option on the 10G Ethernet port on a Sup 720 card?

7 Replies

Jon Marshall
Hall of Fame

Well according to Table 3 in this link yes they are supported -

http://www.cisco.com/en/US/customer/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856_ps2797_Products_Data_Sheet.html

so not sure why they are not an option. How have you configured the port, i.e. L2 switchport or L3 routed port?

If an L2 switchport, is it configured as a trunk?

Jon

The port is configured as a trunk and an L2 port. This is the configuration of the port:

switchport trunk encapsulation dot1q
switchport trunk allowed vlan xxxx,xxxx,xxxx
switchport mode trunk
switchport nonegotiate
no snmp trap link-status

and these are the options I see when under the interface config (looking for ip access-group):

router2(config-if)#ip ?
Interface IP configuration subcommands:
  admission           Apply Network Admission Control
  arp                 Configure ARP features
  auth-proxy          Apply authenticaton proxy
  dhcp                Configure DHCP parameters for this interface
  dhcp                DHCP
  header-compression  IPHC options
  igmp                IGMP interface commands
  rsvp                RSVP interface commands
  rtp                 RTP parameters
  verify              verify
  vrf                 VPN Routing/Forwarding parameters on the interface

Thanks.....

Can you add this to the port configuration -

int xxx
 access-group mode prefer port

and then see if the "ip access-group ..." is available.

Jon

Jon,

There is still no option to configure ip access-group when configuring the trunk port with the access mode preferred port configuration.

Chris

ip access-group is for layer 3 interfaces. Either change the layer 2 interface to layer 3 with "no switchport" or put the ACL on the SVI.

Kathleen,

Thanks for the reply but as per documentation on the 6509 and on the 12.2SX IOS, Port ACL on Layer 2 is supported.

Jon,

Additional information is that it is not just on the 10G Ethernet port that we are not seeing the "ip access-group" option. It is also not showing up on the 1G interface ports that are configured as a trunk.

The "ip access-group" option does show up though on a 4900M Line card but configured as private-vlan trunk.

Chris

Sorry about that last post, you're right. What version are you running? From this doc it looks like you need SXI:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html#wp1053880

With some exceptions, the VSS has feature parity with the standalone Catalyst 6500 series switch. Major exceptions include:

In software releases earlier than Cisco IOS Release 12.2(33)SXI2, the VSS does not support IPv6 unicast or MPLS.

In software releases earlier than Cisco IOS Release 12.2(33)SXI, port-based QoS and port ACLs (PACLs) are supported only on Layer 2 single-chassis or multichassis EtherChannel (MEC) links. Beginning with Cisco IOS Release 12.2(33)SXI, port-based QoS and PACLs can be applied to any physical port in the VSS, excluding ports in the VSL. PACLs can be applied to no more than 2046 ports in the VSS.
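The release rule quoted in the last reply, as an added example that is not part of the thread or of Cisco's documentation: a Python check that takes a release string and running-config text and reports which ports on a VSS can take a PACL. The function names, the sample config, the alphabetical ordering of train names, and the treatment of port-channel interfaces and their member ports as EtherChannel links are assumptions.

```python
import re

# Assumed (not from the thread): "12.2(33)SXI2" format; trains sort A-Z (SXH < SXI).
RELEASE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)")
PACL_ANY_PORT = (12, 2, 33, "SXI", 0)  # threshold from the quoted VSS guide

def parse_release(show_version):
    m = RELEASE.search(show_version)
    if not m:
        raise ValueError("no IOS release string found")
    major, minor, build, train, rebuild = m.groups()
    return (int(major), int(minor), int(build), train, int(rebuild or 0))

def parse_interfaces(config):
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" separator or global command
    return ports

def pacl_report(show_version, config, vsl_ports=()):
    any_port = parse_release(show_version) >= PACL_ANY_PORT
    report = {}
    for name, cmds in parse_interfaces(config).items():
        layer2 = any(c.startswith("switchport") for c in cmds)
        bundled = (name.lower().startswith("port-channel")
                   or any(c.startswith("channel-group") for c in cmds))
        if name in vsl_ports:
            report[name] = "vsl"        # VSL ports are always excluded
        elif not layer2:
            report[name] = "layer3"     # not a Layer 2 port, so no PACL
        elif any_port or bundled:
            report[name] = "ok"
        else:
            report[name] = "needs-sxi"  # standalone L2 port, pre-SXI VSS
    return report

# Constructed sample input (interface names are made up).
SAMPLE_CONFIG = """\
interface TenGigabitEthernet1/5/4
 switchport mode trunk
interface GigabitEthernet1/2/1
 switchport mode trunk
 channel-group 20 mode on
interface GigabitEthernet1/2/2
 no switchport
"""
```

Pass the names of the VSL member ports in `vsl_ports`; the check does not try to discover them from the config.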
