From: James Ventre (messageboard@ventrefamily.com)
Date: Thu Jan 26 2006 - 14:57:54 GMT-3
Also be aware that unless you're running a PFC3B (or 3BXL) with newer 
code your ACL counters are only hits inside of a small sampling window.  
They do not indicate hits for ALL ACEs.
James
Jeremy O'Dette wrote:
> One word of caution - Double check your ACLs with the "log" option or 
> a sniffer once you configure them:
> We had a pair of 6500s (running hybrid 8.3/12.1(13)) in my office that 
> were set up for inter-vlan routing.  I added a few extended ACLs to the 
> SVIs on the MSFCs and I noticed the ACLs weren't filtering traffic the 
> way they were supposed to be (letting denied traffic into a SVI but 
> blocking the return path even though the ACL wasn't performing any 
> egress filtering).  I always assumed applying an extended ACL to a 
> 6500 SVI should behave the same as if you put the same ACL on the 
> physical interface of any other IOS box.
>
> After talking the issue over with TAC, some of the older IOS versions 
> don't appear to handle filtering properly.  You probably won't have 
> any issues but I'd double check the ACLs are blocking everything 
> they're supposed to be blocking.
>
>
>
> Jeremy O'Dette
> CCIE #14973
> jeremyodette@hotmail.com