North American Network Operators Group


Re: 12000 ACL issue

  • From: Leo Bicknell
  • Date: Fri Oct 19 10:27:23 2001

On Fri, Oct 19, 2001 at 09:55:39AM +0100, James A. T. Rice <[email protected]> wrote:
> Does anyone else here use ACLs on subinterfaces of single GigE linecards
> on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in
> the subinterface configuration was removed, leaving me stuck on
> 12.0(15S3).
> 
> Cisco seem to be under the impression that BBC are the only customer who
> used this feature, if anyone else ACL's on GigE subinterfaces, please get
> in touch so we can correct them.

We've been beating on them for some time over this issue.  In my
personal experience, you can put the ACL on the physical port,
making sure of course it passes everything you want it to for
_every_ vlan on that interface, allowing you to filter some traffic.
Basically the ACL on the physical interface seems to get applied
to every subinterface.

Cisco has clearly not gotten the message, so for all those Cisco
people reading this I will restate it clearly:

_ALL_ interfaces must support basic ACLs or we're not going to
buy them from you.  There is no such thing as an interface that
doesn't need ACLs, no matter how much you rationalize it.  A number
of us are already speaking out on this issue with our $$$ taking
it to vendors who understand this.

You don't need 50,000 line ACLs, 37 kinds of QOS, or all that
other crap on every card, but the ability to do a 10 line filter
is a critical feature, and not having it is like not having a
routing engine; it makes the box useless.

-- 
Leo Bicknell - [email protected]
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - [email protected], www.tmbg.org
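The workaround Leo describes, one ACL on the physical GigE port that every dot1Q subinterface inherits, written out as an added IOS configuration example. This is not configuration from the original post or from Cisco; the interface names, VLAN IDs and the 192.0.2.0/24 and 198.51.100.0/24 customer prefixes are constructed for illustration.

```cisco
! Added example, not from the original post: ingress filtering on a GSR GigE
! port where 'ip access-group' is no longer accepted under the subinterfaces.
! Interface names, VLAN IDs and customer prefixes are constructed.
!
! The physical-port ACL is evaluated for traffic arriving on _every_
! subinterface, so it must carry the union of what each VLAN needs to pass.
ip access-list extended GIGE-INGRESS
 remark -- anti-spoofing: only prefixes allocated to customers on this port may source traffic
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 remark -- anything else sourced on any VLAN of this port is dropped and logged
 deny   ip any any log
!
interface GigabitEthernet1/0
 description Customer aggregation port; ACL applied here, not per subinterface
 no ip address
 ip access-group GIGE-INGRESS in
!
interface GigabitEthernet1/0.100
 description Customer A (VLAN 100), allocated 192.0.2.0/24
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/0.200
 description Customer B (VLAN 200), allocated 198.51.100.0/24
 encapsulation dot1Q 200
 ip address 198.51.100.1 255.255.255.0
```

The caveat is visible in the ACL itself: a per-subinterface filter could bind 192.0.2.0/24 to VLAN 100 and 198.51.100.0/24 to VLAN 200, but the physical-port ACL cannot tell the VLANs apart, so each customer's prefix is accepted from either subinterface. That is why this only filters "some" traffic, and why the merged list has to be re-checked every time a subinterface is added or re-addressed.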