Netflow bug on 3-GE cards (Trident) in Cisco GSRs

David Sinn dsinn at
Mon Jul 23 18:26:18 UTC 2001

I'm sorry, but ACL's are supported on E0's and E1's.  Whoever told you
otherwise is incorrect.

I worked on numerous accounts while at Cisco, and have multiple
deployments at my new employers where ACL's are implemented on E1 8-port
FE, E1 1-port GE, E0 1-port ATM OC12, E1 12-port DS3's, plus many
others.  This includes GSR's running 12.0(6)S, 12.0(9)S, 12.0(14)S,
12.0(16)S, and 12.0(17)S1 (plus numerous images in-between that I can't

Are you confusing the limitation that the ACL's must be inbound and not
outbound?  In other words, when you went to migrate your 7500's config,
which probably followed prior recommendation outbound ACL's, it failed?
Because of the design of the GSR, all ACL's are actually processed on the
inbound interface, regardless of how you define the ACL's (this will
change with the E3 and E4+ based cards), and given certain versions of
IOS you can define outbound ACL's that the router translates into
inbound ACL's for you (again with further limitations).  This is highly
looked down upon by the TAC.

I also do not believe that they are planning a 10 port GE card based on
the E3.  It is also a 2.5 Gig engine, so you would have massive
oversubscription should that turn out to be the case.  E4's are the 10Gig
engine, and there are various ones under development, but you should talk
to your account team about the status of them.


-----Original Message-----
From: Andrew C. Ohnstad [mailto:andrewo at] 
Sent: Monday, July 23, 2001 11:12 AM
To: David Sinn
Cc: Mikael Abrahamsson; nanog at
Subject: Re: Netflow bug on 3-GE cards (Trident) in Cisco GSRs

On Mon, Jul 23, 2001 at 10:42:26AM -0700, David Sinn wrote:
> I beg to differ.
> As a former employee of Cisco, your comments about ACL's on E0 and E1
> cards are totally off base.  I'm not sure where you got this
> "information", but it is most certainly not the case.
> Standard ACL's & Extended ACL's have been supported by the E0's and
> that were released in 12.0(5)S (most) and 12.0(6)S (2 port OC-12 DPT)
> versions of IOS.  This includes the 8 port FE and 1 port GE cards.
> includes support by the development organization that oversees
> on the GSR, and by the TAC.  (Whether the TAC engineer is capable of
> supporting you is another issue.)

I apologize, I made a couple mistakes in my response.  ACLs are not 
supported on E0 and E1 Gig/FE cards.  You used to be able to do them
but they didn't work.  They were removed in recent releases.  They will
be supported by (and re-enabled on) the Engine3 10 port GigE cards under


We found this out the hard way when we upgraded a pair of GSRs with GigE
"DMZ" type interfaces behind it.  We had to scramble to install 7xxx
series routers to serve as dedicated DMZ routers and do the ACLs on
