12000 ACL issue

James A. T. Rice james_r-nanog at jump.org.uk
Fri Oct 19 08:55:39 UTC 2001


Does anyone else here use ACLs on subinterfaces of single GigE linecards
on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in
the subinterface configuration was removed, leaving me stuck on
12.0(15S3).

Cisco seem to be under the impression that the BBC are the only customer who
used this feature. If anyone else uses ACLs on GigE subinterfaces, please get
in touch so we can correct them.

Apparently the feature was never supported as it was never documented. To
me, hitting '?' in the config and seeing the option there counts as
documentation. I guess we should all thoroughly check the IOS command
reference guides before we use any commands on Ciscos, in case they're
unsupported. I wonder what they'll remove next; I've not yet checked to
see if "ip routing" is a supported command!

The other excuse for removing it was that 'it wasn't line rate'. This
doesn't bother me - I'd never expected the GigE cards to be line rate
anyway. They're now suggesting we buy 35xxT switches and use them for layer 3
filtering. Below is the email, names removed to protect the guilty.


-- 
James A. T. Rice             | Email: jamesr at rd.bbc.co.uk
Internet Operations Engineer | Phone: +44 1737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.

---------- Forwarded message ----------
Date: Fri, 19 Oct 2001 09:35:13 +0100
From: Removed <@cisco.com>
To: "James A. T. Rice" <jamesr>
Cc: @cisco.com
Subject: 12000 ACL issue

Hi James,

Having spoken to the guys in the US and worked through all the
considerations of deploying a release of IOS code that supports the config
you have, it would seem that the most sensible route would be to consider
the deployment of the Catalyst 3550T.

The problem with simply restoring the functionality on the 12000 is that
not only has it not been tested thoroughly (though the expectation is that the
performance will not be good), it will mean that the BBC are the only known
customer using the functionality. Whilst Cisco would make every effort to
support customer demands, the nature of software development and the
current expectation in IOS development is that the 12000 is not suited to
providing this functionality in the long term. This issue has been
escalated highly within Cisco up to SE Director level and the consensus is
that the most appropriate recommendation would be to consider a platform
that can provide wirespeed ACL capability. The 12000 is unlikely to be able
to provide this in the long term.

Additionally the time required to develop and test stable code that can
support all the 12000 features that will be required in the long term
suggests that for the most immediate resolution to the problem an
alternative platform should be considered.

Cisco regret the confusion that led you to understand that this feature was
supported and we will of course do our utmost to provide a satisfactory
resolution.

I have sent you through some collateral on the 3550T and I believe that
this will provide you with the most scalable and best supported method of
providing ACLs at high performance.

The 3512T could well provide a more flexible solution in that it supports
Vlan Maps.

From the docs:

"VLAN maps can access-control all traffic. You can apply VLAN maps on the
switch to all packets that are routed into or out of a VLAN or are bridged
within a VLAN. VLAN maps are used strictly for security packet filtering.
Unlike router ACLs, VLAN maps are not defined by direction (input or output)."

This would make configuration of ACLs and providing access control at
layer 2 and 3 easier. This could provide benefits not only in providing
layer 2 security but also in simplifying VLAN design and saving on IP
addressing (one VLAN for all customers, security via VLAN maps, port
security and private VLANs).

Our thoughts are to deploy a 3550T as part of the 3500 stack that you
already have. This would not only provide simplified management and the
addition of only a single RU box, but would also provide an additional 10
Copper Gigabit ports for the addition of other servers.

If you could let me know your thoughts on this, we can look at what is the
best way to go forward.

Thanks and Regards
