On Fri, Oct 19, 2001 at 09:55:39AM +0100, James A. T. Rice <james_r-nanog@jump.org.uk> wrote:
> Does anyone else here use ACL's on subinterfaces of single GigE linecards on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in the subinterface configuration was removed, leaving me stuck on 12.0(15S3).
>
> Cisco seem to be under the impression that BBC are the only customer who used this feature, if anyone else ACL's on GigE subinterfaces, please get in touch so we can correct them.

We've been beating on them for some time over this issue. In my personal experience, you can put the ACL on the physical port - making sure of course it passes everything you want it to for _every_ vlan on that interface allowing you to filter some traffic. Basically the ACL on the physical interface seems to get applied to every subinterface.

Cisco has clearly not gotten the message, so for all those Cisco people reading this I will restate it clearly: _ALL_ interfaces must support basic ACL's or we're not going to buy them from you. There is no such thing as an interface that doesn't need ACL's, no matter how much you rationalize it. A number of us are already speaking out on this issue with our $$$ taking it to vendors who understand this.

You don't need 50,000 line ACL's, 37 kinds of QOS, or all that other crap on every card, but the ability to do a 10 line filter is a critical feature, and not having it is like not having a routing engine, it makes the box useless.

-- 
Leo Bicknell - bicknell@ufp.org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org