Does anyone else here use ACLs on subinterfaces of single GigE linecards on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in the subinterface configuration was removed, leaving me stuck on 12.0(15S3).

Cisco seem to be under the impression that BBC are the only customer who used this feature; if anyone else ACLs on GigE subinterfaces, please get in touch so we can correct them.

Apparently the feature was never supported as it was never documented. To me, hitting '?' in the config and seeing the option there counts as documentation. I guess we should all thoroughly check the IOS command reference guides before we use any commands on Ciscos, in case they're unsupported. I wonder what they'll remove next; I've not yet checked to see if "ip routing" is a supported command!

The other excuse for removing it was because 'it wasn't line rate'. This doesn't bother me - I'd never expected the GigE cards to be line rate anyway. They're now suggesting we buy 35xxT switches and use them for layer 3 filtering.

Below is the email, names removed to protect the guilty.

--
James A. T. Rice | Email: jamesr@rd.bbc.co.uk
Internet Operations Engineer | Phone: +44 1737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.

---------- Forwarded message ----------
Date: Fri, 19 Oct 2001 09:35:13 +0100
From: Removed <@cisco.com>
To: "James A. T. Rice" <jamesr>
Cc: @cisco.com
Subject: 12000 ACL issue

Hi James,

Having spoken to the guys in the US and worked through all the considerations of deploying a release of IOS code that supports the config you have, it would seem that the most sensible route would be to consider the deployment of the Catalyst 3550T. The problem with simply restoring the functionality on the 12000 is that not only has it not been tested thoroughly (though the expectation is that the performance will not be good), it will mean that the BBC are the only known customer using the functionality.

Whilst Cisco would make every effort to support customer demands, the nature of software development and the current expectation in IOS development is that the 12000 is not suited to providing this functionality in the long term. This issue has been escalated highly within Cisco, up to SE Director level, and the consensus is that the most appropriate recommendation would be to consider a platform that can provide wirespeed ACL capability. The 12000 is unlikely to be able to provide this in the long term. Additionally, the time required to develop and test stable code that can support all the 12000 features that will be required in the long term suggests that for the most immediate resolution to the problem an alternative platform should be considered.

Cisco regret the confusion that led you to understand that this feature was supported and we will of course do our utmost to provide a satisfactory resolution.

I have sent you through some collateral on the 3550T and I believe that this will provide you with the most scalable and best supported method of providing ACLs at high performance. The 3512T could well provide a more flexible solution in that it supports VLAN Maps. From the docs:

"VLAN maps can access-control all traffic. You can apply VLAN maps on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router ACLs, VLAN maps are not defined by direction (input or output)."

This would make configuration of ACLs and providing access control at layer 2 and 3 easier. This could provide benefits not only in providing layer 2 security but also in simplifying VLAN design and saving on IP addressing (one VLAN for all customers, security via VLAN Maps, port security and private VLANs).

Our thoughts are to deploy a 3550T as part of the 3500 stack that you already have. This would not only provide simplified management and the addition of only a single RU box, but would also provide an additional 10 Copper Gigabit ports for the addition of other servers.

If you could let me know your thoughts on this, we can look at what is the best way to go forward.

Thanks and Regards
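As an added illustration (not part of the original post or of the forwarded Cisco mail), here are the two ways of expressing the same filtering policy that the thread contrasts: a router ACL applied with 'ip access-group' on a dot1Q subinterface, and that policy rewritten as a Catalyst 3550 VLAN access-map, which, as the quoted docs say, is attached to the VLAN rather than to an interface and a direction. All addresses, interface numbers, VLAN numbers and ACL/map names are constructed for the example; the VLAN-map commands are the standard 3550 IOS syntax and are not taken from the post.

```cisco
! --- 1. Router ACL on a GigE dot1Q subinterface (the 'ip access-group'
!        placement the post says is rejected from 12.0(16S) onward) ---
! Constructed example: 192.0.2.0/24 is a documentation prefix, and the
! interface, VLAN and ACL names are assumptions.
ip access-list extended WEB-ONLY-IN
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any 192.0.2.0 0.0.0.255 echo
 deny   ip any any log
!
interface GigabitEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.0
 ip access-group WEB-ONLY-IN in
!
! --- 2. The same policy as a Catalyst 3550 VLAN map ---
! The map is attached to the VLAN, not to an interface and direction, so it
! filters routed, bridged and same-VLAN traffic alike. Entries are evaluated
! in sequence; the ACLs only decide whether an entry matches, the entry's
! 'action' decides what happens. An IP packet that matches none of the IP
! entries is dropped, so the final entry without a match clause forwards
! everything not explicitly dropped above it. VLAN maps cannot log, so the
! 'log' keyword from the router ACL has no equivalent here.
ip access-list extended SERVER-ALLOWED
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit icmp any 192.0.2.0 0.0.0.255 echo
ip access-list extended TO-SERVER-NET
 permit ip any 192.0.2.0 0.0.0.255
!
vlan access-map SERVERS-100 10
 match ip address SERVER-ALLOWED
 action forward
vlan access-map SERVERS-100 20
 match ip address TO-SERVER-NET
 action drop
vlan access-map SERVERS-100 30
 action forward
!
vlan filter SERVERS-100 vlan-list 100
```

One practical difference to keep in mind when migrating a policy this way: the router ACL only sees traffic crossing the subinterface, whereas the VLAN map also applies to frames bridged between two ports in VLAN 100, so server-to-server traffic inside the VLAN is now subject to the same rules and the allow list may need extending before the map is attached with 'vlan filter'.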