Does anyone else here use ACLs on subinterfaces of single GigE linecards on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in the subinterface configuration was removed, leaving me stuck on 12.0(15S3).

Cisco seem to be under the impression that the BBC are the only customer who used this feature; if anyone else uses ACLs on GigE subinterfaces, please get in touch so we can correct them. Apparently the feature was never supported as it was never documented. To me, hitting '?' in the config and seeing the option there counts as documentation. I guess we should all thoroughly check the IOS command reference guides before we use any commands on Ciscos, in case they're unsupported. I wonder what they'll remove next; I've not yet checked to see if "ip routing" is a supported command!

The other excuse for removing it was that 'it wasn't line rate'. This doesn't bother me; I'd never expected the GigE cards to be line rate anyway. They're now suggesting we buy 35xxT switches and use them for layer 3 filtering.

Below is the email, names removed to protect the guilty.

--
James A. T. Rice | Email: jamesr@rd.bbc.co.uk
Internet Operations Engineer | Phone: +44 1737 839 737
BBC Internet Services, Kingswood Warren, Tadworth, Surrey, UK.

---------- Forwarded message ----------
Date: Fri, 19 Oct 2001 09:35:13 +0100
From: Removed <@cisco.com>
To: "James A. T. Rice" <jamesr>
Cc: @cisco.com
Subject: 12000 ACL issue

Hi James,

Having spoken to the guys in the US and worked through all the considerations of deploying a release of IOS code that supports the config you have, it would seem that the most sensible route would be to consider the deployment of the Catalyst 3550T. The problem with simply restoring the functionality on the 12000 is that not only has it not been tested thoroughly (though the expectation is that the performance will not be good), it will mean that the BBC are the only known customer using the functionality.

Whilst Cisco would make every effort to support customer demands, the nature of software development and the current expectation in IOS development is that the 12000 is not suited to providing this functionality in the long term. This issue has been escalated highly within Cisco, up to SE Director level, and the consensus is that the most appropriate recommendation would be to consider a platform that can provide wirespeed ACL capability. The 12000 is unlikely to be able to provide this in the long term. Additionally, the time required to develop and test stable code that can support all the 12000 features that will be required in the long term suggests that, for the most immediate resolution to the problem, an alternative platform should be considered.

Cisco regret the confusion that led you to understand that this feature was supported, and we will of course do our utmost to provide a satisfactory resolution. I have sent you through some collateral on the 3550T and I believe that this will provide you with the most scalable and best supported method of providing ACLs at high performance. The 3512T could well provide a more flexible solution in that it supports VLAN Maps. From the docs:

"VLAN maps can access-control all traffic. You can apply VLAN maps on the switch to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router ACLs, VLAN maps are not defined by direction (input or output)."

This would make configuration of ACLs and providing access control at layer 2 and 3 easier. This could provide benefits not only in providing layer 2 security but also in simplifying VLAN design and saving on IP addressing (one VLAN for all customers, security via VLAN Maps, port security and private VLANs).

Our thoughts are to deploy a 3550T as part of the 3500 stack that you already have. This would not only provide simplified management and the addition of only a single RU box, but would also provide an additional 10 Copper Gigabit ports for the addition of other servers.

If you could let me know your thoughts on this, we can look at what is the best way to go forward.

Thanks and Regards
On Fri, Oct 19, 2001 at 09:55:39AM +0100, James A. T. Rice <james_r-nanog@jump.org.uk> wrote:
> Does anyone else here use ACLs on subinterfaces of single GigE linecards on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in the subinterface configuration was removed, leaving me stuck on 12.0(15S3).
> Cisco seem to be under the impression that the BBC are the only customer who used this feature; if anyone else uses ACLs on GigE subinterfaces, please get in touch so we can correct them.
We've been beating on them for some time over this issue. In my personal experience, you can put the ACL on the physical port, making sure, of course, that it passes everything you want it to for _every_ vlan on that interface, allowing you to filter some traffic. Basically the ACL on the physical interface seems to get applied to every subinterface.

Cisco has clearly not gotten the message, so for all those Cisco people reading this I will restate it clearly: _ALL_ interfaces must support basic ACLs or we're not going to buy them from you. There is no such thing as an interface that doesn't need ACLs, no matter how much you rationalize it. A number of us are already speaking out on this issue with our $$$, taking it to vendors who understand this.

You don't need 50,000 line ACLs, 37 kinds of QOS, or all that other crap on every card, but the ability to do a 10 line filter is a critical feature, and not having it is like not having a routing engine: it makes the box useless.

--
Leo Bicknell - bicknell@ufp.org
Systems Engineer - Internetworking Engineer - CCIE 3440
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
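Leo's physical-port workaround above, as an added illustrative IOS configuration that is not from the thread: first the per-subinterface lists that 12.0(15S3) still accepts, then the single merged list on the parent interface, with every entry scoped to its own VLAN's subnet. The VLAN ids, the role of each VLAN and the RFC 5737 addresses are made up for the example.

```cisco
! Constructed example (not from the thread). Hypothetical layout:
!   VLAN 100 = customer web servers, 192.0.2.0/24
!   VLAN 200 = management hosts,     198.51.100.0/24 (SSH from 203.0.113.0/24 only)
!
! --- 12.0(15S3) and earlier: one list per subinterface ---
! Each list only has to describe its own VLAN's traffic.
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 eq 80
access-list 110 permit tcp any 192.0.2.0 0.0.0.255 eq 443
access-list 120 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
!
interface GigabitEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.0
 ip access-group 110 in
!
interface GigabitEthernet1/0.200
 encapsulation dot1Q 200
 ip address 198.51.100.1 255.255.255.0
 ip access-group 120 in
!
! --- 12.0(16S) onward, per Leo's observation: list on the physical port ---
! The parent interface is the only place 'ip access-group' is accepted, and
! that list is evaluated for frames arriving on every subinterface. The two
! lists are merged, and every entry names its own destination subnet so that
! a rule written for VLAN 100 cannot admit the same traffic into VLAN 200.
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 80
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 443
access-list 101 permit tcp 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255 eq 22
! the implicit deny, written out so the intent is visible in the config
access-list 101 deny ip any any
!
interface GigabitEthernet1/0
 no ip address
 ip access-group 101 in
!
interface GigabitEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet1/0.200
 encapsulation dot1Q 200
 ip address 198.51.100.1 255.255.255.0
```

Because the merged list is evaluated for every VLAN on the port, an entry with `any` as its destination would admit that traffic into all VLANs; that per-VLAN scoping is exactly what is lost when filtering moves off the subinterface, so each entry has to carry it explicitly.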
On Fri, 19 Oct 2001, Leo Bicknell wrote:
> Cisco has clearly not gotten the message, so for all those Cisco people reading this I will restate it clearly:
> _ALL_ interfaces must support basic ACLs or we're not going to buy them from you. There is no such thing as an interface that doesn't need ACLs, no matter how much you rationalize it. A number of us are already speaking out on this issue with our $$$, taking it to vendors who understand this.
> You don't need 50,000 line ACLs, 37 kinds of QOS, or all that other crap on every card, but the ability to do a 10 line filter is a critical feature, and not having it is like not having a routing engine: it makes the box useless.
I have gotten the impression that GigE has very low priority at Cisco. I loathe the 3GE card; it doesn't do the above either. We were going to try to trade them in for 1GE cards just because of the above (and the pitiful MTU size it supports), but now it seems that feature is going away on 1GE also.

I guess I cannot use the GSR as a serious GigE platform, and now, seeing the NTE prices on 10GE for the GSR and the timeframe it's going to be available, the GSR is not a viable 10GE platform either. I guess I'll get stuck with the GSRs for only border routers, for POS and SRP/DPT only, with a few GigEs to the core, which will consist of routers from other vendor(s). Quite pricey border routers, if I may say so.

--
Mikael Abrahamsson email: swmike@swm.pp.se
On Fri, 19 Oct 2001, Mikael Abrahamsson wrote:
> I guess I cannot use the GSR as a serious GigE platform, and now, seeing the NTE prices on 10GE for the GSR and the timeframe it's going to be available, the GSR is not a viable 10GE platform either.
I've been trying to figure out the same thing. While there are several other vendors very strong in L3 GigE, Cisco's strategy (if there is one) appears to be twine and baling wire. 6500/7600 doesn't have the performance, and VLAN L3 interfaces are just too non-intuitive for me. GSR price/performance and availability is so dismal compared to other vendors that I am willing to bet on someone else and deal with any platform immaturity. Can't say my experience with GSR is so great either, as far as stability, reliability, etc. goes. Reminds me of the GRF, the number of times I have to reboot/reload...

Pete.
Leo,

On Fri, Oct 19, 2001 at 10:24:44AM -0400, Leo Bicknell wrote:
> You don't need 50,000 line ACLs, 37 kinds of QOS, or all that other crap on every card, but the ability to do a 10 line filter is a critical feature, and not having it is like not having a routing engine: it makes the box useless.
I would argue that it should be able to minimally support up to 1k lines (but I would expect a hard threshold further out, so that as an operator I don't have to think about that threshold).

-ron
participants (5)
- James A. T. Rice <james_r-nanog@jump.org.uk>
- Leo Bicknell
- Mikael Abrahamsson
- Pete Kruckenberg
- Ron da Silva