Does anyone else here use ACLs on subinterfaces of single GigE linecards
on GSRs? As of 12.0(16S), the ability to type 'ip access-group' while in
the subinterface configuration was removed, leaving me stuck on
12.0(15S3).
Cisco seem to be under the impression that the BBC are the only customer who
used this feature; if anyone else uses ACLs on GigE subinterfaces, please get
in touch so we can correct them.
Apparently the feature was never supported as it was never documented. To
me, hitting '?' in the config and seeing the option there counts as
documentation. I guess we should all thoroughly check the IOS command
reference guides before we use any commands on Ciscos, in case they're
unsupported. I wonder what they'll remove next; I've not yet checked to
see if "ip routing" is a supported command!
The other excuse for removing it was because 'it wasn't line rate'. This
doesn't bother me - I'd never expected the GigE cards to be line rate
anyway. They're now suggesting we buy 35xxT switches and use them for layer 3
filtering. Below is the email, names removed to protect the guilty.

We've been beating on them for some time over this issue. In my
personal experience, you can put the ACL on the physical port -
making sure of course it passes everything you want it to for
_every_ VLAN on that interface - allowing you to filter some traffic.
Basically the ACL on the physical interface seems to get applied
to every subinterface.
Cisco has clearly not gotten the message, so for all those Cisco
people reading this I will restate it clearly:
_ALL_ interfaces must support basic ACLs or we're not going to
buy them from you. There is no such thing as an interface that
doesn't need ACLs, no matter how much you rationalize it. A number
of us are already speaking out on this issue with our $$$, taking
it to vendors who understand this.
You don't need 50,000 line ACLs, 37 kinds of QoS, or all that
other crap on every card, but the ability to do a 10 line filter
is a critical feature, and not having it is like not having a
routing engine; it makes the box useless.

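As an added illustration of the physical-port workaround described above (a constructed example, not configuration from the thread or from Cisco documentation; interface numbers, VLAN IDs and prefixes are placeholders), an IOS-style configuration that puts one ingress anti-spoofing filter on the trunk port so that it covers every VLAN carried on it:

```cisco
! Constructed example: ACL applied to the physical GigE port instead of
! the subinterfaces, which 12.0(16S) no longer accepts per the thread.
! Because one ACL is evaluated for ALL VLANs on the port, it must permit
! the legitimate sources of every VLAN; it cannot tell VLAN 10 from
! VLAN 20, so a host in VLAN 10 sending from a VLAN 20 prefix still passes.
! Per-subinterface ACLs would have closed that gap; this workaround cannot.
ip access-list extended CUST-TRUNK-IN
 remark Accept only sources assigned to a VLAN on this port (placeholders)
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 permit ip 203.0.113.0 0.0.0.255 any
 remark Implicit deny drops everything else (spoofed or unassigned sources)
!
interface GigabitEthernet1/0
 description Trunk to customer switch carrying VLANs 10, 20 and 30
 no ip address
 ip access-group CUST-TRUNK-IN in
!
interface GigabitEthernet1/0.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.0
 ! no 'ip access-group' here: the option is gone from subinterfaces
!
interface GigabitEthernet1/0.20
 encapsulation dot1Q 20
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet1/0.30
 encapsulation dot1Q 30
 ip address 203.0.113.1 255.255.255.0
```

Verify with 'show ip access-lists CUST-TRUNK-IN' that the match counters climb for traffic arriving on each subinterface, which confirms the port-level ACL is being applied to every VLAN as the poster describes.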
I have gotten the impression that GigE has very low priority at Cisco. I
loathe the 3GE card; it doesn't do the above either. We were going to try
to trade them in for 1GE cards just because of the above (and the pitiful
MTU size it supports), but now it seems that feature is going away on 1GE
also.
I guess I cannot use the GSR as a serious GigE platform, and now seeing
the NTE prices on 10GE for the GSR and the timeframe it's going to be
available, the GSR is not a viable 10GE platform either.
I guess I'll get stuck with the GSRs for only border routers, for POS and
SRP/DPT only, with a few GigEs to the core, which will consist of routers
from other vendor(s). Quite pricey border routers, if I may say so.

I've been trying to figure out the same thing, while there
are several other vendors very strong in L3 GigE, Cisco's
strategy (if there is one) appears to be twine and bailing
wire.
6500/7600 doesn't have the performance, and VLAN L3
interfaces are just too non-intuitive for me. GSR
price/performance and availability is so dismal compared to
other vendors, I am willing to bet on someone else and deal
with any platform immaturity. Can't say my experience with
GSR is so great, either, as far as stability, reliability,
etc. goes. Reminds me of the GFR, the number of times I have
to reboot/reload...
Pete.