It may not be the syntax of your ACLs at all.  Are you using MLS to do L3
switching with the 6509?  If you are, then you need the Policy Feature Card
(PFC) on your Sup blade.

It works like this:  A packet hits the switch, which records the destination
IP address in the CAM table and forwards it to the router (it records more,
but that's not important here).  The router applies any policy, strips the old
destination MAC address (its own) and replaces it with the next hop
router's (or the destination's) and sends it back to the switch.  If this
packet was for one of the denied www servers it would be dropped.  If it is
forwarded, the switch compares the destination IP with those in its CAM
table.  If it finds the original listing (hasn't timed out) it will add the
current destination MAC address of the packet.  When the next packet to that
destination IP hits the switch it will do a lookup, find an associated MAC
address, and merrily rewrite the header and send the packet on its way
without consulting the router.

Here's the problem:  This works fine for L3 switching.  To do L4 security,
however, you need the PFC.  With the "set mls flow full" command the switch
will also record the protocol & port, but without the PFC it's only good for
accounting.

Solution:  Buy a PFC and use IP-flow mask or turn off multi-layer switching
and route every packet.

Read more at:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_3/msfc/acc_list.htm




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=17707&t=17695
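The following is an added illustration, not part of the post above and not Cisco code: a deliberately simplified model of the shortcut cache the post describes. A "router" (standing in for the MSFC) enforces a port-based deny list, and a "switch" keeps a flow cache keyed either on destination IP only (the post's plain MLS case, and, as the post tells it, the "set mls flow full" without a PFC case, where the extra fields are only recorded), on the full source/destination/protocol/port tuple (the PFC with IP-flow mask case), or not at all (MLS turned off, every packet routed). The addresses, MAC and ACL entry are constructed sample data, and the hardware's real CAM/NetFlow structures are not modelled.

```python
"""Toy model of MLS shortcut switching versus a port-based ACL on the router.

Added illustration only: this is not Cisco's implementation, just enough of the
mechanism to show why a cache keyed on destination IP lets a second flow to an
already-cached server bypass an L4 ACL that lives on the router.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int


@dataclass
class Router:
    """Stand-in for the MSFC: applies the ACL, then rewrites the destination MAC."""
    denied: set                 # (dst_ip, proto, dst_port) tuples, e.g. 'deny tcp any host X eq www'
    next_hop_mac: dict          # dst_ip -> MAC the router rewrites onto the frame
    seen: list = field(default_factory=list)   # every packet the router actually handled

    def route(self, pkt):
        self.seen.append(pkt)
        if (pkt.dst_ip, pkt.proto, pkt.dst_port) in self.denied:
            return None         # ACL drops it; nothing comes back to the switch
        return self.next_hop_mac[pkt.dst_ip]


class Switch:
    """Stand-in for the Catalyst. flow_mask selects what the shortcut cache is keyed on."""

    def __init__(self, router, flow_mask):
        assert flow_mask in ("off", "destination", "full")
        self.router = router
        self.flow_mask = flow_mask
        self.cache = {}         # flow key -> rewrite MAC learned from the router

    def key(self, pkt):
        if self.flow_mask == "destination":
            return pkt.dst_ip                                   # IP only: ports invisible
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.dst_port)  # full flow

    def forward(self, pkt):
        """Return (action, mac): 'shortcut' from cache, 'routed' via router, or 'dropped'."""
        if self.flow_mask != "off":
            k = self.key(pkt)
            if k in self.cache:
                return "shortcut", self.cache[k]    # router never consulted
        mac = self.router.route(pkt)
        if mac is None:
            return "dropped", None                  # entry is never completed
        if self.flow_mask != "off":
            self.cache[self.key(pkt)] = mac         # completed on the way back
        return "routed", mac


def demo(flow_mask):
    """Send two permitted SMTP packets then one denied HTTP packet to the same server.

    Returns the per-packet actions and how many packets the router ever saw.
    All addresses below are constructed sample data.
    """
    router = Router(denied={("10.1.1.10", "tcp", 80)},          # deny tcp any host 10.1.1.10 eq www
                    next_hop_mac={"10.1.1.10": "00:00:0c:aa:bb:cc"})
    sw = Switch(router, flow_mask)
    smtp = Packet("192.168.1.5", "10.1.1.10", "tcp", 25)       # permitted by the ACL
    www = Packet("192.168.1.5", "10.1.1.10", "tcp", 80)        # denied by the ACL
    actions = [sw.forward(smtp)[0], sw.forward(smtp)[0], sw.forward(www)[0]]
    return {"actions": actions, "router_saw": len(router.seen)}


if __name__ == "__main__":
    for mask in ("off", "destination", "full"):
        print(f"{mask:12s} {demo(mask)}")
```

With the destination-only key the third packet, which the router's ACL would deny, is shortcut-switched on the MAC learned from the earlier SMTP flow and the router never sees it; with the full flow key it misses the cache, reaches the router and is dropped; with MLS off every packet is routed, which is the post's fallback when no PFC is available.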