Cisco ACL confusion...

Hi All,
I have a couple of queries about the way ACLs work on Cisco Layer 3 switches, namely a Cisco 6509 with IOS 12.2(18).
We have a number of VLANs running on the device and after creating a new 'Management' VLAN, we wanted to restrict access to this VLAN so only 2 out of our 20+ other VLANs could access the devices within.
Now, sounds fairly simple to me. BUT, we could only get it to work properly if we denied access from ALL 18 of the other VLAN interfaces and not by placing a much smaller ACL at the Destination VLAN interface.
Does this make sense? Can anyone tell me if they should work the same as a PIX/Router ACL? Here is an example:
The Management VLAN is VLAN 8 with a network address of 172.17.1.0/24, the ACL is 180. Let's say we want to allow networks 172.23.80.0/24 and 172.19.0.0/16 to access the new VLAN, but NO others.
access-list 180 permit ip 172.23.80.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 180 permit ip 172.19.0.0 0.0.255.255 172.17.1.0 0.0.0.255
access-list 180 deny ip any any
int vlan 8
ip access-group 180 in
Would this be on the right lines or am I missing something?
Many thanks

Jonathan
Think of it like this.
IN applies to traffic going into the interface rather than the vlan, so in your example IN on vlan 8 means traffic going into the vlan 8 interface, i.e. traffic from vlan 8 servers.
OUT applies to traffic leaving the interface, i.e. traffic going out on the vlan 8 interface - to the vlan 8 servers.
Hope this makes sense
Jon
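Jon's point about direction, shown as a runnable model (an added example written for this page, not code from the thread or from Cisco): it parses the poster's three access-list 180 lines with Cisco wildcard-mask matching and the implicit deny, then applies the list "in" versus "out" on the Vlan8 SVI. VLAN numbers 20, 30 and 40 and the 10.1.1.0/24 network are constructed stand-ins for the other VLANs; the addresses of the permitted networks and of VLAN 8 are the post's own.

```python
"""Cisco extended-ACL direction model (added example, not code from the thread).
`access-list N permit|deny ip SRC DST` with wildcard masks and the implicit deny,
then `ip access-group N in|out` on an SVI: "in" filters packets the switch
receives FROM that VLAN's hosts, "out" filters packets it sends TO them."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
Spec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit ints


def ip2int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_addr_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Consume `any` or `A WILDCARD` at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    return (ip2int(tokens[i]), ip2int(tokens[i + 1])), i + 2


def wc_match(addr: int, spec: Spec) -> bool:
    """A wildcard bit of 1 means 'don't care': compare only where it is 0."""
    base, wildcard = spec
    care = ALL_ONES & ~wildcard
    return (addr & care) == (base & care)


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def parse_acl(config: str) -> Dict[str, List[Ace]]:
    """Parse numbered IP ACL lines (the form used in the post; no ports), keyed by N."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config.strip().splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported line: {raw!r}")
        src, i = parse_addr_spec(t, 4)
        dst, i = parse_addr_spec(t, i)
        acls.setdefault(t[1], []).append(Ace(t[2], src, dst))
    return acls


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for ace in acl:
        if wc_match(s, ace.src) and wc_match(d, ace.dst):
            return ace.action
    return "deny"


@dataclass
class Svi:
    network: ipaddress.IPv4Network
    acl_in: Optional[List[Ace]] = None   # ip access-group N in
    acl_out: Optional[List[Ace]] = None  # ip access-group N out


def route(svis: Dict[int, Svi], src: str, dst: str) -> str:
    """Routed packet: the ingress SVI's 'in' ACL, then the egress SVI's 'out' ACL."""
    ingress = next(v for v in svis.values() if ipaddress.IPv4Address(src) in v.network)
    egress = next(v for v in svis.values() if ipaddress.IPv4Address(dst) in v.network)
    if ingress.acl_in and evaluate(ingress.acl_in, src, dst) == "deny":
        return "deny"
    if egress.acl_out and evaluate(egress.acl_out, src, dst) == "deny":
        return "deny"
    return "permit"


# The poster's ACL, with the list number supplied on the final line.
ACL_180 = parse_acl("""
access-list 180 permit ip 172.23.80.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 180 permit ip 172.19.0.0 0.0.255.255 172.17.1.0 0.0.0.255
access-list 180 deny ip any any
""")["180"]


def build_switch(direction: str) -> Dict[int, Svi]:
    """Vlan8 is the management VLAN from the post; VLAN numbers 20/30/40 and the
    10.1.1.0/24 network are constructed stand-ins for the other VLANs."""
    svis = {
        8: Svi(ipaddress.IPv4Network("172.17.1.0/24")),
        20: Svi(ipaddress.IPv4Network("172.23.80.0/24")),
        30: Svi(ipaddress.IPv4Network("172.19.0.0/16")),
        40: Svi(ipaddress.IPv4Network("10.1.1.0/24")),
    }
    # The post applied the list "in"; Jon's explanation implies "out" was meant.
    setattr(svis[8], "acl_in" if direction == "in" else "acl_out", ACL_180)
    return svis


def scenario(direction: str) -> Dict[str, str]:
    sw = build_switch(direction)
    flows = {
        "vlan20_to_mgmt": ("172.23.80.5", "172.17.1.10"),
        "vlan30_to_mgmt": ("172.19.4.7", "172.17.1.10"),
        "vlan40_to_mgmt": ("10.1.1.5", "172.17.1.10"),
        "mgmt_reply_to_vlan20": ("172.17.1.10", "172.23.80.5"),
    }
    return {name: route(sw, s, d) for name, (s, d) in flows.items()}
```

With the list applied "in" on Vlan8, the non-permitted VLAN still reaches the management hosts while their replies hit the implicit deny, which is exactly the behaviour that forced the per-VLAN deny lists; applied "out" it filters the intended traffic and leaves the replies alone.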

Similar Messages

  • Cisco ACL for Wireless VLAN's

    Hi all and Merry Christmas to you.
    So I have been off work for a few days now playing in my lab. I have configured a number of VLANs to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142. I know it may be a bit of overkill but it's just me doing a bit of lab work and learning.
    What I'm after doing now is setting up ACLs to deny the Guest and Games Console VLANs from accessing my LAN and I'm not sure where to start. I want the consoles only to be able to connect to PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN; this is for users who come round with phones and tablets.
    My lab looks like this:
    Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.
    My DHCP server is on VLAN 6 with an IP address of 192.168.6.241
    VLANs are: -
    interface Vlan5
    description *****DATA VLAN*****
    ip address 192.168.5.253 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan6
    description *****Servers*****
    ip address 192.168.6.254 255.255.255.240
    interface Vlan7
    description *****VOICE*****
    ip address 192.168.7.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan8
    description *****VOICE WIFI*****
    ip address 192.168.8.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan9
    description *****WIFI CONSOLES*****
    ip address 192.168.9.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan10
    description *****WiFi Home*****
    ip address 192.168.10.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan11
    description *****WiFi Guest*****
    ip address 192.168.11.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan12
    description *****Management*****
    ip address 192.168.12.254 255.255.255.240
    The AP config looks like:
    dot11 ssid Console
       vlan 9
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 094F4107170A051103
    dot11 ssid Home
       vlan 10
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       mbssid guest-mode
    interface Dot11Radio0.9
    encapsulation dot1Q 9
    ip helper-address 192.168.6.241
    no ip route-cache
    bridge-group 9
    bridge-group 9 subscriber-loop-control
    bridge-group 9 block-unknown-source
    no bridge-group 9 source-learning
    no bridge-group 9 unicast-flooding
    bridge-group 9 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip helper-address 192.168.6.241
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.12
    encapsulation dot1Q 12 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    At the minute I'm just trying to stop Console getting to the Home network before I move onto the rest.
    I have not got a clue where to start or where to place the ACLs; would they be on the Switch or the AP itself?
    Hope you can help me out.
    Happy new year
    Martyn

    Here is a support document in regards to autonomous ACL:
    https://supportforums.cisco.com/docs/DOC-13768
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • ACL-confusion

    I have gotten confused with the many posts regarding ACL
    Could someone kindly tell me the Terminal code for removing the ACL on this file: (as revealed by Disk Utility)
    ACL found but not expected on "Applications/Utilities/Disk Utility.app/Contents/Frameworks/DUSupport.framework/Versions/Current"
    And what exact code would I use for removing the ACL from ALL the files in my Utilities folder?
    Many thanks.

    OK, tried what you suggested and I think it worked for my home directory, however when I run DR, I get a huge list of:
    ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrinterSharingSetUp.html".
    2008-06-10 18:04:29 -0400: ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrinterSelectiondlg.html".
    2008-06-10 18:04:29 -0400: ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintDPOFSelection.html".
    2008-06-10 18:04:29 -0400: ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintDirectFrDigitalCam.html".
    2008-06-10 18:04:29 -0400: ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintDialog.html".
    2008-06-10 18:04:29 -0400: ACL found but not expected on "Library/Printers/Lexmark/Drivers/Lexmark 3300 Series Help.bundle/Contents/Resources/French.lproj/Lexmark3300SeriesHelp/PrintCartridges.html".
    It goes on for over 35 minutes -- all referring to Library/Printers/*,
    then it follows with:
    [I did not include every line of Group differs on "Applications/System Preferences. . . ]
    2008-06-10 18:05:22 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/InfoPlist.strings", should be 0, group is 80.
    2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/Localizable.strings", should be 0, group is 80.
    2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/MainMenu.nib/keyedobjects.nib", should be 0, group is 80.
    2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/MainMenu.nib", should be 0, group is 80.
    2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj/NSPrefPaneGroups.strings", should be 0, group is 80.
    2008-06-10 18:05:23 -0400: Group differs on "Applications/System Preferences.app/Contents/Resources/pl.lproj", should be 0, group is 80.
    2008-06-10 18:05:24 -0400: ACL missing on "Library".
    2008-06-10 18:05:24 -0400: ACL found but not expected on "bin".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ps".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/bash".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/sh".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/chmod".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/cp".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/dd".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/df".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/link".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ln".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ls".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/mkdir".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/mv".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/pax".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/rm".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/rmdir".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/unlink".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "usr/bin/cpio".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/launchctl".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/rcp".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/cat".
    2008-06-10 18:05:25 -0400: ACL found but not expected on "bin/ed".
    2008-06-10 18:05:25 -0400: ACL found but not expected on ".".
    2008-06-10 18:05:26 -0400: Group differs on "private/etc/cups", should be 0, group is 26.
    2008-06-10 18:05:27 -0400: Permissions differ on "Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool", should be -rwsr-xr-x , they are -rwsrwxr-x .
    2008-06-10 18:05:27 -0400: Permissions differ on "Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy", should be -rwsr-xr-x , they are -rwsrwxr-x .
    2008-06-10 18:05:30 -0400:
    2008-06-10 18:05:30 -0400: Permissions repair complete
    2008-06-10 18:05:30 -0400:
    2008-06-10 18:05:30 -0400:
    Can you tell me how to remedy this stuff? I understand about the "private/etc/cups" thing but what about all the ACLs on "bin/. . . "?
    Should those be there?
    Can I log in as root user to change these??
    Any assistance greatly appreciated.

  • EA6500 ... Cisco totally confused and lost track

    1) After world wide bla bla announcements it was released with major delay.
    2) Cisco went (back) to Broadcom chipsets again.
    3) Six new firmware releases in 3 months time after the initial release, probably after the many very bad test reports.
    4) Very obscure and lacking firmware release notes (in other words, they are worthless).
    5) Do I need to suggest professional Company Cisco to thoroughly test products, under all possible conditions before to release it?? Poor non-wizkids who bought this "super" router.
    ===========================================================================
    Release Date:            Nov. 10, 2012 (?)
    Firmware version: 1.1.27 (build 144730)
    *undocumented until now*
    ===========================================================================
    Release Date:            Nov. 5, 2012
    Firmware version:        1.1.27 (Build 144545)
    - Applies the fixes from the previous two releases (1.1.27 build 144156 and build 144027) without requiring a factory reset.
    [brilliant...]
    ===========================================================================
    Release Date:            Oct. 30, 2012
    Firmware version:        1.1.27 (Build 144156)
    ===========================================================================
    Release Date:            Oct. 27, 2012
    Firmware version:        1.1.27 (Build 144027)
    ===========================================================================
    Release Date:            Oct. 12, 2012
    Firmware version:        1.1.27 (Build 142736)
    ===========================================================================
    Release Date:           September 12, 2012
    Firmware version:       1.1.27 (Build 141816)
    ===========================================================================
    Release Date:           August 3, 2012
    Firmware version:       1.1.26 (Build 140196)
    - Initial release

    wouterv wrote:
    The "undocumented until now" version of the firmware, does your router have that firmware version already? I am positive that Cisco will be able to provide "fix" for the current issues that users bumped into using this AC router. I am not sure if it has something to do with the device being a draft n still but anyway, who knows a better firmware is on the way.

  • ACLs never apply to traffic generated by the router

    http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
    "Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
    Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case could you please explain?

    Thanks Rick. I need some clarification about the below scenario please:
    suppose I have got R1 (one of many routers) with two interfaces serial0/0 and e0/0; the ip address for serial0/0 is 192.168.0.1/24
    and the ip address for e0/0 is 172.16.0.1/16.
    R1(config)#access-list 101 deny ip any any
    R1(config)#interface serial 0/0
    R1(config-if)#ip access-group 101 out
    R1(config)#access-list 150 deny ip any any
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip access-group 150 in
    Now we satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
    1- ((The inbound ACL will deny all traffic)).
    This is obvious because when any packet tries to enter the router R1, the ACL will check both ip addresses, the source (any) and the destination (which can be one of the interfaces belonging to R1); because it matches the condition of the ACL, it will be dropped.
    2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
    The first part (In this case the outbound ACL can deny transit traffic) is fine; the second part, "but can not deny packets generated by the router which will be transmitted", is where my understanding differs: when packets are generated by router R1, these packets have a source ip address and a destination ip address.
    The source and destination ip addresses still match the condition of the ACL, so why shouldn't it be
    denied?

  • Nexus 3548 ACL Logging

    With "show ip access-list", IOS displays matches against each statement within the ACL and you can see counters incrementing or not, which is useful in troubleshooting. The Nexus 3548 does not display any counters with the same command!
    I must be missing something because I cannot find a logging command that will simply add hits to the output of "show ip access-list <name>" (Nexus 3548).
    Is there an alternative?

    After reading Cisco ACL docs I managed to configure and get ACL logging working fine on my lab 3548:
    test# sh log ip access-list cache
    Source IP        Destination IP     S-Port  D-Port    Interface   Protocol          Hits
    10.170.x.x    10.x.x.x        0       0         mgmt0      (6)TCP            98
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A4(3)
      system:    version 6.0(2)A4(3)
      Power Sequencer Firmware:
                 Module 1: version v2.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A4.3.bin
      kickstart compile time:  11/21/2014 9:00:00 [11/21/2014 19:29:20]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A4.3.bin
      system compile time:     11/21/2014 9:00:00 [11/21/2014 21:09:06]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
      Intel(R) Pentium(R) CPU  @ 1.50GHz
     with 3805876 kB of memory.
    However in my other live Nexus 3548 "show log ip access-list cache" is not available from the command line with the following software version:
    -n35# show log ip access-list cache
                               ^
    % Invalid command at '^' marker.
    Software
      BIOS:      version 1.9.0
      loader:    version N/A
      kickstart: version 6.0(2)A1(1b)
      system:    version 6.0(2)A1(1b)
      Power Sequencer Firmware:
                 Module 1: version v2.1
      BIOS compile time:       10/13/2012
      kickstart image file is: bootflash:///n3500-uk9-kickstart.6.0.2.A1.1b.bin
      kickstart compile time:  9/5/2013 14:00:00 [09/05/2013 23:37:16]
      system image file is:    bootflash:///n3500-uk9.6.0.2.A1.1b.bin
      system compile time:     9/5/2013 14:00:00 [09/06/2013 03:25:01]
    Hardware
      cisco Nexus 3548 Chassis ("48x10GE Supervisor")
    I've researched the command line reference and found nothing to suggest that this OAL feature is not supported in version 6.0(2)A1(1b)... anyways, on the live 3548 I can see the statistics per-entry command under each ACL (these ACLs are not bound to any VLAN interfaces). show ip access-list shows no hits against any of the ACLs.
    My 1st question: why is the OAL ACL cache not supported on my live version?
    2nd q - Why are there no hits when the statistics per-entry command is configured under each ACL, when I know there are thousands of hits per minute?
    NB: The ip access-group in statements are applied to the Interface port number NOT interface VLAN
    example
    interface Ethernet1/6
      description ** hello **
      ip access-group test in
      switchport access vlan 885
      speed 1000
      no negotiate auto

  • How to access Access List information through SNMP?

    Hi,
    I wonder if it is possible to access a router's access list info (acl type, name, entries, stats) through SNMP.
    Using the SNMP Object Navigator I have found a MIB and OIDs that should allow me to do just that: 
    Object
    ciscoACLMIB
    OID
    1.3.6.1.4.1.9.9.808
    MIB
    CISCO-ACL-MIB ;   -   View Supporting Images
    Description
    "This MIB module defines objects that describe Cisco Access
    Control Lists (ACL).
    But clicking on the "Supported Images" link shows that this MIB is not supported in any IOS release? I have tested with an snmpwalk on a few routers with different IOS versions and I don't get any results:
    SNMPv2-SMI::enterprises.9.9.808 = No Such Object available on this agent at this OID
    Is there any way to read the ACL info through SNMP? Can anybody explain to me how to do this?
    Thanks in advance.
    Alberto

    Hi Alberto,
    Unfortunately, it is not possible to get ACL information via SNMP.
    An enhancement bug has already been filed for the same:
    CSCdu44167    no corresponding MIB for show access-list on a router.
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ***

  • RVS4000 - Country Block

    Is there a way to block an entire country of IP addresses?  My client does not need any international traffic - but specifically would like to block China.  In reference to http://www.countryipblocks.net, they can generate a list.  Is there any way to import this into the RVS4000?
    # Country: CHINA
    # ISO Code: CN
    # Total Networks: 4,036
    # Total Subnets:  330,320,384
    # LEGEND:  Cisco ACL
    If this isn't possible, then is there a way to only allow a port forward based on a domain name? 

    They need to also update the RVS4000 IP attack signatures and give us a way to block these assholes. I'm ready to black hole any and all IPs from 3rd world countries for this reason alone. Damn DDoS.

  • Block host to host traffic

    I need to block all traffic from host to host that are on the same VLAN. But continue to reach the outside world. I am using a 2921 router. What do I need to do to achieve this?

    Cisco ACLs won't help in this case. Traffic between hosts on the same VLAN is controlled entirely from the switches and APs. The routers don't ever see that, so they can't control it.
    The APs from just about any vendor will be able to do client isolation, so keeping the wireless clients from talking to each other shouldn't be difficult. Wired clients are another story and will depend on the capabilities provided by the switches. If they have an equivalent to Cisco's "switchport protected" functionality, you should be able to use that.

  • Confused how to set-up a PC & laptop with Cisco WRVS4400N VPN for home use

    Just bought a new PC and laptop and was recommended by (CDW) to use a Cisco WRVS4400N to set up the VPN.
    For home use, only the PC and laptop, both running Windows 7.  I use Comcast as my ISP.
    The mountains of docs confuses me to no end, can anyone simplify this for me.  I look at all the details and do not know where to start.
    In short,
    (1) configure router to recognize my PC and Comcast, and I guess the laptop.
    (2) configure laptop to go wireless and communicate with PC.
    Any assistance would be much appreciated.
    Thanks,
    Terry

    For a very small office and a minimum of admin and tech know-how, one approach I'd suggest is to not worry about user ID collisions at all. Any time anyone wants to use a Mac you just set them up as a user, using consistent names/passwords.
    Have a "Work" volume on each Mac that has "ignore ownership on this volume" ticked. That way UID collisions aren't important.
    You can make a Desktop folder on the Work volume and make a SYMBOLIC LINK from every user's home that replaces their desktop with the desktop folder on the Work volume.
    Make it known that the user's home is for personal stuff ONLY, and the Work volume (inc. the desktop) is where work in progress lives.
    At a later date, with some confidence in your network and your admin skills, you could impose consistent UIDs using an OD master.

  • Cisco media subsystem - im totally confused. Please shed light :)

    I have been googling on Cisco Media subsystem. Everywhere I see the below statement.
    Cisco Media
    Configures Cisco Media Termination (CMT) dialog control groups, which can be used to handle simple Dual Tone Multifrequency (DTMF)-based dialog interactions with customers
    I'm confused. What exactly is the role of this subsystem?
    - In call control group configuration, I see that there is an option to enable it or not. So I'm assuming that it is not mandatory to configure it.
    a) So in my script, if I have a menu step, obviously we use DTMF to make the selection in the menu step. So do CMT dialogue channels come into play in that part? What exactly is the role of this subsystem?
    b) When I use other applications like MRTS or TTS, does this media subsystem have any role?
    c) What are the scenarios in which this subsystem kicks in? What is the role? When can I disable the Media Termination support in the CC group?
    Please give me a detailed description. Cisco documents are just beating around the bush. Your help will be highly appreciated.

    Hi Nirmal,
    Nirmal Issac wrote:I have been googling on Cisco Media subsystem. Everywhere I see the below statement.
    Cisco Media
    Configures Cisco Media Termination (CMT) dialog control groups, which can be used to handle simple Dual Tone Multifrequency (DTMF)-based dialog interactions with customers
    Have you read the UCCX Admin Guide section on this topic?  It does a pretty decent job of explaining it.
    Your assumption here is incorrect.  The radio button simply indicates whether or not you want a new CMG to be created to match up with (I.e., have the same number of channels as there are ports) this CCG.  A "yes" means it will create it, and a "no" means it will not.  Regardless of what you select here, the CMG is actually assigned to the Triggers, and will always default to the Default CMG.  It's always a good practice to select no here, and then define your own CMG with a 10% overhead.  The reason why is explained in the Admin Guide link provided above.
    Nirmal Issac wrote: a) So in my script, if I have a menu step, obviously we use DTMF to make the selection in the menu step. So do CMT dialogue channels come into play in that part? What exactly is the role of this subsystem?
    Correct.  Its role is explained in the Admin Guide link above.
    Nirmal Issac wrote: b) When I use other applications like MRTS or TTS, does this media subsystem have any role?
    Yes.  You would create a new CMG for those applications, and you do not want to assign them to every trigger.  Only those which need it.  The reason is, an ASR license is consumed for the duration of the call using that CMG.  TTS on the other hand releases the license as soon as the Prompt has finished playing.
    Nirmal Issac wrote: c) What are the scenarios in which this subsystem kicks in? What is the role? When can I disable the Media Termination support in the CC group?
    It kicks in for every call to your JTAPI triggers.  HTTP triggers on the other hand do not need CMGs.  You cannot disable the support of CMG in the CCG.  This goes back to your misunderstanding of the Yes/No radio button in the CCG configuration.  Also, you cannot have a trigger with 0 CMGs configured.  The AppAdmin page will throw an error telling you that you need at least one.  Therefore, you cannot use UCCX inbound JTAPI triggers without a CMG.  They are a requirement.
    Nirmal Issac wrote:Please give me a detailed description. Cisco documents are just beating around the bush. Your help will be highly appreciated.
    This is laid out quite nicely in the Admin Guide link provided above.
    In summary: CMG's are for media termination support (E.g., DTMF reception [I.e., Get Digit String Step] and transmission [I.e., Send Digits Step]) for your JTAPI triggers.  You should always manually create a corresponding CMG for your CCG's, and with 10% more channels than your CCG has in ports.  E.g., CCG has 100 ports, your CMG should have 110 channels.  Configuring which CMG your Trigger uses is an extra step: click Show More, remove the Default, Add the new, click save.
    Anthony Holloway
    Please use the star ratings to help drive great content to the top of searches.

  • Cisco prime license confusion

    Hi, I have installed Cisco Prime 1.2 to manage routers, APs, controllers, switches and ISE
    and I am confused with the license.
    I have these 3 items:
    1. L-PILMS42-100
    2. L-PINCSW11-100
    3. L-PINCS11-100
    I have already generated and added item 3 on Prime and it works.
    I generated item 1 but I cannot add it on Cisco Prime; it doesn't recognize the file.
    I am unable to add my ISE on Cisco Prime.
    Do I need a special license for ISE?
    Do I need to add the 3 licenses?
    Please advise

    Do you want to use Prime Infrastructure or Prime LMS to manage the Catalyst 2960 switches? In either case it is possible - simply add the devices manually or discover them. Procedure for PI is here. Procedure for LMS is here.
    The ISE appliances are not manageable in any but the most basic sense as they are not a supported Cisco device (for either Prime Infrastructure or Prime LMS) and will be seen the same as a generic non-Cisco device, i.e., only SNMP polling and traps (and, with LMS, potentially syslog data).

  • ACL's ON Cisco 1841 Router

    Can you let me know what is the maximum no of ACL's that can be configured on Cisco 1841 router ?

    Hmm, I don't know if such a metric is available out there. Perhaps a call/case with Cisco TAC would help! How many ACLs and ACEs do you need/plan to configure?
    Thank you for rating helpful posts! 

  • ACL processing in Cisco 3845

    Hi,
    I would like to know whether ACL processing in the Cisco 3845 is hardware based or software based.
    May I have a list of hardware that supports a dedicated ASIC for ACL processing?
    Thanks and Regards,
    Ahmed Shahzad.    

    Ahmed,
    ACL processing is primarily accomplished in hardware, but requires forwarding of some traffic flows to the CPU for software processing. The forwarding rate for software-forwarded traffic is substantially less than for hardware-forwarded traffic. When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done by software. Because of the difference in packet handling capacity between hardware and software, if the sum of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.
    These factors can cause packets to be sent to the CPU:
    • Using the log keyword
    • Enabling ICMP unreachables
    • Hardware reaching its capacity to store ACL configurations
    If ACLs cause large numbers of packets to be sent to the CPU, the switch performance can be negatively affected.
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • ACL based Forwarding in Cisco 12000

    I have a Cisco 12000 router running XR 4.1.1 where I need to do the below configuration.
    track up_01
    type rtr 103 reachability
    track up_02
    type rtr 113 reachability
    track down_01
    type rtr 104 reachability
    track down_02
    type rtr 114 reachability
    ipv4 access-list DOWN
    100 permit tcp any eq www any nexthop track down_02 1.1.1.2
    110 permit tcp any gt 1044 any nexthop track down_02 1.1.1.2
    200 permit tcp any eq www any nexthop track down_01 1.1.2.2
    210 permit tcp any gt 1044 any nexthop track down_01 1.1.2.2
    500 permit ipv4 any any
    ipv4 access-list UP
    100 permit tcp any any eq www nexthop track up_02 1.1.3.2
    110 permit tcp any any gt 1044 nexthop track up_02 1.1.3.2
    200 permit tcp any any eq www nexthop track up_01 1.1.4.2
    210 permit tcp any any gt 1044 nexthop track up_01 1.1.4.2
    500 permit ipv4 any any
    interface x/x/x
    description **UPLINK**
    ipv4 address a.a.a.a b.b.b.b
    bundle minimum-active links 1
    load-interval 30
    ipv4 access-group DOWN ingress
    The issue is that I cannot use the NextHop option in the ACL; it seems that is not available in XR 4.1.1.
    I found a different opinion in http://www.cisco.com/c/en/us/td/docs/routers/xr12000/software/xr12k_r4-2/addr_serv/command/reference/b_ipaddr_cr42xr12k/b_ipaddr_cr42xr12k_chapter_01.html#wp5137027590
    Does anyone have a suggestion to do this config or any alternate configuration?

    Hi there,
    yeah, you need PBR or ABF for this configlet you're showing.
    I don't believe that the GSR has that capability in that release.
    If I see it right, then you need minimally 420+ for this functionality.
    But also pay attention to the engine type of the cards you have, because there is likely a dependency there also.
    xander
