RE: Bridging On 3640

From: Justin Menga (Justin.Menga@xxxxxxxxxxxxxx)
Date: Tue Aug 06 2002 - 19:27:01 GMT-3


Hi,

You need a switch with some intelligence to do this. The bridging software
on IOS is very limited.

A Catalyst 2950 with the EI image should do - you can apply Layer 3/4 ACLs
inbound to a port, so you implement the block as follows:

access-list 100 deny udp any any eq 67
access-list 100 deny udp any any eq 68
access-list 100 permit ip any any

interface fa0/1
 ip access-group 100 in

The 2950 has limitations, in that you must use the same wildcard mask for
every ACE (e.g. you can't mix a permit host ACE with a permit any ACE) and
you also can't do TCP or UDP port ranges.

On the Catalyst 3550, you can use a feature similar to VLAN ACLs on the
Catalyst 6500, where you filter Layer 3/4 traffic inbound to a VLAN,
regardless of physical port.

Regards,
Justin

-----Original Message-----
From: Wright, Jeremy [mailto:JA_WRIGHT@admworld.com]
Sent: Wednesday, August 07, 2002 8:10 AM
To: 'ccielab@groupstudy.com'
Cc: 'security@groupstudy.com'
Subject: OT: Bridging On 3640

I have a 3640 with fa1/0 and fa1/1. I want to bridge everything through
except packets destined for ports 67 and 68. I'm running into trouble with
making the right bridging commands as well as the ACL. TIA team!

************************
Jeremy Wright
Network Analyst
Archer Daniels Midland
ja_wright@admworld.com
(217)451-4063
************************
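The following is an added example, not part of either message in the thread and not Cisco code: a small Python model of how the IOS extended ACL in Justin's reply is evaluated. It shows the two things the ACL text alone does not make visible: first-match ordering (the two deny lines must precede the permit, or they never match) and the implicit deny that ends every IOS ACL (an ACL with only the two deny lines would also drop the traffic that was meant to be bridged). The `same_wildcard_mask` check is an assumption, an approximation of the 2950 EI restriction exactly as Justin describes it (no mixing of `host` and `any` ACEs); the packets and the second ACL are constructed for illustration.

```python
"""Evaluator for the IOS extended ACL shown in the thread (constructed example).

Models first-match semantics, the implicit deny at the end of every IOS ACL,
and the 2950 "same wildcard mask in every ACE" restriction as the reply
describes it. The ACL text is the one from the reply; packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]  # (base address, wildcard mask); 1 bits in the mask are "don't care"


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every IP protocol; otherwise "udp", "tcp", ...
    src: Addr
    dst: Addr
    dport: Optional[int]   # destination "eq N", the only port form used in the thread


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list N permit|deny proto src dst [eq port]' line."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, dport)


def _addr_matches(spec: Addr, ip: str) -> bool:
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF          # bits the ACE actually compares
    return (int(ipaddress.IPv4Address(ip)) ^ base) & care == 0


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a packet; the first matching ACE wins."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny: nothing matched


def same_wildcard_mask(acl: List[Ace]) -> bool:
    """2950 EI restriction as described in the reply: one wildcard mask for every ACE.

    Assumption/approximation: every source and destination mask in the ACL must
    be identical, so 'host' and 'any' ACEs cannot be mixed.
    """
    masks = {m for ace in acl for _, m in (ace.src, ace.dst)}
    return len(masks) <= 1


# The ACL from the reply, parsed.
ACL_100 = [parse_ace(l) for l in (
    "access-list 100 deny udp any any eq 67",
    "access-list 100 deny udp any any eq 68",
    "access-list 100 permit ip any any",
)]

# Constructed ACL the 2950 restriction would reject: a host ACE mixed with an any ACE.
ACL_MIXED = [parse_ace(l) for l in (
    "access-list 101 permit ip host 10.0.0.5 any",
    "access-list 101 permit ip any any",
)]

if __name__ == "__main__":
    # Constructed packets: a DHCP client broadcast, a server reply, DNS, and ping.
    print(evaluate(ACL_100, "udp", "0.0.0.0", "255.255.255.255", 67))   # deny
    print(evaluate(ACL_100, "udp", "10.0.0.1", "255.255.255.255", 68))  # deny
    print(evaluate(ACL_100, "udp", "10.0.0.1", "10.0.0.53", 53))        # permit
    print(evaluate(ACL_100, "icmp", "10.0.0.1", "10.0.0.2"))            # permit
    print(same_wildcard_mask(ACL_100), same_wildcard_mask(ACL_MIXED))   # True False
```

Running it with only the two deny lines (`ACL_100[:2]`) returns `deny` for everything, which is the implicit-deny trap: the final `permit ip any any` is what keeps the rest of the bridged traffic flowing.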



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:18 GMT-3