FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE

From: Adam Crisp (adam.crisp@totalise.co.uk)
Date: Thu Nov 07 2002 - 12:41:32 GMT-3

• Next message: Adam Crisp: "FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE -"
• Previous message: Adam Crisp: "possible Bug on 3550, ip access-group ???"
• Next in thread: Vijay S Jayaraman: "Re: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE"
• Maybe reply: Vijay S Jayaraman: "Re: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE"
• Maybe reply: Adam Crisp: "RE: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi
I notices that Cisco have, as of 24th Oct released a new IOS
version: 12.1.11.EA1a

I instal the this release, but the behavour is the same:
!
show ip interface
<...
FastEthernet0/1 is up, line protocol is up
  Inbound access list is not set
FastEthernet0/2 is administratively down, line protocol is down
  Inbound access list is 1
FastEthernet0/3 is up, line protocol is up
  Inbound access list is not set
FastEthernet0/4 is up, line protocol is up
  Inbound access list is not set
FastEthernet0/5 is down, line protocol is down
  Inbound access list is not set
FastEthernet0/6 is up, line protocol is up
  Inbound access list is not set
..>

Look I even shutdown int fast 0/2, the PC is in 0/6 - and the access list
still applies.

Assuming that this IS NOT a bug can anybody please explain how to prevent
access to the switch on selective ports. - using IP L3 infomation - ie ip
address.

HELP

Adam

-----Original Message-----
From: Adam Crisp [mailto:adam.crisp@totalise.co.uk]
Sent: 07 November 2002 15:24
To: Ccielab
Subject: possible Bug on 3550, ip access-group ???

Hi,

I think I've found a bug on the 3550, but can't find any reference to it on
CCO.

Vlan 254 on my switch supports IP hosts on the subnet 192.168.200.0 /24
I am trying to prevent access on the switch, to a PC with IP address
192.168.200.2
This PC is plugged int Fast 0/2.
According to the documentation, you can use an ip access-lists to do the
above requirement.

hence:

!
access-list 1 deny 192.168.200.2
access-list 1 permit any
!
interface FastEthernet 0/2
 switchport access vlan 254
 switchport mode access
 no ip address
 ip access-group 1 in
 spanning-tree portfast
!

This works ok.

The problem is, is that the above configuration, not only blocks access to
port fast0/2, - but to any other port on the switch

If I move my PC from 0/2 to 0/6 and 0/6 is configured like:
!
interface FastEthernet0/6
 switchport access vlan 254
 switchport mode access
 no ip address
 spanning-tree portfast
!

then the PC still cannot access the switch. If I remove the "ip access-group
1 in" command from fast 0/2 - everything is ok.

I am using the following ios release
"Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(11)EA1, "

This is the L3 feature set.

Anybody come across this?

Adam

• Next message: Adam Crisp: "FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE -"
• Previous message: Adam Crisp: "possible Bug on 3550, ip access-group ???"
• Next in thread: Vijay S Jayaraman: "Re: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE"
• Maybe reply: Vijay S Jayaraman: "Re: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE"
• Maybe reply: Adam Crisp: "RE: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:54 GMT-3