From: Chuck Church (cchurch@MAGNACOM.com)
Date: Thu Nov 07 2002 - 15:33:28 GMT-3
Adam,
I'm thinking this might be due to the way the ACLs work with the
3550 architecture. Like an MSFC, it probably writes the rule to hardware,
and the rule now includes your MAC address of the PC. Try changing the MAC
address of the device when you plug it into port 6, or use a different
device, but same IP address. See if that makes a difference.
Chuck Church
CCIE #8776, MCNE, MCSE
Sr. Network Engineer
Magnacom Technologies
140 N. Rt. 303
Valley Cottage, NY 10989
845-267-4000
Hi,
I have received a lot of emails that say "What happens if you apply the
access-lists to the vlan interface rather that the physical port"
If the access-list is applied to the Vlan interface, rather that the
pbysical interface, this denyies access to the "vlan management interface"
but not other ports on the switch, which is what I was trying to acheive,
I have "interface vlan 254" defined on the 3550, with the IP address
192.168.200.250
There is another PC on VLAN 254, with ip address 192.168.200.251
thus:
!
!
interface Vlan254
ip address 192.168.200.250 255.255.255.0
ip access-group 1 in
end
!
the access-group is NOT applied to port 0/6 (where the PC 192.168.200.2 is
plugged in)
If I ping from the pc then:
"
C:\Documents and Settings\Adam>ping 192.168.200.251
Pinging 192.168.200.251 with 32 bytes of data:
Reply from 192.168.200.251: bytes=32 time<1ms TTL=255
Reply from 192.168.200.251: bytes=32 time<1ms TTL=255
Reply from 192.168.200.251: bytes=32 time<1ms TTL=255
Reply from 192.168.200.251: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.200.251:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Adam>ping 192.168.200.250
Pinging 192.168.200.250 with 32 bytes of data:
Reply from 192.168.200.250: Destination net unreachable.
Reply from 192.168.200.250: Destination net unreachable.
Reply from 192.168.200.250: Destination net unreachable.
Reply from 192.168.200.250: Destination net unreachable.
Ping statistics for 192.168.200.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Documents and Settings\Adam>
"
-----Original Message-----
From: Todd.Reagan@nokia.com <mailto:Todd.Reagan@nokia.com>
[mailto:Todd.Reagan@nokia.com]
Sent: 07 November 2002 16:42
To: adam.crisp@totalise.co.uk <mailto:adam.crisp@totalise.co.uk>
Subject: RE: possible Bug on 3550, ip access-group ??? UPDATE UPDATE -
I'VE FOUND THE WORKAROUND!!!
What happens if you use a vlan interface rather than a port on the
switch to apply the access-list?
Todd
-----Original Message-----
From: ext Adam Crisp [mailto:adam.crisp@totalise.co.uk]
Sent: 07 November, 2002 09:50
To: Ccielab
Subject: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE -
I'VE FOUND THE WORKAROUND!!!
Group,
I am really sorry about by sending repetative emails on the trott - BUT
I have found a workaround to the problem.
I really do think this is a bug now.
According to the documentation:
"You can only apply one IP ACL and one MAC ACL per interface."
Ah ha I thought!
At the moment the PC 192.168.200.2 is plugged into fast 0/6 - but the
"ip access-group 1" on fast 0/2 is also blocking on 0/6
so, if you can only apply ONE IP ACL per interface then what happens if
I apply a NEW "Permit any" access-list to fa0/6
The config now look like this:
access-list 1 deny 192.168.200.2
access-list 1 permit any
access-list 2 permit any
!
interface FastEthernet0/2
switchport access vlan 254
switchport mode access
no ip address
ip access-group 1 in
spanning-tree portfast
!
interface FastEthernet0/6
switchport access vlan 254
switchport mode access
no ip address
ip access-group 2 in
spanning-tree portfast
!
Guess what - it works
Any comments please, I would hate to come accross this in the LAB!!!!
cheers
Adam
-----Original Message-----
From: Adam Crisp [mailto:adam.crisp@totalise.co.uk]
Sent: 07 November 2002 15:42
To: Ccielab
Subject: FW: possible Bug on 3550, ip access-group ??? UPDATE UPDATE
Importance: High
Hi
I notices that Cisco have, as of 24th Oct released a new IOS
version: 12.1.11.EA1a
I instal the this release, but the behavour is the same:
!
show ip interface
<...
FastEthernet0/1 is up, line protocol is up
Inbound access list is not set
FastEthernet0/2 is administratively down, line protocol is down
Inbound access list is 1
FastEthernet0/3 is up, line protocol is up
Inbound access list is not set
FastEthernet0/4 is up, line protocol is up
Inbound access list is not set
FastEthernet0/5 is down, line protocol is down
Inbound access list is not set
FastEthernet0/6 is up, line protocol is up
Inbound access list is not set
..>
Look I even shutdown int fast 0/2, the PC is in 0/6 - and the access
list still applies.
Assuming that this IS NOT a bug can anybody please explain how to
prevent access to the switch on selective ports. - using IP L3
infomation - ie ip address.
HELP
Adam
-----Original Message-----
From: Adam Crisp [mailto:adam.crisp@totalise.co.uk]
Sent: 07 November 2002 15:24
To: Ccielab
Subject: possible Bug on 3550, ip access-group ???
Hi,
I think I've found a bug on the 3550, but can't find any reference to it
on CCO.
Vlan 254 on my switch supports IP hosts on the subnet 192.168.200.0 /24
I am trying to prevent access on the switch, to a PC with IP address
192.168.200.2 This PC is plugged int Fast 0/2. According to the
documentation, you can use an ip access-lists to do the above
requirement.
hence:
!
access-list 1 deny 192.168.200.2
access-list 1 permit any
!
interface FastEthernet 0/2
switchport access vlan 254
switchport mode access
no ip address
ip access-group 1 in
spanning-tree portfast
!
This works ok.
The problem is, is that the above configuration, not only blocks access
to port fast0/2, - but to any other port on the switch
If I move my PC from 0/2 to 0/6 and 0/6 is configured like:
!
interface FastEthernet0/6
switchport access vlan 254
switchport mode access
no ip address
spanning-tree portfast
!
then the PC still cannot access the switch. If I remove the "ip
access-group 1 in" command from fast 0/2 - everything is ok.
I am using the following ios release
"Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(11)EA1, "
This is the L3 feature set.
Anybody come across this?
Adam
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:54 GMT-3