From: Erick B. (erickbe@yahoo.com)
Date: Thu Nov 07 2002 - 22:21:59 GMT-3
The access-group not working on the interface makes
sense, since IP is not enabled on that actual
interface. It's a switchport. Now, if you were to do a
no switchport on the port and make it a routed port
then IP access-group should work fine as IP is active
on the port.
Erick
--- Adam Crisp <adam.crisp@totalise.co.uk> wrote:
> Hi,
>
> I have received a lot of emails that say "What
> happens if you apply the
> access-lists to the vlan interface rather that the
> physical port"
>
> If the access-list is applied to the Vlan interface,
> rather that the
> pbysical interface, this denyies access to the "vlan
> management interface"
> but not other ports on the switch, which is what I
> was trying to acheive,
>
> I have "interface vlan 254" defined on the 3550,
> with the IP address
> 192.168.200.250
> There is another PC on VLAN 254, with ip address
> 192.168.200.251
> thus:
> !
> !
> interface Vlan254
> ip address 192.168.200.250 255.255.255.0
> ip access-group 1 in
> end
> !
>
> the access-group is NOT applied to port 0/6 (where
> the PC 192.168.200.2 is
> plugged in)
>
> If I ping from the pc then:
> "
> C:\Documents and Settings\Adam>ping 192.168.200.251
>
> Pinging 192.168.200.251 with 32 bytes of data:
>
> Reply from 192.168.200.251: bytes=32 time<1ms
> TTL=255
> Reply from 192.168.200.251: bytes=32 time<1ms
> TTL=255
> Reply from 192.168.200.251: bytes=32 time<1ms
> TTL=255
> Reply from 192.168.200.251: bytes=32 time<1ms
> TTL=255
>
> Ping statistics for 192.168.200.251:
> Packets: Sent = 4, Received = 4, Lost = 0 (0%
> loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> C:\Documents and Settings\Adam>ping 192.168.200.250
>
> Pinging 192.168.200.250 with 32 bytes of data:
>
> Reply from 192.168.200.250: Destination net
> unreachable.
> Reply from 192.168.200.250: Destination net
> unreachable.
> Reply from 192.168.200.250: Destination net
> unreachable.
> Reply from 192.168.200.250: Destination net
> unreachable.
>
> Ping statistics for 192.168.200.250:
> Packets: Sent = 4, Received = 4, Lost = 0 (0%
> loss),
> Approximate round trip times in milli-seconds:
> Minimum = 0ms, Maximum = 0ms, Average = 0ms
>
> C:\Documents and Settings\Adam>
> "
>
>
>
> -----Original Message-----
> From: Todd.Reagan@nokia.com
> [mailto:Todd.Reagan@nokia.com]
> Sent: 07 November 2002 16:42
> To: adam.crisp@totalise.co.uk
> Subject: RE: possible Bug on 3550, ip access-group
> ??? UPDATE UPDATE -
> I'VE FOUND THE WORKAROUND!!!
>
>
> What happens if you use a vlan interface rather than
> a port on the
> switch to apply the access-list?
>
>
> Todd
>
> -----Original Message-----
> From: ext Adam Crisp
> [mailto:adam.crisp@totalise.co.uk]
> Sent: 07 November, 2002 09:50
> To: Ccielab
> Subject: FW: possible Bug on 3550, ip access-group
> ??? UPDATE UPDATE -
> I'VE FOUND THE WORKAROUND!!!
>
>
> Group,
> I am really sorry about by sending repetative emails
> on the trott - BUT
> I have found a workaround to the problem.
>
> I really do think this is a bug now.
>
> According to the documentation:
> "You can only apply one IP ACL and one MAC ACL per
> interface."
>
> Ah ha I thought!
> At the moment the PC 192.168.200.2 is plugged into
> fast 0/6 - but the
> "ip access-group 1" on fast 0/2 is also blocking on
> 0/6
>
> so, if you can only apply ONE IP ACL per interface
> then what happens if
> I apply a NEW "Permit any" access-list to fa0/6
>
> The config now look like this:
> access-list 1 deny 192.168.200.2
> access-list 1 permit any
> access-list 2 permit any
> !
> interface FastEthernet0/2
> switchport access vlan 254
> switchport mode access
> no ip address
> ip access-group 1 in
> spanning-tree portfast
> !
> interface FastEthernet0/6
> switchport access vlan 254
> switchport mode access
> no ip address
> ip access-group 2 in
> spanning-tree portfast
> !
>
>
> Guess what - it works
>
> Any comments please, I would hate to come accross
> this in the LAB!!!!
>
> cheers
>
> Adam
>
>
> -----Original Message-----
> From: Adam Crisp [mailto:adam.crisp@totalise.co.uk]
> Sent: 07 November 2002 15:42
> To: Ccielab
> Subject: FW: possible Bug on 3550, ip access-group
> ??? UPDATE UPDATE
> Importance: High
>
>
> Hi
> I notices that Cisco have, as of 24th Oct released a
> new IOS
> version: 12.1.11.EA1a
>
> I instal the this release, but the behavour is the
> same:
> !
> show ip interface
> <...
> FastEthernet0/1 is up, line protocol is up
> Inbound access list is not set
> FastEthernet0/2 is administratively down, line
> protocol is down
> Inbound access list is 1
> FastEthernet0/3 is up, line protocol is up
> Inbound access list is not set
> FastEthernet0/4 is up, line protocol is up
> Inbound access list is not set
> FastEthernet0/5 is down, line protocol is down
> Inbound access list is not set
> FastEthernet0/6 is up, line protocol is up
> Inbound access list is not set
> ..>
>
>
> Look I even shutdown int fast 0/2, the PC is in 0/6
> - and the access
> list still applies.
>
> Assuming that this IS NOT a bug can anybody please
> explain how to
> prevent access to the switch on selective ports. -
> using IP L3
> infomation - ie ip address.
>
> HELP
>
> Adam
>
> -----Original Message-----
> From: Adam Crisp [mailto:adam.crisp@totalise.co.uk]
> Sent: 07 November 2002 15:24
> To: Ccielab
> Subject: possible Bug on 3550, ip access-group ???
>
>
> Hi,
>
> I think I've found a bug on the 3550, but can't find
> any reference to it
> on CCO.
>
> Vlan 254 on my switch supports IP hosts on the
> subnet 192.168.200.0 /24
> I am trying to prevent access on the switch, to a PC
> with IP address
> 192.168.200.2 This PC is plugged int Fast 0/2.
> According to the
> documentation, you can use an ip access-lists to do
> the above
> requirement.
>
> hence:
>
> !
> access-list 1 deny 192.168.200.2
> access-list 1 permit any
> !
> interface FastEthernet 0/2
> switchport access vlan 254
> switchport mode access
> no ip address
> ip access-group 1 in
> spanning-tree portfast
> !
>
>
> This works ok.
>
> The problem is, is that the above configuration, not
> only blocks access
> to port fast0/2, - but to any other port on the
> switch
>
> If I move my PC from 0/2 to 0/6 and 0/6 is
> configured like:
> !
> interface FastEthernet0/6
> switchport access vlan 254
> switchport mode access
> no ip address
> spanning-tree portfast
> !
>
> then the PC still cannot access the switch. If I
> remove the "ip
> access-group 1 in" command from fast 0/2 -
> everything is ok.
>
> I am using the following ios release
> "Cisco Internetwork Operating System Software
> IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version
> 12.1(11)EA1, "
>
> This is the L3 feature set.
>
>
> Anybody come across this?
>
>
> Adam
This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:22:55 GMT-3