Re: Took network down with wrong access-list

From: Jeff K (Jeffbk@austin.rr.com)
Date: Thu Nov 14 2002 - 19:56:32 GMT-3


Was that an existing access-list that you were adding an entry to or was it
a fresh list?

If it was a fresh list and you had bound it to the interface before actually
creating it (i.e., inputting your 'IP access-group 100 in' command before
creating the list itself), then the router was initially not filtering at
all. Remember, if you use the access-group command to bind a non-existing
list to the interface, it is basically a permit all until you create the
first entry in that list. Once you created that access-list 100 statement,
the router began processing it immediately, meaning you had a one-line ACL
that was denying icmp followed by the implicit deny all. In other words,
you were blocking all traffic. Work on the ACL first, then bind to the
interface. Even when you cut and paste, you won't get the whole thing in
there by the time the router begins processing (unless that is your first
permit statement). Well, it's been a long day -- hopefully the way I wrote
that makes sense. lol

-Jeff

----- Original Message -----
From: "Jeongwoo Park" <jpark@wams.com>
To: <ccielab@groupstudy.com>
Sent: Thursday, November 14, 2002 4:02 PM
Subject: Took network down with wrong access-list

> Hi all.
> I'd like to share what I did this morning to take an internet connection
> down for one of our customers' companies.
>
> Internet_router#
>
> interface s0
>  ip access-group 100 in
> .
> .
> .
> access-list 100 deny icmp any host 172.16.1.10 echo
>
>
> I was trying to set up an access-list in a way that no one can ping one of
> their servers in their network.
> This config took their internet connection down.
> I immediately removed it, and it came back normal.
>
> What did I do wrong?
>
> Thanks,
>
> JP
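The two orderings Jeff describes, written out as an IOS configuration fragment. This is an added example, not part of either message: the interface name Serial0, the closing `permit ip any any` entry and the `reload in` safety net are assumptions about how the list was meant to be completed, not the customer's actual configuration.

```cisco
! Added example (not from the original thread). Assumes interface Serial0
! and that everything other than the ping is supposed to be allowed.
!
! --- Ordering that takes the link down ---
! Step 1: bind a list that does not exist yet. IOS treats a missing
!         list as "permit any", so nothing changes ... yet.
interface Serial0
 ip access-group 100 in
!
! Step 2: the first entry is created. The list now exists and is
!         evaluated immediately: deny ICMP echo to the server, then the
!         implicit "deny ip any any" at the end drops everything else.
access-list 100 deny icmp any host 172.16.1.10 echo
!
! --- Safer ordering: unbind, finish the list, check it, then bind it ---
interface Serial0
 no ip access-group 100 in
!
! Caveat: on a numbered ACL, "no access-list 100 <anything>" deletes the
! whole list, not one line, so only do this while the list is unbound.
no access-list 100
access-list 100 remark block pings to the server, allow the rest
access-list 100 deny   icmp any host 172.16.1.10 echo
access-list 100 permit ip any any
!
! Verify all entries (and that the permit is present) before binding:
! Router# show access-lists 100
!
! Optional safety net for remote changes: schedule a reload, bind, then
! cancel the reload once traffic is confirmed to still flow.
! Router# reload in 10
interface Serial0
 ip access-group 100 in
! Router# reload cancel
```

The only difference between the two halves is when the interface sees a list that exists: in the first, that happens on the very first `access-list 100` line, when the list consists of one deny plus the implicit deny all; in the second, the list is complete and has been inspected with `show access-lists` before `ip access-group` is entered. The `reload in` / `reload cancel` pair is a general habit for remote filter changes, not something the original post mentions.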



This archive was generated by hypermail 2.1.4 : Tue Dec 03 2002 - 07:23:00 GMT-3