From: gwp@uaes.org
Date: Thu Apr 10 2003 - 00:49:43 GMT-3
Hello, group. I know that you can only apply a Layer 3 ACL as INBOUND on a
Layer 2 switch port, but my question is whether that direction works any
differently than when you're doing ACLs on router interfaces. Case in
point...
I've got a web server on Switch port FastEthernet 0/5. I want to restrict
access to its web pages to ONLY devices in the 150.50.0.0 /16 network. Say
the web server is on the 192.168.35.0 /24 network. Given the restriction
that the ACL can only be applied INBOUND, I would think I need to block the
RETURN traffic coming from the web server INTO that port (fa 0/5).
So my ACL would be...
access-list 135 permit tcp any eq www 150.50.0.0 0.0.255.255
The OTHER option is obviously...
access-list 136 permit tcp 150.50.0.0 0.0.255.255 any eq www
But that would seem to restrict traffic going OUT of that port (fa 0/5)
towards the web server (and CCO says you CAN'T apply a L3 ACL outbound to a
L2 port/interface).
Am I missing something, or am I correct in assuming that this web server
will be dealing with a bunch of half-open connections (since its return
traffic is what's actually getting filtered, and not the initial packet
with a destination TCP port of 80), and that's the ONLY way to do this
(with the restriction of using L3 ACL, and L2 port/interface)?
In other words, will the second ACL (136) only serve to block ALL IP
traffic (since there will never be traffic with a source IP in the
150.50.0.0 range entering that port, and that ACL would have to be applied inbound)?
Any assistance would be appreciated (in particular if someone could mock it
up in the lab, say using telnet instead of web traffic - I don't have a
3550 or I'd do it myself).
Thank you,
Greg Posey Jr.
CCIE #7981
CSS1, CCSE
M.S. EE
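The question above boils down to which packets an inbound-only ACL on the server's port actually sees. The following is an added example, not part of the original post and not Cisco code: a small Python model of Cisco wildcard-mask matching with first-match semantics and the implicit deny at the end of every ACL. It evaluates the two access lists from the post (135 and 136) against constructed packets travelling in the only direction an ACL on fa 0/5 can filter (packets sourced by the web server). The server address 192.168.35.10, the client addresses and the ephemeral ports are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry in Cisco style: network + wildcard mask, optional port."""
    action: str            # "permit" or "deny"
    src: str
    src_wild: str          # Cisco wildcard: 0 bits must match, 1 bits are "don't care"
    sport: Optional[int]   # None means "any source port"
    dst: str
    dst_wild: str
    dport: Optional[int]   # None means "any destination port"


ANY_NET = ("0.0.0.0", "255.255.255.255")   # the keyword "any"


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (
        wildcard_match(pkt.src, ace.src, ace.src_wild)
        and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)
        and (ace.sport is None or ace.sport == pkt.sport)
        and (ace.dport is None or ace.dport == pkt.dport)
    )


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an ACL always ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# access-list 135 permit tcp any eq www 150.50.0.0 0.0.255.255
ACL_135 = [Ace("permit", *ANY_NET, 80, "150.50.0.0", "0.0.255.255", None)]

# access-list 136 permit tcp 150.50.0.0 0.0.255.255 any eq www
ACL_136 = [Ace("permit", "150.50.0.0", "0.0.255.255", None, *ANY_NET, 80)]

SERVER = "192.168.35.10"   # assumed address on the 192.168.35.0/24 segment


def server_reply(client_ip: str, client_port: int = 40000) -> Packet:
    """A SYN/ACK (or any reply) leaving the server, i.e. INBOUND on fa 0/5."""
    return Packet(SERVER, 80, client_ip, client_port)


def inbound_results(client_ip: str) -> dict:
    """What each ACL, applied inbound on the server's port, does to the reply."""
    reply = server_reply(client_ip)
    return {"135": evaluate(ACL_135, reply), "136": evaluate(ACL_136, reply)}


if __name__ == "__main__":
    for client in ("150.50.1.1", "10.20.30.40"):
        print(client, inbound_results(client))
```

Run as written, the model shows the point the post makes: with ACL 135 inbound on fa 0/5, replies to a 150.50.0.0/16 client are permitted and replies to anyone else hit the implicit deny, while ACL 136 never matches a packet sourced by the server, so inbound on that port it denies everything. The client's initial SYN is egress on fa 0/5 and is not evaluated by an inbound ACL at all, which is why the server still sees the first packet of a filtered connection.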
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:50 GMT-3