RE: 3550 Layer 3 access-lists applied to layer 2 ports

From: Kenneth Wygand (KWygand@customonline.com)
Date: Wed Apr 21 2004 - 12:49:22 GMT-3


Tim,

Just gave this a shot on 3550-48 EMI running 12.1(14)EA1a and it works
like a charm. No problem with the access list affecting other ports,
and it works at layer 3 even though the ports are nailed down as
"switchport mode access". The only strange thing is that I added the
"log" attribute to the access list, and it does not log any packets, but
it works exactly as it should. It didn't even log the first packet.
Strange.

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"The only unattainable goal is the one not attempted."
-Anonymous

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tim Last
Sent: Wednesday, April 21, 2004 10:48 AM
To: R&S Groupstudy; Group Study
Subject: RE: 3550 Layer 3 access-lists applied to layer 2 ports

Hey Adam,

That's great info. Thanks for getting back to me. Hopefully, some kind
and knowledgeable GS member will let us know if that restriction (about
all the other ports) still applies or if it was a bug that's been fixed.

I appreciate the feedback. Thanks, Tim


R&S Groupstudy <rsg@synergy-networking.co.uk> wrote:
Hi Tim.

I had a play with this a while back.
It works, but I found you need to put an access-group statement on all
interfaces, otherwise a deny any any rule seemed to be applied to every
other interface. I think this was a bug.

For example, if you wanted to apply access-list 101 to fast0/1, I had to
also apply access-list 102 to all other interfaces, where access-list 102 =
permit ip any any.

As far as how the switch achieves this function, I imagine it looks at the
L3 header. It is L3 aware after all. The switch will perform its switching
function at L2, but it now has the ability to drop frames based on L3
information.

I do not think you need to configure any other switching parameter.

I think this is a great feature, and it is superb for filtering at L2 and L3
simultaneously.

Adam
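The configuration Adam describes (a filtering ACL on one access port and a permit-any list on every other port) plus the marking variant Tim asks about, written out as an added example; this is not config posted by anyone in the thread. Interface numbers, the VLAN, the host and server addresses and the ACL numbers are all assumed for illustration. The `log` keyword is left on the deny entry because Kenneth reports it produced no log messages on his switch, so verify the filter by sending real traffic from the attached host rather than waiting for log output. The marking case goes through the QoS engine, not the ACL engine, and on the 3550 that needs `mls qos` enabled globally or the policy has no effect.

```cisco
! Assumed topology (constructed for this example): the host 10.1.1.10 sits
! on FastEthernet0/1 in VLAN 10 and may only reach the server 10.1.2.20 on
! TCP 22; everything else arriving on that port is dropped.
access-list 101 remark Hypothetical filter for the host on fa0/1
access-list 101 permit tcp host 10.1.1.10 host 10.1.2.20 eq 22
access-list 101 deny   ip any any log
!
! Adam's workaround: an explicit permit-any list for all the other ports.
access-list 102 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group 101 in
!
interface range FastEthernet0/2 - 48
 switchport mode access
 ip access-group 102 in
!
! Tim's marking case: set IP precedence on packets from one host. This uses
! a separate match-only ACL (103) and the QoS path, so mls qos is required.
mls qos
!
access-list 103 permit ip host 10.1.1.10 any
!
class-map match-all FROM-HOST
 match access-group 103
!
policy-map MARK-HOST
 class FROM-HOST
  set ip precedence 5
!
interface FastEthernet0/1
 service-policy input MARK-HOST
```

To check the filter, try the permitted SSH connection and then something the deny should catch (for example a ping from 10.1.1.10 to 10.1.2.20) from the host on fa0/1; for the marking policy, capture on the server side and confirm the precedence bits, since the port ACL and the QoS policy are applied independently.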

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Tim Last
Sent: 21 April 2004 15:06
To: Group Study
Subject: 3550 Layer 3 access-lists applied to layer 2 ports

Hi all,

The 3550 documentation seems to imply that it's OK to apply an access-list
which looks at layer 3 or higher layer info inside the frame (for example,
mark all ip pkts from ip addr x with ip prec y) and apply it to a layer 2
port (vs. a routed port).

1) Am I interpreting the documentation correctly, i.e. there's no problem
with doing that?

2) If that's OK, how does that work? Isn't it true that Ethernet switches,
in general, only look at MAC headers and based on MAC addresses make their
switching decision?

3) Are there any restrictions or limitations in doing this? Can I create
any access-list that would work on a routed interface, apply it to a 3550
layer 2 port and expect that it will work?

4) For this to work, do I need to configure anything on the 3550 in addition
to the commands that create the access-list and apply it to the port? For
example, mls qos?

Maybe someone can explain what's going on here.

Thanks in advance, Tim




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3