Re: Correction: 3550 - ip acl's on trunks

From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Apr 26 2004 - 12:52:00 GMT-3


Hi Bob,

Thanks for getting back to me. I appreciate it. Yes, I agree the
documentation is sometimes a bit confusing - at least for me. And,
unfortunately, since I don't have ready access to a couple of 3550's, I
can't easily or quickly experiment on the switches to test out my questions.

Just to make sure I understand what you're saying, can I restate this as
follows?

A "PO" refers to just a regular L2 port?

The only distinction you're making in your 1st post when you say "port acl"
vs "router acl" is the type of port, L2 vs L3?

And, as far as acl's applied to trunk ports, you're saying it will work just
as if the port were a regular L2 or L3 port.

For example, is this config OK?

access-list 1 deny 10.0.0.0 0.255.255.255
access-list 1 permit any

int fa0/4
 switchport mode trunk
 ip access-group 1 in

So, as a result, all traffic from 10.0.0.0 will be denied regardless of what
VLAN the packet rides in?

Or, do I need to use the MQC structure and the Per-Port Per-VLAN construct
shown in the manual on page 27-34?

Or, am I way out in left field and don't have a clue?

Thanks, Tim

----- Original Message -----
From: "Bob Sinclair" <bsinclair@netmasterclass.net>
To: "Tim Last" <packtmon@yahoo.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Monday, April 26, 2004 10:58 AM
Subject: Correction: 3550 - ip acl's on trunks

> Tim,
>
> After further reflection, it looks like applying port acls to physical
> ports in an etherchannel is supported. What is not supported is applying an
> access-list to a L2 PortChannel Interface. When the docs refer to an
> "Etherchannel interface", they appear to mean the PortChannel Interface (L2
> or L3), not the physical ports in the channel.
>
>
> Bob Sinclair
> CCIE #10427, CISSP, MCSE
> www.netmasterclass.net
>
> ----- Original Message -----
> From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> To: "Tim Last" <packtmon@yahoo.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Monday, April 26, 2004 10:43 AM
> Subject: Re: 3550 - ip acl's on trunks
>
>
> > Tim,
> >
> > The documentation says port acls are not permitted on (L2) etherchannel
> > interfaces. Router acls are allowed on PO interfaces. I would take this
> > as sound advice, though I have found that port acls applied to L2
> > etherchannel interfaces are effective.
> >
> > Docs say that port acls applied to trunk ports will filter all vlans on the
> > trunk, which appears to work in practice.
> >
> > HTH,
> >
> > Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> > www.netmasterclass.net
> >
> > ----- Original Message -----
> > From: "Tim Last" <packtmon@yahoo.com>
> > To: "Group Study" <ccielab@groupstudy.com>
> > Sent: Monday, April 26, 2004 10:13 AM
> > Subject: 3550 - ip acl's on trunks
> >
> >
> > > Hi guys,
> > >
> > > I know that standard and extended ip acl's work without any additional
> > > configuration statements on regular Cat 3550 L2 access ports (assuming the
> > > acl isn't being used for QoS purposes).
> > >
> > > Is this also true if the port is a trunk or if ports have been grouped
> > > into an etherchannel?
> > >
> > > Also, can ip acl's be applied to SVI's?
> > >
> > > Thanks in advance, Tim
> > >
> > >
> > >



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:55 GMT-3