From: Bob Sinclair (bsinclair@netmasterclass.net)
Date: Mon Apr 26 2004 - 13:04:52 GMT-3
The docs seem to use the term "etherchannel interface" to refer to either a
L2 or L3 Interface Port-Channel.
Also from what I can gather, a "port acl" is an access-list applied to a
layer 2 port, whereas a "router-acl" is applied to a layer 3 port (routed,
L3 Po, or Int VLAN). However there are some other differences, e.g., port
acls can only be applied inbound.
I have tested your config re acl on trunk, and it does seem to work as
advertised.
I take along a Cat3550 "virtually" everywhere I go, so let me know if I can
test something for you.
HTH,
Bob Sinclair
CCIE #10427, CISSP, MCSE
www.netmasterclass.net
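To make the port-ACL / router-ACL distinction above concrete, here is an added Cat3550 configuration sketch. It is not from the thread and not something its authors posted; it assumes dot1q trunking, VLAN 10 as the routed SVI, Fa0/1-2 bundled into an L2 Port-channel 1, and Fa0/5-6 as an L3 Port-channel 2 (all assumed names and addresses).

```cisco
! Added example, not from the thread. All interface names and addresses are assumed.
! One ACL, reused in each placement: drop the 10.0.0.0/8 source, permit the rest.
ip access-list extended BLOCK-TEN
 deny   ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
! 1) Port ACL on an L2 trunk: filters traffic from every VLAN carried on the
!    trunk, and a port ACL can only be applied inbound (there is no "out").
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip access-group BLOCK-TEN in
!
! 2) Port ACL on the physical members of an L2 EtherChannel: supported.
!    Per the docs cited in the thread, putting it on the L2
!    "interface Port-channel1" itself is not supported.
interface range FastEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
 ip access-group BLOCK-TEN in
!
! 3) Router ACL on an SVI: only sees traffic routed into or out of VLAN 10,
!    and may be applied in either direction.
ip routing
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
 ip access-group BLOCK-TEN in
 ip access-group BLOCK-TEN out
!
! 4) Router ACL on an L3 (routed) Port-channel: allowed. Members and the
!    channel interface must both be "no switchport".
interface range FastEthernet0/5 - 6
 no switchport
 channel-group 2 mode on
interface Port-channel2
 no switchport
 ip address 198.51.100.1 255.255.255.252
 ip access-group BLOCK-TEN in
```

Only placement 3 and 4 can filter outbound; anything that must be stopped in both directions at the L2 edge needs a port ACL on the trunk inbound plus a router ACL on the SVI.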
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Group Study" <ccielab@groupstudy.com>; "Bob Sinclair"
<bsinclair@netmasterclass.net>
Sent: Monday, April 26, 2004 11:52 AM
Subject: Re: Correction: 3550 - ip acl's on trunks
> Hi Bob,
>
> Thanks for getting back to me. I appreciate it. Yes, I agree the
> documentation is sometimes a bit confusing - at least for me. And,
> unfortunately, since I don't have ready access to a couple of 3550's, I
> can't easily or quickly experiment on the switches to test out my questions.
>
> Just to make sure I understand what you're saying, can I restate this as
> follows?
>
> A "PO" refers to just a regular L2 port?
>
> The only distinction you're making in your 1st post when you say "port acl"
> vs "router acl" is the type of port, L2 vs L3?
>
> And, as far as acl's applied to trunk ports, you're saying it will work just
> as if the port were a regular L2 or L3 port.
>
> For example, is this config OK?
>
> ! standard ACL: a standard entry has no protocol keyword
> access-list 1 deny 10.0.0.0
> access-list 1 permit any
>
> int fa0/4
> switchport mode trunk
> ip access-group 1 in
>
> So, as a result, all traffic from 10.0.0.0 will be denied regardless of what
> vlan the pkt rides in?
>
> Or, do I need to use the MQC structure and the Per-Port Per-VLAN construct
> shown in the manual on page 27 34?
>
> Or, am I way out in left field and don't have a clue?
>
> Thanks, Tim
>
> ----- Original Message -----
> From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> To: "Tim Last" <packtmon@yahoo.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Monday, April 26, 2004 10:58 AM
> Subject: Correction: 3550 - ip acl's on trunks
>
>
> > Tim,
> >
> > After further reflection, it looks like applying port acls to physical
> > ports in an etherchannel is supported. What is not supported is applying an
> > access-list to a L2 PortChannel Interface. When the docs refer to an
> > "Etherchannel interface", they appear to mean the PortChannel Interface (L2
> > or L3), not the physical ports in the channel.
> >
> >
> > Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> > www.netmasterclass.net
> >
> > ----- Original Message -----
> > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > To: "Tim Last" <packtmon@yahoo.com>; "Group Study" <ccielab@groupstudy.com>
> > Sent: Monday, April 26, 2004 10:43 AM
> > Subject: Re: 3550 - ip acl's on trunks
> >
> >
> > > Tim,
> > >
> > > The documentation says port acls are not permitted on (L2) etherchannel
> > > interfaces. Router acls are allowed on PO interfaces. I would take this
> > > as sound advice, though I have found that port acls applied to L2
> > > etherchannel interfaces are effective.
> > >
> > > Docs say that port acls applied to trunk ports will filter all vlans on the
> > > trunk, which appears to work in practice.
> > >
> > > HTH,
> > >
> > > Bob Sinclair
> > > CCIE #10427, CISSP, MCSE
> > > www.netmasterclass.net
> > >
> > > ----- Original Message -----
> > > From: "Tim Last" <packtmon@yahoo.com>
> > > To: "Group Study" <ccielab@groupstudy.com>
> > > Sent: Monday, April 26, 2004 10:13 AM
> > > Subject: 3550 - ip acl's on trunks
> > >
> > >
> > > > Hi guys,
> > > >
> > > > I know that standard and extended ip acl's work without any additional
> > > > configuration statements on regular Cat 3550 L2 access ports (assuming the
> > > > acl isn't being used for QoS purposes).
> > > >
> > > > Is this also true if the port is a trunk or if ports have been grouped
> > > > into an etherchannel?
> > > >
> > > > Also, can ip acl's be applied to SVI's?
> > > >
> > > > Thanks in advance, Tim
> > > >
> > > >
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:55 GMT-3