From: Bob Sinclair (bsinclair@netmasterclass.net)
Date: Mon Apr 26 2004 - 14:03:02 GMT-3
I think you have it right: an access-list applied inbound on Int vlan X
will filter traffic sourced from the ports in that vlan. An access-list
applied out will filter traffic destined to the ports in that vlan.
HTH,
Bob Sinclair
CCIE #10427, CISSP, MCSE
www.netmasterclass.net
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Bob Sinclair" <bsinclair@netmasterclass.net>; "Group Study"
<ccielab@groupstudy.com>
Sent: Monday, April 26, 2004 12:42 PM
Subject: Re: Correction: 3550 - ip acl's on trunks
> Bob,
>
> Thanks, this is fantastic. I'm in the process of making some notes to
> myself to highlight the gotchas I need to be aware of with the 3550.
>
> It sounds like, based on what you've told me, I can conclude re: 3550 ACLs:
>
> 1) They work essentially the same way as they do when configured on router
> interfaces.
>
> 2) They can be applied to any type of 3550 port (L2 phy access, L3 routed
> interface, trunk, phy port that's part of an etherchannel, or SVI) the same
> way they would be applied to an interface on a router, i.e. they do NOT have
> to be applied via the creation of the MQC (class, policy, service), although
> doing it that way is OK also.
>
> 3) The ONE exception is that if the ACL is to be applied to an L2 access
> port, it must be ONLY in the inbound direction.
>
> One last question while we're on the topic of acl's:
>
> Re: SVIs: Since an SVI is a logical interface, what meaning does the
> direction (in or out) have as applied to an SVI? For example, suppose this
> is my config, and ports fa0/1 - 3 are in vlan 30.
>
> access-list 3 permit 36.0.0.0
>
> int vlan 30
> ip addr x.x.x.x
> ip access-group 3 in
>
> Will traffic coming *in* from ports fa0/1 - 3 that isn't permitted by ACL 3
> be denied and not passed to other routed interfaces on the 3550, or will
> traffic going in the other direction, coming in through routed interfaces
> and heading to SVI 30, be denied? Or, does this question not make sense?
>
> Thanks again, Tim
>
> ----- Original Message -----
> From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Monday, April 26, 2004 12:04 PM
> Subject: Re: Correction: 3550 - ip acl's on trunks
>
>
> > The docs seem to use the term "etherchannel interface" to refer to either
> > an L2 or L3 Interface Port-Channel.
> >
> > Also from what I can gather, a "port acl" is an access-list applied to a
> > layer 2 port, whereas a "router-acl" is applied to a layer 3 port (routed,
> > L3 Po, or Int VLAN). However there are some other differences, e.g.,
> > port acls can only be applied inbound.
> >
> > I have tested your config re acl on trunk, and it does seem to work as
> > advertised.
> >
> > I take along a Cat3550 "virtually" everywhere I go, so let me know if I
> > can test something for you.
> >
> > HTH,
> >
> > Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> > www.netmasterclass.net
> >
> > ----- Original Message -----
> > From: "ccie2be" <ccie2be@nyc.rr.com>
> > To: "Group Study" <ccielab@groupstudy.com>; "Bob Sinclair"
> > <bsinclair@netmasterclass.net>
> > Sent: Monday, April 26, 2004 11:52 AM
> > Subject: Re: Correction: 3550 - ip acl's on trunks
> >
> >
> > > Hi Bob,
> > >
> > > Thanks for getting back to me. I appreciate it. Yes, I agree the
> > > documentation is sometimes a bit confusing - at least for me. And,
> > > unfortunately, since I don't have ready access to a couple of 3550s, I
> > > can't easily or quickly experiment on the switches to test out my
> > > questions.
> > >
> > > Just to make sure I understand what you're saying, can I restate this as
> > > follows?
> > >
> > > A "PO" refers to just a regular L2 port?
> > >
> > > The only distinction you're making in your 1st post when you say "port
> > > acl" vs "router acl" is the type of port, L2 vs L3?
> > >
> > > And, as far as ACLs applied to trunk ports, you're saying it will work
> > > just as if the port were a regular L2 or L3 port.
> > >
> > > For example, is this config OK?
> > >
> > > ! standard ACL: with no wildcard this entry matches host 10.0.0.0 only
> > > access-list 1 deny 10.0.0.0
> > > access-list 1 permit any
> > >
> > > int fa0/4
> > > switchport mode trunk
> > > ip access-group 1 in
> > >
> > > So, as a result, all traffic from 10.0.0.0 will be denied regardless of
> > > what vlan the pkt rides in?
> > >
> > > Or, do I need to use the MQC structure and the Per-Port Per-Vlan
> > > construct shown in the manual on page 27 34?
> > >
> > > Or, am I way out in left field and don't have a clue?
> > >
> > > Thanks, Tim
> > >
> > > ----- Original Message -----
> > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > To: "Tim Last" <packtmon@yahoo.com>; "Group Study"
> > <ccielab@groupstudy.com>
> > > Sent: Monday, April 26, 2004 10:58 AM
> > > Subject: Correction: 3550 - ip acl's on trunks
> > >
> > >
> > > > Tim,
> > > >
> > > > After further reflection, it looks like applying port acls to
> > > > physical ports in an etherchannel is supported. What is not supported is
> > > > applying an access-list to an L2 PortChannel Interface. When the docs
> > > > refer to an "Etherchannel interface", they appear to mean the PortChannel
> > > > Interface (L2 or L3), not the physical ports in the channel.
> > > >
> > > >
> > > > Bob Sinclair
> > > > CCIE #10427, CISSP, MCSE
> > > > www.netmasterclass.net
> > > >
> > > > ----- Original Message -----
> > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > To: "Tim Last" <packtmon@yahoo.com>; "Group Study"
> > > <ccielab@groupstudy.com>
> > > > Sent: Monday, April 26, 2004 10:43 AM
> > > > Subject: Re: 3550 - ip acl's on trunks
> > > >
> > > >
> > > > > Tim,
> > > > >
> > > > > The documentation says port acls are not permitted on (L2)
> > > > > etherchannel interfaces. Router acls are allowed on PO interfaces. I
> > > > > would take this as sound advice, though I have found that port acls
> > > > > applied to L2 etherchannel interfaces are effective.
> > > > >
> > > > > Docs say that port acls applied to trunk ports will filter all vlans
> > > > > on the trunk, which appears to work in practice.
> > > > >
> > > > > HTH,
> > > > >
> > > > > Bob Sinclair
> > > > > CCIE #10427, CISSP, MCSE
> > > > > www.netmasterclass.net
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Tim Last" <packtmon@yahoo.com>
> > > > > To: "Group Study" <ccielab@groupstudy.com>
> > > > > Sent: Monday, April 26, 2004 10:13 AM
> > > > > Subject: 3550 - ip acl's on trunks
> > > > >
> > > > >
> > > > > > Hi guys,
> > > > > >
> > > > > > I know that standard and extended ip acl's work without any
> > > > > > additional configuration statements on regular Cat 3550 L2 access
> > > > > > ports (assuming the acl isn't being used for QoS purposes).
> > > > > >
> > > > > > Is this also true if the port is a trunk or if ports have been
> > > > > > grouped into an etherchannel?
> > > > > >
> > > > > > Also, can ip acl's be applied to SVI's?
> > > > > >
> > > > > > Thanks in advance, Tim
> > > > > >
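As an added illustration (not code from the thread or from Cisco), here is a small Python model of the two points the thread turns on: how an IOS standard numbered ACL entry matches (source address only; no wildcard means a single host, and an unmatched packet hits the implicit deny), and which SVI ACL direction sees a packet routed between VLANs, as Bob describes. The ACL lines and VLAN numbers are constructed sample values chosen to echo the two configs Tim posted.

```python
import ipaddress

def parse_standard_acls(config_lines):
    """Return {acl_number: [(action, network, wildcard), ...]} in config order.
    Understands "access-list N {permit|deny} {A.B.C.D [wildcard] | any}"."""
    acls = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not an ACL entry (interface lines, comments, etc.)
        number, action, addr = parts[1], parts[2], parts[3]
        if addr == "any":
            net, wild = 0, 0xFFFFFFFF  # every bit is a don't-care bit
        else:
            net = int(ipaddress.IPv4Address(addr))
            # IOS gotcha: with no wildcard the entry matches ONE host, not a /8
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, net, wild))
    return acls

def evaluate(entries, src_ip):
    """First matching entry wins; no match means the implicit deny applies."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild in entries:
        if (src | wild) == (net | wild):  # compare only the non-wildcard bits
            return action
    return "deny"

def svi_filter(svi_acls, src_vlan, dst_vlan, src_ip):
    """Model router ACLs on SVIs for a packet routed from src_vlan to dst_vlan:
    'in' on the source VLAN's SVI sees traffic sourced from that VLAN's ports,
    'out' on the destination VLAN's SVI sees traffic destined to its ports.
    svi_acls maps vlan -> {"in": entries, "out": entries} (either may be absent)."""
    for vlan, direction in ((src_vlan, "in"), (dst_vlan, "out")):
        entries = svi_acls.get(vlan, {}).get(direction)
        if entries is not None and evaluate(entries, src_ip) == "deny":
            return ("deny", vlan, direction)
    return ("permit", None, None)

# Constructed sample config echoing the thread's ACLs, with valid syntax.
SAMPLE_CONFIG = [
    "access-list 1 deny 10.0.0.0",                  # host 10.0.0.0 only!
    "access-list 1 permit any",
    "access-list 2 deny 10.0.0.0 0.255.255.255",    # the whole 10/8
    "access-list 2 permit any",
    "access-list 3 permit 36.0.0.0 0.255.255.255",  # anything else: implicit deny
]
ACLS = parse_standard_acls(SAMPLE_CONFIG)
# SVI 30 carries ACL 3 inbound, as in the "int vlan 30" question above.
SVI_ACLS = {30: {"in": ACLS["3"]}}
```

With this model, ACL 1 lets 10.1.2.3 through while ACL 2 blocks it, and a packet from a vlan 30 port is stopped by the inbound ACL on SVI 30 whereas a packet routed *towards* vlan 30 is not.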
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:55 GMT-3