From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Apr 26 2004 - 19:12:34 GMT-3
Hey Bob,
Thanks, that's cool.
Upon further reflection I don't think my example will work as described
WITHOUT ip routing enabled or a default gateway defined.
This is because, vlan A and vlan C are in different subnets. Without a
default gateway or routing enabled, how would the switch know to "route" a
pkt from vlan C to vlan A?
If, however, the management SVI's are in the same subnet as vlan C, the same
vlan the router interfaces of rtr1 and rtr2, then everything should work
fine without a default gateway or ip routing enabled as you describe. Do
you agree?
Thanks again, I think it's starting to all come together.
Tim
----- Original Message -----
From: "Bob Sinclair" <bsin@cox.net>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Monday, April 26, 2004 5:55 PM
Subject: Re: 3550 - ip acl's on L3 port GOTCHA
> Hey Tim,
>
> Yes, it works for me. I can telnet into my 3550 from a router on another
> subnet when IP routing on the switch is disabled and it has no default
> gateway. This works because the switch will attempt an arp for any
address,
> and the directly attached router has proxy arp enabled (the default).
>
> Bob Sinclair
> CCIE #10427, CISSP, MCSE
> www.netmasterclass.net
>
> ----- Original Message -----
> From: "ccie2be" <ccie2be@nyc.rr.com>
> To: "Bob Sinclair" <bsinclair@netmasterclass.net>; "Group Study"
> <ccielab@groupstudy.com>
> Sent: Monday, April 26, 2004 4:41 PM
> Subject: Re: 3550 - ip acl's on L3 port GOTCHA
>
>
> > Hey Bob,
> >
> > I'm glad I asked you about that. I probably would have missed your 2nd
> > point otherwise.
> >
> > But, regrading your 2nd point, are you saying that if you need to telnet
> to
> > the switch (which sounds like something that could be required in the
> lab),
> > and routing is NOT enabled, you don't need a default gateway on the
> switch?
> >
> > In other words, let say this is your lab topology:
> >
> > rtr1 fa0/3---- switch1 --- trunk ---- switch 2 ----fa0/3 rtr2 and both
> > fa0/3 interfaces on rtr1 and rtr2 are in vlan C, ip addr 10.3.3.0/24.
> >
> > Let's also say that for the purpose of being able to telnet to either
> > switch, an ip address has been assigned to vlan A on both switches.
> >
> > How would this requirement be fulfilled with:
> >
> > ip routing enabled?
> >
> > ip routing disabled?
> >
> >
> > Thanks, Tim
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
<ccielab@groupstudy.com>
> > Sent: Monday, April 26, 2004 3:59 PM
> > Subject: Re: 3550 - ip acl's on L3 port GOTCHA
> >
> >
> > > Tim,
> > >
> > > That is a good catch on the requirement to enable IP routinng in order
> for
> > a
> > > filter on L3 interface to be effective for traffic other than that
> > destined
> > > for the switch itself.
> > >
> > > A couple thoughts:
> > >
> > > 1. From what I have seen, if IP routing is not enabled, then packets
> will
> > > not be forwarded from one L3 interface to another anyway, so the
filter
> > > would not be applied or useful on that basis.
> > >
> > > 2. One down-side to enabling ip routing by default - when it is
> disabled,
> > > the switch will arp for everything, so it would not need a gateway if
> > proxy
> > > arp is enabled on a connecting router (which it is by default). In
> other
> > > words, enabling IP routing may lead to reachability problems,
requiring
> a
> > > default gateway or routing protocol, that may not otherwise be needed.
> > >
> > > The more I learn about the 3550 the more I have to learn!
> > >
> > >
> > > Bob Sinclair
> > > CCIE #10427, CISSP, MCSE
> > > www.netmasterclass.net
> > >
> > >
> > > ----- Original Message -----
> > > From: "ccie2be" <ccie2be@nyc.rr.com>
> > > To: "Bob Sinclair" <bsinclair@netmasterclass.net>; "Group Study"
> > > <ccielab@groupstudy.com>
> > > Sent: Monday, April 26, 2004 3:43 PM
> > > Subject: Re: 3550 - ip acl's on L3 port GOTCHA
> > >
> > >
> > > > Hi Bob,
> > > >
> > > > Thanks again for all your help with this stuff. When it comes to
the
> > > 3550,
> > > > I suspect yours is one of the most valuable voices to listen to.
> > > >
> > > > While going over all this acl stuff on the 3550, I came across at
> least
> > > one
> > > > potential Gotcha. And, it seems that the most prudent way of
avoiding
> > this
> > > > Gotcha in the lab is to just always enable IP Routing on the switch
> > > (unless
> > > > explicitly forbidden from doing so) . According to the
documentation,
> > if
> > > an
> > > > acl is applied to a L3 interface, it will ONLY work if the source or
> > > > destination of the pkt is the switch itself UNLESS ip routing is
> > enabled.
> > > >
> > > > Therefore, to avoid this Gotcha in the lab, I wonder what you think
of
> > > just
> > > > AUTOMATICALLY enabling IP Routing on both switches when configuring
> the
> > > > switches in the lab. Do you think this is a good idea? Would doing
> so
> > > > cause any other potential problems that you can think of?
> > > >
> > > > Thanks, Tim
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > <ccielab@groupstudy.com>
> > > > Sent: Monday, April 26, 2004 1:03 PM
> > > > Subject: Re: Correction: 3550 - ip acl's on trunks
> > > >
> > > >
> > > > > I think you have it right: an access-list applied inbound on Int
> vlan
> > X
> > > > > will filter traffic sourced from the ports in that vlan. An
> > access-list
> > > > > applied out will filter traffic destined to the ports in that
vlan.
> > > > >
> > > > > HTH,
> > > > >
> > > > > Bob Sinclair
> > > > > CCIE #10427, CISSP, MCSE
> > > > > www.netmasterclass.net
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "ccie2be" <ccie2be@nyc.rr.com>
> > > > > To: "Bob Sinclair" <bsinclair@netmasterclass.net>; "Group Study"
> > > > > <ccielab@groupstudy.com>
> > > > > Sent: Monday, April 26, 2004 12:42 PM
> > > > > Subject: Re: Correction: 3550 - ip acl's on trunks
> > > > >
> > > > >
> > > > > > Bob,
> > > > > >
> > > > > > Thanks, this is fantastic. I'm in the process of making some
> notes
> > to
> > > > > > myself to highlight the Gotcha's I need to be aware of with the
> > 3550.
> > > > > >
> > > > > > It sounds like based on what you've told me, I can conclude re:
> 3550
> > > > acl's
> > > > > >
> > > > > > 1) They work essentially the same way as they do when configured
> on
> > > > router
> > > > > > interfaces
> > > > > >
> > > > > > 2) They can applied to any type of 3550 port (L2 phy access, L3
> > routed
> > > > > > interface, trunk, phy port that's part of etherchannel, or SVI )
> the
> > > > same
> > > > > > way they would be applied to an interface on a router ie they do
> NOT
> > > > have
> > > > > to
> > > > > > be applied via the creation of the MQC ( class, policy, service)
> > > > although
> > > > > > doing it that way is OK also.
> > > > > >
> > > > > > 3) The ONE exception is that if the acl is to be applied to a
L2
> > > > access
> > > > > > port, it must be ONLY in the inbound direction.
> > > > > >
> > > > > > One last question while we're on the topic of acl's:
> > > > > >
> > > > > > Re: SVI's: Since an SVI is a logical interface, what meaning
does
> > the
> > > > > > direction (In or OUT) have as applied to a SVI? For example,
> > suppose
> > > > > this
> > > > > > is my config. And, ports fa0/1 - 3 are in vlan 30.
> > > > > >
> > > > > > access-list 3 permit 36.0.0.0
> > > > > >
> > > > > > int vlan 30
> > > > > > ip addr x.x.x.x
> > > > > > ip access-group 3 in
> > > > > >
> > > > > > Will traffic coming *in* from ports fa0/1 - 3 that isn't
> permitted
> > by
> > > > acl
> > > > > 3
> > > > > > be denied and not passed to other routed interfaces on the 3550
or
> > > will
> > > > > > traffic going in the other direction, coming in through routed
> > > > interfaces
> > > > > > and heading to svi 30 be denied? Or, does this question not
make
> > > sense?
> > > > > >
> > > > > >
> > > > > >
> > > > > > Thanks again, Tim
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > > <ccielab@groupstudy.com>
> > > > > > Sent: Monday, April 26, 2004 12:04 PM
> > > > > > Subject: Re: Correction: 3550 - ip acl's on trunks
> > > > > >
> > > > > >
> > > > > > > The docs seem to use the term "etherchannel interface" to
refer
> to
> > > > > either
> > > > > > a
> > > > > > > L2 or L3 Interface Port-Channel.
> > > > > > >
> > > > > > > Also from what I can gather, a "port acl" is an access-list
> > applied
> > > > to
> > > > > a
> > > > > > > layer 2 port, whereas a "router-acl" is applied to a layer 3
> port
> > > > > (routed,
> > > > > > > L3 Po, or Int VLAN). However there are some other
differences,
> > > e.g.,
> > > > > > port
> > > > > > > acls can only be applied inbound.
> > > > > > >
> > > > > > > I have tested your config re acl on trunk, and it does seem to
> > work
> > > as
> > > > > > > advertised.
> > > > > > >
> > > > > > > I take along a Cat3550 "virtually" everywhere I go, so let me
> know
> > > if
> > > > i
> > > > > > can
> > > > > > > test something for you.
> > > > > > >
> > > > > > > HTH,
> > > > > > >
> > > > > > > Bob Sinclair
> > > > > > > CCIE #10427, CISSP, MCSE
> > > > > > > www.netmasterclass.net
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "ccie2be" <ccie2be@nyc.rr.com>
> > > > > > > To: "Group Study" <ccielab@groupstudy.com>; "Bob Sinclair"
> > > > > > > <bsinclair@netmasterclass.net>
> > > > > > > Sent: Monday, April 26, 2004 11:52 AM
> > > > > > > Subject: Re: Correction: 3550 - ip acl's on trunks
> > > > > > >
> > > > > > >
> > > > > > > > Hi Bob,
> > > > > > > >
> > > > > > > > Thanks for getting back to me. I appreciate it. Yes, I
agree
> > the
> > > > > > > > documentation is sometimes a bit confusing - at least for
me.
> > > And,
> > > > > > > > unfortunately, since I don't have ready access to a couple
of
> > > > 3550's,
> > > > > I
> > > > > > > > can't easily or quickly experiment on the switches to test
out
> > my
> > > > > > > questions.
> > > > > > > >
> > > > > > > > Just to make sure I understand what you're saying, can I
> restate
> > > > this
> > > > > as
> > > > > > > > follows?
> > > > > > > >
> > > > > > > > A "PO" refers to just a regular L2 port?
> > > > > > > >
> > > > > > > > The only distinction you're making in your 1st post when you
> say
> > > > "port
> > > > > > > acl"
> > > > > > > > vs "router acl" is the type of port, L2 vs L3?
> > > > > > > >
> > > > > > > > And, as far as acl's applied to trunk ports, you're saying
it
> > will
> > > > > work
> > > > > > > just
> > > > > > > > as if the port were a regular L2 or L3 port.
> > > > > > > >
> > > > > > > > For example, is this config OK?
> > > > > > > >
> > > > > > > > access-list 1 deny 10.0.0.0
> > > > > > > > access-list 1 permit ip any any
> > > > > > > >
> > > > > > > > int fa0/4
> > > > > > > > switchport mode trunk
> > > > > > > > access-group 1 in
> > > > > > > >
> > > > > > > > So, as a result, all traffic from 10.0.0.0 will be denied
> > > regardless
> > > > > of
> > > > > > > what
> > > > > > > > vlan the pkt rides in?
> > > > > > > >
> > > > > > > > Or, do I need to use the MQC structure and the Per_Port
> Per-Vlan
> > > > > > construct
> > > > > > > > show in the manual on page 27 34?
> > > > > > > >
> > > > > > > > Or, am I way out in left field and don't have a clue?
> > > > > > > >
> > > > > > > > Thanks, Tim
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > > > > > To: "Tim Last" <packtmon@yahoo.com>; "Group Study"
> > > > > > > <ccielab@groupstudy.com>
> > > > > > > > Sent: Monday, April 26, 2004 10:58 AM
> > > > > > > > Subject: Correction: 3550 - ip acl's on trunks
> > > > > > > >
> > > > > > > >
> > > > > > > > > Tim,
> > > > > > > > >
> > > > > > > > > After more further reflection, it looks like applying port
> > acls
> > > to
> > > > > > > > physical
> > > > > > > > > ports in an etherchannel is supported. What is not
> supported
> > is
> > > > > > > applying
> > > > > > > > an
> > > > > > > > > access-list to a L2 PortChannel Interface. When the docs
> > refer
> > > to
> > > > > an
> > > > > > > > > "Etherchannel interface", they appear to mean the
> PortChannel
> > > > > > Interface
> > > > > > > > (L2
> > > > > > > > > or L3), not the physical ports in the channel.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Bob Sinclair
> > > > > > > > > CCIE #10427, CISSP, MCSE
> > > > > > > > > www.netmasterclass.net
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > > > > > > To: "Tim Last" <packtmon@yahoo.com>; "Group Study"
> > > > > > > > <ccielab@groupstudy.com>
> > > > > > > > > Sent: Monday, April 26, 2004 10:43 AM
> > > > > > > > > Subject: Re: 3550 - ip acl's on trunks
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Tim,
> > > > > > > > > >
> > > > > > > > > > The documentation says port acls are not permitted on
(L2)
> > > > > > > etherchannel
> > > > > > > > > > interfaces. Router acls are allowed on PO interfaces.
> I
> > > > would
> > > > > > take
> > > > > > > > > this
> > > > > > > > > > as sound advice, though I have found that port acls
> applied
> > to
> > > > L2
> > > > > > > > > > etherchannel interfaces are effective.
> > > > > > > > > >
> > > > > > > > > > Docs say that port acls applied to trunk ports will
filter
> > all
> > > > > vlans
> > > > > > > on
> > > > > > > > > the
> > > > > > > > > > trunk, which appears to work in practice.
> > > > > > > > > >
> > > > > > > > > > HTH,
> > > > > > > > > >
> > > > > > > > > > Bob Sinclair
> > > > > > > > > > CCIE #10427, CISSP, MCSE
> > > > > > > > > > www.netmasterclass.net
> > > > > > > > > >
> > > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Tim Last" <packtmon@yahoo.com>
> > > > > > > > > > To: "Group Study" <ccielab@groupstudy.com>
> > > > > > > > > > Sent: Monday, April 26, 2004 10:13 AM
> > > > > > > > > > Subject: 3550 - ip acl's on trunks
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > > Hi guys,
> > > > > > > > > > >
> > > > > > > > > > > I know that standard and extended ip acl's work
without
> > any
> > > > > > > additional
> > > > > > > > > > configuration statements on regular Cat 3550 L2 access
> ports
> > > > > > (assuming
> > > > > > > > the
> > > > > > > > > > acl isn't being used for QoS purposes).
> > > > > > > > > > >
> > > > > > > > > > > Is this also true if the port is a trunk or if ports
> have
> > > been
> > > > > > > grouped
> > > > > > > > > > into an etherchannel?
> > > > > > > > > > >
> > > > > > > > > > > Also, can ip acl's be applied to SVI's?
> > > > > > > > > > >
> > > > > > > > > > > Thanks in advanced, Tim
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > ---------------------------------
> > > > > > > > > > > Do you Yahoo!?
> > > > > > > > > > > Yahoo! Photos: High-quality 4x6 digital prints for 25"
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > >
> > > > >
> > _______________________________________________________________________
> > > > > > > > > > > Please help support GroupStudy by purchasing your
study
> > > > > materials
> > > > > > > > from:
> > > > > > > > > > > http://shop.groupstudy.com
> > > > > > > > > > >
> > > > > > > > > > > Subscription information may be found at:
> > > > > > > > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > > > > > > >
> > > > > > > > > >
> > > > > > >
> > > >
> _______________________________________________________________________
> > > > > > > > > > Please help support GroupStudy by purchasing your study
> > > > materials
> > > > > > > from:
> > > > > > > > > > http://shop.groupstudy.com
> > > > > > > > > >
> > > > > > > > > > Subscription information may be found at:
> > > > > > > > > > http://www.groupstudy.com/list/CCIELab.html
> > > > > > > > >
> > > > > > > > >
> > > > > >
> > >
This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:55 GMT-3