RE: Correction: 3550 - acl's on Etherchannels

From: Richard Dumoulin (richard.dumoulin@vanco.es)
Date: Tue Apr 27 2004 - 17:58:19 GMT-3


Yes this is of great help. Also I am not sure why Cisco is complicating
matters in such a way, they are also less and less logical ...

-----Original Message-----
From: Bob Sinclair [mailto:bsin@cox.net]
Sent: Tuesday, 27 April 2004 17:29
To: ccie2be; Group Study
Subject: Re: Correction: 3550 - acl's on Etherchannels

Tim,

I think it is generally true that you will want to make config changes to
the PortChannel interface, rather than the physical ports. But port acls
appear to be an exception. When I apply port acls to all of the L2 ports in
an L2 etherchannel it is effective. If I try to apply it to the L2
PortChannel, I get an error.

When I create a L3 PortChannel and apply router acls to the physical ports,
the switch takes the access-group commands, but they are not effective. The
router acl is only effective when I apply it to the L3 Po interface.

Does that help?

Bob Sinclair
CCIE #10427, CISSP, MCSE
www.netmasterclass.

----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Bob Sinclair" <bsinclair@netmasterclass.net>; "Group Study"
<ccielab@groupstudy.com>
Sent: Tuesday, April 27, 2004 8:28 AM
Subject: Re: Correction: 3550 - acl's on Etherchannels

> Hey Bob,
>
> I'm trying to nail down my facts on this and the 3550 config guide
> isn't 100% clear, so maybe you can verify what the rules are regarding
> how acl's should be applied to Etherchannels. My take from the config
> guide is that if something should affect all traffic on all links in
> an etherchannel, that something, acl's for example, should be applied
> at the port channel level, not the physical port. Do you agree with this?
>
> Also, is the above true regardless of what type of Etherchannel is
> configured? L2 Etherchannel? L2 Etherchannel trunk? L3 Etherchannel?
>
> Does this mean an acl applied to all ports in an Etherchannel will NOT
> work?
>
> Thanks, Tim
>
>
> ----- Original Message -----
> From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Monday, April 26, 2004 1:03 PM
> Subject: Re: Correction: 3550 - ip acl's on trunks
>
>
> > I think you have it right: an access-list applied inbound on Int
> > vlan X will filter traffic sourced from the ports in that vlan. An
> > access-list applied out will filter traffic destined to the ports in
> > that vlan.
> >
> > HTH,
> >
> > Bob Sinclair
> > CCIE #10427, CISSP, MCSE
> > www.netmasterclass.net
> >
> > ----- Original Message -----
> > From: "ccie2be" <ccie2be@nyc.rr.com>
> > To: "Bob Sinclair" <bsinclair@netmasterclass.net>; "Group Study"
> > <ccielab@groupstudy.com>
> > Sent: Monday, April 26, 2004 12:42 PM
> > Subject: Re: Correction: 3550 - ip acl's on trunks
> >
> >
> > > Bob,
> > >
> > > Thanks, this is fantastic. I'm in the process of making some
> > > notes to myself to highlight the Gotcha's I need to be aware of
> > > with the 3550.
> > >
> > > It sounds like based on what you've told me, I can conclude re:
> > > 3550 acl's
> > >
> > > 1) They work essentially the same way as they do when configured
> > > on router interfaces
> > >
> > > 2) They can be applied to any type of 3550 port (L2 phy access, L3
> > > routed interface, trunk, phy port that's part of etherchannel, or
> > > SVI) the same way they would be applied to an interface on a router
> > > ie they do NOT have to be applied via the creation of the MQC
> > > (class, policy, service) although doing it that way is OK also.
> > >
> > > 3) The ONE exception is that if the acl is to be applied to a L2
> > > access port, it must be ONLY in the inbound direction.
> > >
> > > One last question while we're on the topic of acl's:
> > >
> > > Re: SVI's: Since an SVI is a logical interface, what meaning does
> > > the direction (In or OUT) have as applied to a SVI? For example,
> > > suppose this is my config. And, ports fa0/1 - 3 are in vlan 30.
> > >
> > > access-list 3 permit 36.0.0.0
> > >
> > > int vlan 30
> > > ip addr x.x.x.x
> > > ip access-group 3 in
> > >
> > > Will traffic coming *in* from ports fa0/1 - 3 that isn't
> > > permitted by acl 3 be denied and not passed to other routed
> > > interfaces on the 3550 or will traffic going in the other direction,
> > > coming in through routed interfaces and heading to svi 30 be denied?
> > > Or, does this question not make sense?
> > >
> > > Thanks again, Tim
> > >
> > > ----- Original Message -----
> > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> <ccielab@groupstudy.com>
> > > Sent: Monday, April 26, 2004 12:04 PM
> > > Subject: Re: Correction: 3550 - ip acl's on trunks
> > >
> > >
> > > > The docs seem to use the term "etherchannel interface" to refer
> > > > to either a L2 or L3 Interface Port-Channel.
> > > >
> > > > Also from what I can gather, a "port acl" is an access-list
> > > > applied to a layer 2 port, whereas a "router-acl" is applied to a
> > > > layer 3 port (routed, L3 Po, or Int VLAN). However there are some
> > > > other differences, e.g., port acls can only be applied inbound.
> > > >
> > > > I have tested your config re acl on trunk, and it does seem to
> > > > work as advertised.
> > > >
> > > > I take along a Cat3550 "virtually" everywhere I go, so let me
> > > > know if I can test something for you.
> > > >
> > > > HTH,
> > > >
> > > > Bob Sinclair
> > > > CCIE #10427, CISSP, MCSE
> > > > www.netmasterclass.net
> > > >
> > > > ----- Original Message -----
> > > > From: "ccie2be" <ccie2be@nyc.rr.com>
> > > > To: "Group Study" <ccielab@groupstudy.com>; "Bob Sinclair"
> > > > <bsinclair@netmasterclass.net>
> > > > Sent: Monday, April 26, 2004 11:52 AM
> > > > Subject: Re: Correction: 3550 - ip acl's on trunks
> > > >
> > > >
> > > > > Hi Bob,
> > > > >
> > > > > Thanks for getting back to me. I appreciate it. Yes, I agree
> > > > > the documentation is sometimes a bit confusing - at least for
> > > > > me. And, unfortunately, since I don't have ready access to a
> > > > > couple of 3550's, I can't easily or quickly experiment on the
> > > > > switches to test out my questions.
> > > > >
> > > > > Just to make sure I understand what you're saying, can I
> > > > > restate this as follows?
> > > > >
> > > > > A "PO" refers to just a regular L2 port?
> > > > >
> > > > > The only distinction you're making in your 1st post when you
> > > > > say "port acl" vs "router acl" is the type of port, L2 vs L3?
> > > > >
> > > > > And, as far as acl's applied to trunk ports, you're saying it
> > > > > will work just as if the port were a regular L2 or L3 port.
> > > > >
> > > > > For example, is this config OK?
> > > > >
> > > > > access-list 1 deny 10.0.0.0
> > > > > access-list 1 permit any
> > > > >
> > > > > int fa0/4
> > > > > switchport mode trunk
> > > > > ip access-group 1 in
> > > > >
> > > > > So, as a result, all traffic from 10.0.0.0 will be denied
> > > > > regardless of what vlan the pkt rides in?
> > > > >
> > > > > Or, do I need to use the MQC structure and the Per_Port
> > > > > Per-Vlan construct shown in the manual on page 27 34?
> > > > >
> > > > > Or, am I way out in left field and don't have a clue?
> > > > >
> > > > > Thanks, Tim
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > > To: "Tim Last" <packtmon@yahoo.com>; "Group Study"
> > > > <ccielab@groupstudy.com>
> > > > > Sent: Monday, April 26, 2004 10:58 AM
> > > > > Subject: Correction: 3550 - ip acl's on trunks
> > > > >
> > > > >
> > > > > > Tim,
> > > > > >
> > > > > > After further reflection, it looks like applying port acls
> > > > > > to physical ports in an etherchannel is supported. What is
> > > > > > not supported is applying an access-list to a L2 PortChannel
> > > > > > Interface. When the docs refer to an "Etherchannel interface",
> > > > > > they appear to mean the PortChannel Interface (L2 or L3), not
> > > > > > the physical ports in the channel.
> > > > > >
> > > > > >
> > > > > > Bob Sinclair
> > > > > > CCIE #10427, CISSP, MCSE
> > > > > > www.netmasterclass.net
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Bob Sinclair" <bsinclair@netmasterclass.net>
> > > > > > To: "Tim Last" <packtmon@yahoo.com>; "Group Study"
> > > > > <ccielab@groupstudy.com>
> > > > > > Sent: Monday, April 26, 2004 10:43 AM
> > > > > > Subject: Re: 3550 - ip acl's on trunks
> > > > > >
> > > > > >
> > > > > > > Tim,
> > > > > > >
> > > > > > > The documentation says port acls are not permitted on (L2)
> > > > > > > etherchannel interfaces. Router acls are allowed on PO
> > > > > > > interfaces. I would take this as sound advice, though I have
> > > > > > > found that port acls applied to L2 etherchannel interfaces
> > > > > > > are effective.
> > > > > > >
> > > > > > > Docs say that port acls applied to trunk ports will filter
> > > > > > > all vlans on the trunk, which appears to work in practice.
> > > > > > >
> > > > > > > HTH,
> > > > > > >
> > > > > > > Bob Sinclair
> > > > > > > CCIE #10427, CISSP, MCSE
> > > > > > > www.netmasterclass.net
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Tim Last" <packtmon@yahoo.com>
> > > > > > > To: "Group Study" <ccielab@groupstudy.com>
> > > > > > > Sent: Monday, April 26, 2004 10:13 AM
> > > > > > > Subject: 3550 - ip acl's on trunks
> > > > > > >
> > > > > > >
> > > > > > > > Hi guys,
> > > > > > > >
> > > > > > > > I know that standard and extended ip acl's work without
> > > > > > > > any additional configuration statements on regular Cat 3550
> > > > > > > > L2 access ports (assuming the acl isn't being used for QoS
> > > > > > > > purposes).
> > > > > > > >
> > > > > > > > Is this also true if the port is a trunk or if ports have
> > > > > > > > been grouped into an etherchannel?
> > > > > > > >
> > > > > > > > Also, can ip acl's be applied to SVI's?
> > > > > > > >
> > > > > > > > Thanks in advance, Tim
> > > > > > > >
> > > > > > > > ______________________________________________________________________
> > > > > > > > Please help support GroupStudy by purchasing your study materials from:
> > > > > > > > http://shop.groupstudy.com
> > > > > > > >
> > > > > > > > Subscription information may be found at:
> > > > > > > > http://www.groupstudy.com/list/CCIELab.html
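The placement rules Bob reports from his 3550 tests (a port ACL on an L2 Port-channel is rejected, a router ACL on the member ports of an L3 channel is accepted but not effective, and port ACLs are inbound only) written up as a small config audit. This is an added example, not code from the thread; the interface names and the sample config are constructed, and it only recognises the `switchport` / `no switchport` / `channel-group` / `ip access-group` lines it needs.

```python
# Constructed sample 3550 config (not from the thread): three bad placements, two good.
SAMPLE_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 ip access-group 101 in
interface Port-channel2
 no switchport
 ip access-group 102 in
interface FastEthernet0/3
 no switchport
 channel-group 2 mode on
 ip access-group 102 in
interface FastEthernet0/5
 switchport access vlan 30
 ip access-group 103 out
interface Vlan30
 ip access-group 3 in
"""

def parse_interfaces(config):
    # Map each 'interface X' line to its indented config lines; column 0 ends a block.
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith(" ") and current is not None:
            ifaces[current].append(line.strip())
        else:
            current = None
    return ifaces

def is_l3(name, lines):
    # SVIs and 'no switchport' ports take router ACLs; other ports take port ACLs.
    return name.lower().startswith("vlan") or "no switchport" in lines

def audit_acl_placement(config):
    """Return (interface, problem) for each ip access-group the 3550 rejects or ignores."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        group = next((l.split()[1] for l in lines if l.startswith("channel-group ")), None)
        l3, po = is_l3(name, lines), name.lower().startswith("port-channel")
        for acl in (l for l in lines if l.startswith("ip access-group ")):
            if po and not l3:
                findings.append((name, "port ACL on an L2 Port-channel is rejected; put it on each member port"))
            elif group and l3:
                findings.append((name, f"router ACL on an L3 channel member is ignored; put it on Port-channel{group}"))
            elif not l3 and acl.split()[-1] == "out":
                findings.append((name, "port ACL on an L2 port must be inbound"))
    return findings
```

Running `audit_acl_placement(SAMPLE_CONFIG)` flags Port-channel1, FastEthernet0/3 and FastEthernet0/5 and leaves the L3 Port-channel2 and the SVI alone, which matches the behaviour described in the thread.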



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:56 GMT-3