RE: 3550 ACL's ..

From: Sam Lai (LaiS@transnet.com)
Date: Sat Sep 16 2006 - 23:07:08 ART


You should have done the acl 101 as follows:
 
access-list 101 deny icmp host 10.10.16.100 any
access-list 101 permit ip any any
 
The reason is that ACL 101 is applied at the interface level inbound (direction toward the switch from the host), so it acts on traffic sent to the interface from the host. That explains why it stopped all traffic when you removed the 2nd entry (implicit deny any).
 
Hope it helps.
 
Sam
 
 
Sam Lai, CCIE CISSP
TransNet Corporation
Mobile 908.413.5466
Email LaiS@TransNet.com
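To make the direction point concrete, here is a small Python model of first-match ACL evaluation, added for this archive page and not code from Sam or the original poster. It assumes a constructed client at 10.10.16.50 in the same VLAN and supports only the host/any address forms used in the thread; it shows that an inbound ACL on Fa0/11 only ever sees packets the server sends, so the posted entry "deny icmp any host 10.10.16.100" can never match there, while the corrected "deny icmp host 10.10.16.100 any" drops the server's echo replies and leaves its TCP traffic alone.

```python
# Toy first-match model of a Cisco IOS numbered ACL (added illustration, not IOS code).
# Only the "host A.B.C.D" and "any" address forms used in this thread are supported.
SERVER = "10.10.16.100"
CLIENT = "10.10.16.50"  # constructed: another host in VLAN 16 that pings the server


def _take_addr(toks):
    """Consume one address spec ('any' or 'host X') from the token list."""
    if toks[0] == "any":
        return "any", toks[1:]
    if toks[0] == "host":
        return ("host", toks[1]), toks[2:]
    raise ValueError(f"unsupported address form: {' '.join(toks)}")


def parse_ace(line):
    """'access-list 101 deny icmp host 10.10.16.100 any' -> (action, proto, src, dst)."""
    toks = line.split()  # toks[0:2] are 'access-list' and the list number
    action, proto = toks[2], toks[3]
    src, rest = _take_addr(toks[4:])
    dst, _ = _take_addr(rest)
    return action, proto, src, dst


def evaluate(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny any'."""
    for action, proto, src, dst in acl:
        if (proto in ("ip", pkt["proto"])
                and (src == "any" or src[1] == pkt["src"])
                and (dst == "any" or dst[1] == pkt["dst"])):
            return action
    return "deny"


# 'ip access-group 101 in' on Fa0/11 filters frames arriving from the attached host,
# so the only packets this ACL ever sees are ones the *server* sends.  The client's
# echo request enters the switch on the client's own port, never inbound on Fa0/11.
INBOUND_ON_FA0_11 = [
    {"desc": "echo-reply from server", "proto": "icmp", "src": SERVER, "dst": CLIENT},
    {"desc": "tcp from server", "proto": "tcp", "src": SERVER, "dst": CLIENT},
]
ORIGINAL_ACL = [parse_ace(l) for l in (
    "access-list 101 deny icmp any host 10.10.16.100",  # as posted: cannot match here
    "access-list 101 permit ip any any")]
FIXED_ACL = [parse_ace(l) for l in (
    "access-list 101 deny icmp host 10.10.16.100 any",  # Sam's correction
    "access-list 101 permit ip any any")]


def results(acl):
    """Map each inbound packet description to the action the ACL takes on it."""
    return {p["desc"]: evaluate(acl, p) for p in INBOUND_ON_FA0_11}
```

Note that the corrected entry makes pings fail by discarding the server's replies (and any other ICMP the server originates), not by stopping the requests; real IOS also accepts wildcard masks and ICMP type keywords that this model leaves out.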

________________________________

From: nobody@groupstudy.com on behalf of 2nd CCIE
Sent: Sat 9/16/2006 3:14 PM
To: palomoj@sbcglobal.net
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: 3550 ACL's ..

OK. I have tried to apply the ACL on the interface VLAN in both directions. I am still able to ping the server.

What am I missing?


Joe Palomo <palomoj@sbcglobal.net> wrote:
  If you apply the ACL to the VLAN interface then you need to apply the
ACL for egress (out) traffic to the server. Ingress (in) would deny icmp
from server segment outbound. HTH.

ccie16430 (Security)

2nd CCIE wrote:

> Folks;
> I am having trouble trying to do a simple configuration on the 3550.
> I have a server connected to the 3550 on port f0/11.
>
> All I want to do is deny ICMP to this server and allow everything else.
> Although it looks easy, it does not work for me.
>
> Here is my configuration:
>
> !
> interface FastEthernet0/11
>  switchport access vlan 16
>  switchport mode dynamic desirable
>  ip access-group 101 in
> !
> !
> access-list 101 deny icmp any host 10.10.16.100
> access-list 101 permit ip any any
> !
>
> With this configuration I can still ping the server from anywhere. I tried to apply the ACL on interface vlan 16; nothing changed.
>
> If I remove the second entry of the ACL (basically deny everything), it works.
>
> But I need the communication to the server; it is only the ping that I want to disable.
>
> What am I missing here?
>
>
> Thanks
>




This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART