Re: 3550 ACL's ..

From: George Carr (gcarr@speakeasy.net)
Date: Sat Sep 16 2006 - 23:11:06 ART


It appears to me that the primary problem is that you are trying to filter
on L3 at an interface that only has an L2 function in the conversation.
IP ACLs will work on routed interfaces because they are L3 interfaces much
like those in any router. For a 3550 interface to be a routed (L3) interface its
configuration must begin with the line 'no switchport'; yours begins with
'switchport access vlan 16'.

As for using the VLAN SVI for filtering, here again for the most part a VLAN
is an L2 animal. The SVIs are like the router interfaces that lead to and from
the L2 segment that is defined by the ports assigned to be in that VLAN.
The only way I can think of that a VLAN SVI would be useful for applying
IP ACLs to would be if:
- the devices in the VLAN it represents were configured to use its IP
address as a default gateway
- and the devices you were trying to filter were in a different VLAN or a
subnet accessible through some other routing device connected to the switch
- and you were running some L3 routing protocol on the 3550

In other words:
- if the devices you are trying to filter are also in VLAN 16 then the
switch is only an L2 participant in the conversation.
- if the devices are on a different subnet / VLAN and / or device and the
default gateway on the servers is not the IP of the VLAN 16 SVI then
again the 3550 is only providing an L2 path to whatever device is
configured to be the default gateway for the server and does not even look at
the L3 information in the packet.

Call me crazy but you can't filter an L2 conversation with an IP access list;
IP is L3.

- GLC

----- Original Message -----
From: "2nd CCIE" <doubleccie@yahoo.com>
To: <palomoj@sbcglobal.net>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Saturday, September 16, 2006 2:14 PM
Subject: Re: 3550 ACL's ..

> OK ..I have tried to apply the ACL on the interface vlan in both
> directions ..I am still able to ping the server.
>
> What am I missing?
>
>
>
> Joe Palomo <palomoj@sbcglobal.net> wrote:
> If you apply the ACL to the VLAN interface then you need to apply the
> ACL for egress (out) traffic to the server. Ingress (in) would deny icmp
> from server segment outbound. HTH.
>
> ccie16430 (Security)
>
> 2nd CCIE wrote:
>
>>Folks;
>> I have trouble trying to do a simple configuration on the 3550.
>> I have a server connected to the 3550 on port f0/11.
>>
>> All I want to do is to deny ICMP to this server and allow everything
>> else.
>> Although it looks like something easy ..it does not work for me.
>>
>> Here is my configuration:
>>
>> !
>> interface FastEthernet0/11
>>  switchport access vlan 16
>>  switchport mode dynamic desirable
>>  ip access-group 101 in
>> !
>> !
>> access-list 101 deny icmp any host 10.10.16.100
>> access-list 101 permit ip any any
>> !
>>
>> With this configuration ..I still can ping the server from anywhere ...I
>> tried to apply the ACL on the interface vlan 16 ..nothing changed.
>>
>> If I remove the second entry of the ACL (basically deny everything) ..it
>> works.
>>
>> But I need the communication to the server ..only the ping I want to
>> disable ...
>>
>> What am I missing here?
>>
>>
>> Thanks
>>
>>
>>
>
>
>
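
The ACL from the quoted thread, evaluated against a ping in both directions, as an added example (my own Python, not code from anyone in the thread or from Cisco): it parses the two entries of access-list 101, applies first-match with the implicit deny, and reports what the ACL would do to the echo request and the echo reply when applied 'in' versus 'out' on the server's port. Whether the 3550 evaluates the ACL at that switchport at all is what the replies above argue about; the example assumes it does and only shows which packets the entries can match. It also handles wildcard-mask sources and destinations, which goes beyond the two entries posted.

```python
import ipaddress
from dataclasses import dataclass

# The ACL from the quoted thread, exactly as posted.
ACL_101 = [
    "access-list 101 deny icmp any host 10.10.16.100",
    "access-list 101 permit ip any any",
]

@dataclass
class Packet:
    proto: str  # "icmp", "tcp", ...
    src: str
    dst: str

def parse_addr(toks):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, rest)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    # A wildcard mask is the bitwise inverse of a subnet mask (contiguous masks only).
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks[1])))
    return ipaddress.ip_network((toks[0], str(mask)), strict=False), toks[2:]

def parse_ace(line):
    """'access-list <n> <action> <proto> <src> <dst>' -> (action, proto, src, dst)."""
    toks = line.split()
    action, proto, rest = toks[2], toks[3], toks[4:]
    src, rest = parse_addr(rest)
    dst, _ = parse_addr(rest)
    return action, proto, src, dst

def evaluate(acl, pkt):
    """First matching entry wins; a numbered ACL ends with an implicit deny."""
    for line in acl:
        action, proto, src, dst = parse_ace(line)
        if proto in ("ip", pkt.proto) and ipaddress.ip_address(pkt.src) in src \
                and ipaddress.ip_address(pkt.dst) in dst:
            return action
    return "deny"

def ping_outcome(acl, client, server, direction):
    """(request_action, reply_action) for a ping from client to server when
    `acl` is applied in `direction` on the server's own switch port.
    'in' sees only frames the server sends; 'out' sees only frames it receives.
    Assumes (hypothetically) that the switch evaluates the ACL at that port."""
    request = Packet("icmp", client, server)  # travelling toward the server
    reply = Packet("icmp", server, client)    # travelling from the server
    if direction == "in":
        return "permit", evaluate(acl, reply)
    return evaluate(acl, request), "permit"
```

With the posted ACL applied 'in', the only packet inspected is the reply whose destination is the client, so the deny entry never matches and the ping succeeds; applied 'out' toward the server the request matches the deny.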



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART