Re: 3550 ACL's ..

From: Subhash P (subhashccie@gmail.com)
Date: Sat Sep 16 2006 - 23:24:53 ART


You are perfect.

Subhash.

On 9/17/06, George Carr <gcarr@speakeasy.net> wrote:
>
> It appears to me that the primary problem is that you are trying to filter
> on L3 at an interface that only has a L2 function in the conversation.
> ip ACL's will work on routed interfaces because they are L3 interfaces much
> like those in any router. For a 3550 interface to be a routed (L3) interface
> its configuration must begin with the line 'no switchport'; yours begins
> with 'switchport access vlan 16'.
>
> As for using the VLAN SVI for filtering, here again for the most part a
> VLAN is an L2 animal. The SVI's are like the router interfaces that lead
> to and from the L2 segment that is defined by the ports assigned to be in
> that VLAN. The only way I can think of that a VLAN SVI would be useful for
> applying ip ACL's to would be if:
> - the devices in the VLAN it represents were configured to use its IP
>   address as a default gateway
> - and the devices you were trying to filter were in a different VLAN or a
>   subnet accessible through some other routing device connected to the
>   switch.
> - and you were running some L3 routing protocol on the 3550
>
> In other words
> - if the devices you are trying to filter are also in VLAN 16 then the
> switch is only a L2 participant in the conversation.
> - if the devices are on a different subnet / VLAN and / or device and the
> default gateway on the servers is not the ip of the VLAN 16 SVI then
> again the 3550 is only providing a L2 path to whatever device is
> configured to be the dg for the server and does not even look at the L3
> information in the packet.
>
> Call me crazy, but you can't filter a L2 conversation with an ip access
> list; ip is L3.
>
> - GLC
>
>
> ----- Original Message -----
> From: "2nd CCIE" <doubleccie@yahoo.com>
> To: <palomoj@sbcglobal.net>
> Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
> Sent: Saturday, September 16, 2006 2:14 PM
> Subject: Re: 3550 ACL's ..
>
>
> > OK, I have tried to apply the ACL on the interface vlan in both
> > directions. I am still able to ping the server.
> >
> > What am I missing?
> >
> >
> >
> > Joe Palomo <palomoj@sbcglobal.net> wrote:
> > If you apply the ACL to the VLAN interface then you need to apply the
> > ACL for egress (out) traffic to the server. Ingress (in) would deny icmp
> > from server segment outbound. HTH.
> >
> > ccie16430 (Security)
> >
> > 2nd CCIE wrote:
> >
> >> Folks;
> >> I have trouble trying to do a simple configuration on the 3550.
> >> I have a server connected to the 3550 on port f0/11.
> >>
> >> All I want to do is to deny the icmp to this server and allow
> >> everything else.
> >> Although it looks like something easy, it does not work for me.
> >>
> >> Here is my configuration:
> >>
> >> !
> >> interface FastEthernet0/11
> >>  switchport access vlan 16
> >>  switchport mode dynamic desirable
> >>  ip access-group 101 in
> >> !
> >> access-list 101 deny icmp any host 10.10.16.100
> >> access-list 101 permit ip any any
> >> !
> >>
> >> With this configuration I still can ping the server from anywhere. I
> >> tried to apply the ACL on the interface vlan 16; nothing changed.
> >>
> >> If I remove the second entry of the ACL (basically deny everything), it
> >> works.
> >>
> >> But I need the communication to the server; only the ping I want to
> >> disable.
> >>
> >> What am I missing here?
> >>
> >>
> >> Thanks
> >>
> >>
> >>
> >
> >
> >
>
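As an added illustration (not from anyone in this thread), the small Python evaluator below replays access-list 101 from the original post against the two halves of a ping on the server's port f0/11, to show which direction Joe Palomo's point about ingress versus egress applies to. It models only first-match ACL semantics plus the implicit deny, not whether the 3550 evaluates an IP ACL on a switchport at all (George's point); the client address 10.10.16.50 is constructed, and the wildcard-mask branch goes beyond the two entry forms the post uses.

```python
import ipaddress

# Constructed copy of access-list 101 as shown in the original post.
ACL_101 = [
    "access-list 101 deny icmp any host 10.10.16.100",
    "access-list 101 permit ip any any",
]

def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    mask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # IOS wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_entry(line):
    """Parse 'access-list N action proto SRC DST' into (action, proto, src_net, dst_net)."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, rest = _addr(tokens[4:])
    dst, _ = _addr(rest)
    return action, proto, src, dst

def evaluate(acl, proto, src_ip, dst_ip):
    """First matching entry wins; a packet matching no entry hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, src_net, dst_net = parse_entry(line)
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return "deny"

def ping_through_server_port(acl, direction, client="10.10.16.50", server="10.10.16.100"):
    """On the server's own port, 'in' inspects frames entering the switch from the
    server (the echo reply) and 'out' inspects frames leaving toward the server
    (the echo request). Returns True if the ping still succeeds."""
    if direction == "in":
        return evaluate(acl, "icmp", server, client) == "permit"
    return evaluate(acl, "icmp", client, server) == "permit"

if __name__ == "__main__":
    print("ACL 101 in  on f0/11, ping works:", ping_through_server_port(ACL_101, "in"))
    print("ACL 101 out on f0/11, ping works:", ping_through_server_port(ACL_101, "out"))
    print("deny-only ACL in, ping works:   ", ping_through_server_port(ACL_101[:1], "in"))
```

Inbound on f0/11 the deny entry never matches because the server's replies carry 10.10.16.100 as source, not destination, so the permit ip any any entry lets them through; dropping that permit makes everything hit the implicit deny, which is the "it works" the original poster saw.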



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART