From: sabrina pittarel (sabri_esame@yahoo.com)
Date: Sun Sep 17 2006 - 01:24:41 ART
Sorry to chip in,
but what you are stating here is incorrect.
Have you tried it out?
On the 3550 a regular IP ACL, standard and extended, can be applied in
*ingress direction only* to a switchport.
This is from the DocCD:
Port ACLs
You can also apply ACLs to Layer 2 interfaces on a switch.
Port ACLs are supported on physical interfaces only and not on EtherChannel
interfaces. Port ACLs are applied on interfaces for inbound traffic only.
These access lists are supported on Layer 2 interfaces:
- Standard IP access lists using source addresses
- Extended IP access lists using source and destination addresses and
optional protocol type information
- MAC extended access lists using source and destination MAC addresses
and optional protocol type information
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1135301
2nd CCIE,
about your problem, I'm not sure what's wrong, but what I can say to you is
that it works.
My Topology

          139.1.0.0/24
.3                              .6
R3 ------ SW (vlan367) -------- R6
        0/3          0/6
f0/6 has an ACL applied to drop ICMP echo-replies from R6 toward R3.
R3:
With the ACL configured on SW:
-------------------------------
R3#ping 139.1.0.6 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 139.1.0.6, timeout is 2 seconds:
............................
Success rate is 0 percent (0/28)
R3#ping 139.1.0.6 repeat 1000
Without the ACL configured on SW:
-------------------------------------
R3#ping 139.1.0.6 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 139.1.0.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (959/959), round-trip min/avg/max = 1/2/4 ms
SW:
SW1#sh run int f0/3
Building configuration...
Current configuration : 96 bytes
!
interface FastEthernet0/3
switchport access vlan 367
switchport mode dynamic desirable
end
SW1#sh run int f0/6
Building configuration...
Current configuration : 120 bytes
!
interface FastEthernet0/6
switchport access vlan 367
switchport mode dynamic desirable
ip access-group 100 in
end
SW1#sh access
SW1#sh access-list 100
Extended IP access list 100
10 deny icmp host 139.1.0.6 host 139.1.0.3 echo-reply
20 permit ip any any
SW1#
Sabrina
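A corrected port ACL for the original poster's scenario, as an added example that is not part of any message in this thread. It takes the server address 10.10.16.100, port FastEthernet0/11, VLAN 16 and ACL number 101 from the original post and follows the R3/R6 test shown above; the explanation in the comments is the editor's, derived from the DocCD rule that port ACLs are inbound only.

```cisco
! Added example, not from the thread. Addresses and port names are the
! original poster's (server 10.10.16.100 on FastEthernet0/11, VLAN 16).
!
! A port ACL on the 3550 is evaluated only for traffic entering the port
! (DocCD: "Port ACLs are applied on interfaces for inbound traffic only").
! On f0/11 that is only what the server itself sends, so every packet the
! ACL sees carries source 10.10.16.100. The original line
!   access-list 101 deny icmp any host 10.10.16.100
! describes packets going TOWARD the server; those leave the switch on
! f0/11 and are never compared against the inbound ACL there, which is why
! ping kept working. Matching the reply direction instead, as in the R3/R6
! test above, makes the ping fail while everything else is still permitted:
no access-list 101
access-list 101 deny   icmp host 10.10.16.100 any echo-reply
access-list 101 permit ip any any
!
interface FastEthernet0/11
 switchport access vlan 16
 switchport mode dynamic desirable
 ip access-group 101 in
!
! Check that the ACL is attached and reads as intended, then repeat the
! ping test from another host exactly as in the thread:
! SW1#show running-config interface FastEthernet0/11
! SW1#show access-lists 101
```

One caveat: the echo request still reaches the server; what this port ACL removes is the reply, which is what the R3/R6 test above demonstrates and is enough to make the ping fail. If the requirement is that no ICMP reaches the server at all, the inbound-only rule means the filter has to sit where that traffic enters the switch, inbound on the ports of the hosts doing the pinging, not on the server's own port.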
----- Original Message ----
From: Subhash P <subhashccie@gmail.com>
To: George Carr <gcarr@speakeasy.net>
Cc: 2nd CCIE <doubleccie@yahoo.com>; security@groupstudy.com;
ccielab@groupstudy.com
Sent: Saturday, September 16, 2006 7:24:53 PM
Subject: Re: 3550 ACL's ..
You are perfect.
Subhash.
On 9/17/06, George Carr <gcarr@speakeasy.net> wrote:
>
> It appears to me that the primary problem is that you are trying to filter
> on L3 at an interface that only has an L2 function in the conversation.
> IP ACLs will work on routed interfaces because they are L3 interfaces, much
> like those in any router. For a 3550 to be a routed (L3) interface, its
> interface configuration must begin with the line 'no switchport'; yours
> begins with 'switchport access vlan 16'.
>
> As for using the VLAN SVI for filtering, here again for the most part a
> VLAN is an L2 animal. The SVIs are like the router interfaces that lead to
> and from the L2 segment that is defined by the ports assigned to be in that
> VLAN. The only way I can think of that a VLAN SVI would be useful for
> applying IP ACLs to would be if:
> - the devices in the VLAN it represents were configured to use its IP
> address as a default gateway
> - and the devices you were trying to filter were in a different VLAN or a
> subnet accessible through some other routing device connected to the
> switch.
> - and you were running some L3 routing protocol on the 3550
>
> In other words:
> - if the devices you are trying to filter are also in VLAN 16 then the
> switch is only an L2 participant in the conversation.
> - if the devices are on a different subnet / VLAN and / or device and the
> default gateway on the servers is not the IP of the VLAN 16 SVI then
> again the 3550 is only providing an L2 path to whatever device is
> configured to be the dg for the server and does not even look at the L3
> information in the packet.
>
> Call me crazy but you can't filter an L2 conversation with an IP access
> list; IP is L3.
>
> - GLC
>
>
> ----- Original Message -----
> From: "2nd CCIE" <doubleccie@yahoo.com>
> To: <palomoj@sbcglobal.net>
> Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
> Sent: Saturday, September 16, 2006 2:14 PM
> Subject: Re: 3550 ACL's ..
>
>
> > Ok, I have tried to apply the ACL on the interface vlan in both
> > directions; I am still able to ping the server.
> >
> > What am I missing?
> >
> >
> >
> > Joe Palomo <palomoj@sbcglobal.net> wrote:
> > If you apply the ACL to the VLAN interface then you need to apply the
> > ACL for egress (out) traffic to the server. Ingress (in) would deny icmp
> > from server segment outbound. HTH.
> >
> > ccie16430 (Security)
> >
> > 2nd CCIE wrote:
> >
> >> Folks;
> >> I have trouble trying to do a simple configuration on the 3550.
> >> I have a server connected to the 3550 on port f0/11.
> >>
> >> All I want to do is to deny ICMP to this server and allow everything
> >> else. Although it looks like something easy, it does not work for me.
> >>
> >> Here is my configuration:
> >>
> >> !
> >> interface FastEthernet0/11
> >>  switchport access vlan 16
> >>  switchport mode dynamic desirable
> >>  ip access-group 101 in
> >> !
> >> !
> >> access-list 101 deny icmp any host 10.10.16.100
> >> access-list 101 permit ip any any
> >> !
> >>
> >> With this configuration I can still ping the server from anywhere. I
> >> tried to apply the ACL on the interface vlan 16; nothing changed.
> >>
> >> If I remove the second entry of the ACL (basically deny everything), it
> >> works.
> >>
> >> But I need the communication to the server; only the ping I want to
> >> disable.
> >>
> >> What am I missing here?
> >>
> >> Thanks
> >>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART