From: sabrina pittarel (sabri_esame@yahoo.com)
Date: Sun Sep 17 2006 - 14:01:07 ART
What you said below is all correct... About your question: always from the DocCD:
Unsupported Features
The Catalyst 3550 switch does not support these Cisco IOS router ACL-related features:
- Non-IP protocol ACLs (see Table 29-1).
- Bridge-group ACLs.
- IP accounting.
- Inbound and outbound rate limiting (except with QoS ACLs).
- IP packets with a header length of less than five are not access controlled (results in an ICMP parameter error).
- Reflexive ACLs.
- Dynamic ACLs (except for certain specialized dynamic ACLs used by the switch clustering feature).
- For Layer 2 port ACLs, the switch does not support logging or outbound ACLs.
Sabrina
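The piece the thread names but never shows is the VLAN access map. A port ACL on the 3550 is inbound-only (so it filters what the host sends, as Sabrina's f0/6 test does), and an ACL on the SVI only sees traffic that is routed, so neither one can block ICMP arriving at a host from another port in the same VLAN. The configuration below is an added example written for this archive page, not posted by anyone in the thread. It reuses the server address 10.10.16.100 and VLAN 16 from the original question; the ACL and access-map names are my own choice.

```cisco
! Added example: VACL that drops ICMP destined to the server and forwards
! everything else in VLAN 16. A VLAN access map is applied to all packets
! entering the VLAN, bridged or routed, in either direction, which is why it
! catches traffic that a port ACL (inbound only) or an SVI ACL (routed
! traffic only) never sees.
!
! The IP ACL only SELECTS traffic; the access-map action decides what
! happens to it, so the ACL uses "permit" for the packets to be dropped.
ip access-list extended ICMP-TO-SERVER
 permit icmp any host 10.10.16.100
!
vlan access-map NO-PING-SERVER 10
 match ip address ICMP-TO-SERVER
 action drop
vlan access-map NO-PING-SERVER 20
 action forward
!
! Sequence 20 has no match clause, so it matches everything that reached it.
! Without it the implicit deny at the end of the access map would drop all
! other traffic in the VLAN, the same "only deny-everything works" symptom
! the original post describes for its port ACL.
vlan filter NO-PING-SERVER vlan-list 16
!
! Verify:
! show vlan access-map NO-PING-SERVER
! show vlan filter
```

Two caveats. The match is on destination only, so the server can still send echo-requests, but the echo-replies coming back to 10.10.16.100 are ICMP to the server and are dropped as well; if only inbound pings should be blocked, narrow the ACL to `permit icmp any host 10.10.16.100 echo`. And a VACL is static and stateless; per the DocCD excerpt above, dynamic (lock-and-key) ACLs are not supported on the 3550, so it cannot be made to open on a Telnet authentication the way 2nd CCIE asks below.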
----- Original Message ----
From: 2nd CCIE <doubleccie@yahoo.com>
To: sabrina pittarel <sabri_esame@yahoo.com>; Subhash P
<subhashccie@gmail.com>; George Carr <gcarr@speakeasy.net>
Cc: 2nd CCIE <doubleccie@yahoo.com>; security@groupstudy.com;
ccielab@groupstudy.com
Sent: Sunday, September 17, 2006 5:03:16 AM
Subject: Re: 3550 ACL's ..
Here is my observation.
First, the IP ACL can be applied on the L2 interfaces according to the Docs; however, it will apply only in the inbound direction (to the switch), which means it can filter the outbound traffic of a certain host, not the inbound traffic, which is the case I wanted to achieve. In your scenario it will work because you applied the ACL in the direction to filter the echo-replies from the host. This is OK.
Second observation: if the IP ACL is applied on the logical interface (interface vlan), it will take effect only if the traffic is passing an L3 boundary on the switch, not traffic bridged on the same VLAN.
To achieve filtering in the outbound direction (filtering traffic going to a host) is a combination of an L3 ACL and a vlan access-map. I have tested this and it works as per expectation. But here is what I want to achieve.
I have this scenario: R3---------------SW------------host. They are all on the same VLAN.
R3 is connected to the outside world. I want to configure a lock-and-key ACL where ICMP traffic should be forwarded to the host after a user gets authenticated on the switch.
Now, if I configure the L3 ACL on the L2 port of the host, the dynamic entry of the ACL will not be triggered when I telnet to the switch.
If I apply the L3 ACL on the switch VLAN interface, the traffic will keep passing to the host because it comes from R3 (same VLAN); applying it or not does not matter.
My question: is this actually possible or not? If yes, how?
sabrina pittarel <sabri_esame@yahoo.com> wrote:
Sorry to chip in,
but what you are stating here is incorrect.
Have you tried it out?
On the 3550 a regular IP ACL, standard and extended, can be applied in *ingress direction only* to a switchport.
This is from the DocCD:
Port ACLs
You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces only and not on EtherChannel interfaces. Port ACLs are applied on interfaces for inbound traffic only.
These access lists are supported on Layer 2 interfaces:
- Standard IP access lists using source addresses
- Extended IP access lists using source and destination addresses and optional protocol type information
- MAC extended access lists using source and destination MAC addresses and optional protocol type information
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swacl.htm#wp1135301
2nd CCIE,
about your problem, I am not sure what's wrong, but what I can say to you is that it works.
My Topology
139.1.0.0/24
.3 .6
R3 ------ SW (vlan367) -------- R6
0/3 0/6
f0/6 has an ACL applied to drop ICMP echo-replies from R6 toward R3.
R3:
With the ACL configured on SW:
-------------------------------
R3#ping 139.1.0.6 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 139.1.0.6, timeout is 2 seconds:
............................
Success rate is 0 percent (0/28)
R3#ping 139.1.0.6 repeat 1000
Without the ACL configured on SW:
-------------------------------------
R3#ping 139.1.0.6 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 139.1.0.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (959/959), round-trip min/avg/max = 1/2/4 ms
SW:
SW1#sh run int f0/3
Building configuration...
Current configuration : 96 bytes
!
interface FastEthernet0/3
switchport access vlan 367
switchport mode dynamic desirable
end
SW1#sh run int f0/6
Building configuration...
Current configuration : 120 bytes
!
interface FastEthernet0/6
switchport access vlan 367
switchport mode dynamic desirable
ip access-group 100 in
end
SW1#sh access
SW1#sh access-list 100
Extended IP access list 100
10 deny icmp host 139.1.0.6 host 139.1.0.3 echo-reply
20 permit ip any any
SW1#
Sabrina
----- Original Message ----
From: Subhash P
To: George Carr
Cc: 2nd CCIE ; security@groupstudy.com;
ccielab@groupstudy.com
Sent: Saturday, September 16, 2006 7:24:53 PM
Subject: Re: 3550 ACL's ..
You are perfect.
Subhash.
On 9/17/06, George Carr wrote:
>
> It appears to me that the primary problem is that you are trying to filter
> on L3 at an interface that only has a L2 function in the conversation.
> ip ACL's will work on routed interfaces because they are L3 interfaces much
> like those in any router. For a 3550 to be a routed (L3) interface its
> interface configuration must begin with the line 'no switchport'; yours
> begins with 'switchport access vlan 16'.
>
> As for using the VLAN SVI for filtering, here again for the most part a VLAN
> is an L2 animal. The SVI's are like the router interfaces that lead to and
> from the L2 segment that is defined by the ports assigned to be in that VLAN.
> The only way I can think of that a VLAN SVI would be useful for applying
> ip ACL's to would be if:
> - the devices in the VLAN it represents were configured to use its IP
> address as a default gateway
> - and the devices you were trying to filter were in a different VLAN or a
> subnet accessible through some other routing device connected to the
> switch.
> - and you were running some L3 routing protocol on the 3550
>
> In other words
> - if the devices you are trying to filter are also in VLAN 16 then the
> switch is only a L2 participant in the conversation.
> - if the devices are on a different subnet / VLAN and / or device and the
> default gateway on the servers is not the ip of the VLAN 16 SVI then
> again the 3550 is only providing a L2 path to whatever device is
> configured to be the dg for the server and does not even look at the L3
> information in the packet.
>
> Call me crazy but you can't filter a L2 conversation with an ip access
> list, ip is L3.
>
> - GLC
>
>
> ----- Original Message -----
> From: "2nd CCIE"
> To:
> Cc: ;
> Sent: Saturday, September 16, 2006 2:14 PM
> Subject: Re: 3550 ACL's ..
>
>
> > Ok, I have tried to apply the ACL on the interface vlan in both
> > directions; I am still able to ping the server.
> >
> > What am I missing?
> >
> >
> >
> > Joe Palomo wrote:
> > If you apply the ACL to the VLAN interface then you need to apply the
> > ACL for egress (out) traffic to the server. Ingress (in) would deny icmp
> > from server segment outbound. HTH.
> >
> > ccie16430 (Security)
> >
> > 2nd CCIE wrote:
> >
> >>Folks;
> >> I have trouble trying to do a simple configuration on the 3550.
> >> I have a server connected to the 3550 on port f0/11.
> >>
> >> All I want to do is to deny the icmp to this server and allow everything
> >> else.
> >> Although it looks like something easy, it does not work for me.
> >>
> >> Here is my configuration:
> >>
> >>!
> >>interface FastEthernet0/11
> >> switchport access vlan 16
> >> switchport mode dynamic desirable
> >> ip access-group 101 in
> >>!
> >>access-list 101 deny icmp any host 10.10.16.100
> >>access-list 101 permit ip any any
> >>!
> >>
> >> With this configuration I still can ping the server from anywhere. I
> >> tried to apply the ACL on the interface vlan 16; nothing changed.
> >>
> >> If I remove the second entry of the ACL (basically deny everything), it
> >> works.
> >>
> >> But I need the communication to the server; only the ping I want to
> >> disable...
> >>
> >> What am I missing here?
> >>
> >> thanks
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART