From: Darby Weaver (darbyweaver@yahoo.com)
Date: Fri Apr 27 2007 - 04:39:53 ART
Hmmm...
What does your show access-list output look like?
Is the access-list being interpretted by the router in
the order you are presenting it as listed below?
However, I usually interpret a standard ACL as a
numbered ACL like 1-99 for instance. Not necessarily
a named ACL which is standard.
I have heard a rumor that in the lab numbered lists
may be preferred over named access lists unless there
is no other way.
Of course, that may be a question for the proctor.
The reason being that some named ACLS may not work
properly with certain scripts used for grading.
Again a "rumor".
==================
Of course if you were to have created an ACL (the one
being matched) and then later edited it.
You may still be using the old one?
PER:
When you delete an access-list that is currently being
applied to an interface, all traffic that is to be
filtered through the specified access list will be
allowed until the access list is reinstated or a new
access-list is specified in the access-group command.
=========================================
Now if it were me, I do something like this:
access-list permit 23 permit host 150.1.3.3
line vty 0 4
transport input ssh telnet
transport output ssh telnet
In fact on my rack this works great. It's 3:30am in
the morning.
I think the problem is a matter of interpretation
(Definition of a standard ACL) and btw I think you'll
find you'll encounter similar problems on your SNMP
"standard" ACLs too.
=======================================
Little crazy troubleshooting tonight...
I actually had to fight a broadcast storm and it
caused a major uproar from route generator that I just
turned up - can you sat a demonstrated need for
storm-control.
It wiped out my eigrp and I could not even ping. Talk
about "broken arrow". My two routers were definately
overwhelmed.
My sh int were off the chart. And one of the two
routers was getting clobbered with EIGRP errors from
the neigh.
I had to debug ip packet to see what was going on.
CDP was not working, ICMP was not working, etc.
Funny since the 3550 could see the routers with CDP
but not the reverse. Of course the 3550 was not
overwhelmed.
Much less telnet or even my control plane traffic.
I created a monster with that new box.
--- deji500@hotmail.com wrote:
> Hi GS,
> I can not seem to use a restrictive access-list to
> restrict access to a router's vty lines. I want to
> be able to restrict access to only one interface on
> the router from selected interfaces on selected
> routers using either ssh OR TELNET. For example, I
> want to allow access on to R1's loopback interface
> from R3 and R6 but not any interface on R2,R4 or R5.
>
> Example using the loopback of just R3
> ip access-list extended TELNET
> permit ip host 150.1.3.3 host 150.1.1.1 log (does
> not match)
> permit tcp host 150.1.3.3 host 150.1.1.1 eq telnet
> log (does not match)
> permit tcp host 150.1.3.3 any log (this is
> matched)
>
> Is it the IOS on my routers (12.3)? oR the
> access-class command on the vty lines does not like
> restrictive ACLs? DocCD uses just a standard ACL or
> its not just possible.
>
> Thanks for your help
>
>
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:38 ART