Re: Layer3 ACL on L2 Access port...Right or wrong ?

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Thu, 23 Jul 2009 00:08:42 -0400

Hello team,

Mohamed, did the lab allow you to use other methods to keep from learning
routes from this one particular router? An ACL seems to be a bit overkill
IMO ... (thinking out loud) I suppose you could block the mcast address from
that router ... and/or run unicast routing updates.

With an ACL, I would worry that you may block other wanted traffic.

If you can use other methods, then which routing protocol is running across
the 3 routers? This will help us to determine which commands we should use
to ignore or offset the 'unwanted' router.

HTH,

Andrew Lee Lissitz

On Wed, Jul 22, 2009 at 5:23 PM, <Keegan.Holley_at_sungard.com> wrote:

> I tried this in my lab ready to say it didn't work... but then it did. I
> basically have two routers and two switches. One router plugged into each
> switch with a trunk between them. You can only configure the access-list
> inbound but it did work. Hopefully someone will pop up and explain why.
>
> Layer3 ACL on L2 Access port...Right or wrong ?
>
> Mohamed El Henawy
> to: Cisco certification
> 07/22/09 05:06 PM
>
> Sent by: nobody_at_groupstudy.com
> Please respond to "Mohamed El Henawy"
>
> Hello Group,
>
> I came across this question while doing the IE LAB9.
>
> 2 routers, 1 BB on the same LAN segment. We don't want to get updates from
> BB, and the port on the switch connected to BB has only one VLAN.
>
> Question is... can we put an ACL under the interface instead of using a VLAN
> filter (VLAN filter is the IE answer)? Is it still correct to use an L3 ACL
> on an L2 port?
>
> I think VLAN filter wouldn't work if we have other access ports on this
> switch under the same VLAN and they might need to be in the RIP too?
>
> Rack2SW2#sh access-lists
> Extended IP access list 199
>     10 deny udp any any eq rip
>     20 permit ip any any (39 matches)
>
> interface FastEthernet0/24
>  switchport access vlan 232
>  ip access-group 199 in
>  spanning-tree guard root
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Received on Thu Jul 23 2009 - 00:08:42 ART
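
The two approaches discussed in this thread, side by side, as an added example that is not from any poster or from the lab workbook. Each is scoped to the BB router's source address so that RIP from other hosts in VLAN 232 is untouched. VLAN 232 and FastEthernet0/24 come from the original post; the address 192.0.2.254 and the names DENY-BB-RIP, MATCH-BB-RIP and NO-BB-RIP are assumptions.

```cisco
! Constructed example. 192.0.2.254 is a placeholder for the BB router's
! address (not given in the thread). ACL and map names are made up.
! Use one option or the other, not both.
!
! Option 1: port ACL on the BB-facing access port.
! Applied inbound, the only direction the thread reports the switch accepting.
ip access-list extended DENY-BB-RIP
 deny   udp host 192.0.2.254 any eq rip
 permit ip any any
!
interface FastEthernet0/24
 switchport access vlan 232
 ip access-group DENY-BB-RIP in
!
! Option 2: VLAN access-map (the "vlan filter" answer).
! In the matching ACL, "permit" means "select this traffic"; the
! access-map action decides what happens to it.
ip access-list extended MATCH-BB-RIP
 permit udp host 192.0.2.254 any eq rip
!
vlan access-map NO-BB-RIP 10
 match ip address MATCH-BB-RIP
 action drop
! Sequence 20 has no match clause, so it forwards everything else.
! Without it, all other IP traffic in the VLAN would be dropped.
vlan access-map NO-BB-RIP 20
 action forward
!
vlan filter NO-BB-RIP vlan-list 232
!
! Verify with:
!   show access-lists
!   show vlan access-map NO-BB-RIP
!   show vlan filter
```

The port ACL only affects frames entering Fa0/24, while the VLAN filter is evaluated for traffic on every port in VLAN 232, which is why the source-address match matters more in option 2.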

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART