Re: Layer3 ACL on L2 Access port...Right or wrong ?

From: Mohamed El Henawy <m.henawy_at_link.net>
Date: Thu, 23 Jul 2009 08:46:12 +0300

Hello Andrew,

The lab requested stopping the updates coming from the BB router without putting any
configuration on the 2 routers in the segment, so we can only use the switch
connected to the BB router.
I didn't think putting an ACL would work, but it worked!

BB2 R2 R3
|----------|------| Same Ethernet segment

  ----- Original Message -----
  From: ALL From_NJ
  To: Keegan.Holley_at_sungard.com
  Cc: Mohamed El Henawy ; Cisco certification ; nobody_at_groupstudy.com
  Sent: Thursday, July 23, 2009 7:08 AM
  Subject: Re: Layer3 ACL on L2 Access port...Right or wrong ?

  Hello team,

  Mohamed, did the lab allow you to use other methods to keep from learning
routes from this one particular router? An ACL seems to be a bit of overkill
IMO ... (thinking out loud) I suppose you could block the mcast address from
that router ... and/or run unicast routing updates.

  With an ACL, I would worry that you may block other wanted traffic.

  If you can use other methods, then which routing protocol is running across
the 3 routers? This will help us determine which commands we should use to
ignore or offset the 'unwanted' router.

  HTH,

  Andrew Lee Lissitz

  On Wed, Jul 22, 2009 at 5:23 PM, <Keegan.Holley_at_sungard.com> wrote:

    I tried this in my lab ready to say it didn't work... but then it did. I
    basically have two routers and two switches, one router plugged into each
    switch, with a trunk between them. You can only configure the access-list
    inbound, but it did work. Hopefully someone will pop up and explain why.

    Layer3 ACL on L2 Access port...Right or wrong ?

    Mohamed El Henawy
    to:
    Cisco certification
    07/22/09 05:06 PM

    Sent by:
    nobody_at_groupstudy.com
    Please respond to "Mohamed El Henawy"

    Hello Group,

    I came across this question while doing the IE LAB9:

    2 routers, 1 BB on the same LAN segment; we don't want to get updates from
    BB, and the port on the switch connected to BB has only one VLAN.

    The question is... can we put an ACL under the interface instead of using a
    VLAN filter (the VLAN filter is the IE answer)? Is it still correct to use
    an L3 ACL on an L2 port?

    I think a VLAN filter wouldn't work if we have other access ports on this
    switch under the same VLAN that might need to be in RIP too?

    Rack2SW2#sh access-lists
    Extended IP access list 199
       10 deny udp any any eq rip
       20 permit ip any any (39 matches)

    interface FastEthernet0/24
     switchport access vlan 232
     ip access-group 199 in
     spanning-tree guard root

    Blogs and organic groups at http://www.ccie.net

    _______________________________________________________________________
    Subscription information may be found at:
    http://www.groupstudy.com/list/CCIELab.html


  --
  Andrew Lee Lissitz
  all.from.nj_at_gmail.com

Received on Thu Jul 23 2009 - 08:46:12 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART
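To make the scope question in this thread concrete, the following is an added example, written for this archive page and not taken from the thread or from Cisco IOS. It parses ACL 199 exactly as posted above, applies first-match evaluation with the implicit deny, and then compares what gets through when the ACL is consulted only on the BB router's switchport (the posted `ip access-group 199 in`) versus on every port in the VLAN, which is the situation Mohamed worried about. The port names, the 10.1.1.0/24 addresses, ACL 198 and the three-port VLAN are all constructed for the example; a real IOS VLAN access-map has its own match/action syntax, and only the difference in which ingress ports are filtered is modelled here.

```python
"""Model of first-match IP ACL evaluation and of where a switch applies it.

Constructed example: addresses, port names and ACL 198 are made up; ACL 199
is the one posted in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# IOS port keywords usable in ACLs; only the ones this example needs.
PORT_NAMES = {"rip": 520, "domain": 53, "ntp": 123, "telnet": 23, "bootps": 67}

# Frames an *IP* ACL never evaluates; filtering these needs a MAC ACL.
NON_IP = {"arp", "cdp", "stp", "lldp"}


@dataclass(frozen=True)
class Packet:
    ingress: str            # switchport the frame arrived on, e.g. "Fa0/24"
    proto: str              # "udp", "tcp", "icmp", "arp", ...
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str             # "permit" or "deny"
    proto: str              # "ip" matches every IP protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]    # None when the ACE has no "eq" clause


def _addr(tokens: list[str], i: int) -> tuple[IPv4Network, int]:
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Contiguous wildcard assumed (0.0.0.255 -> /24); IOS also accepts
    # non-contiguous wildcards, which this toy parser does not handle.
    wild = int(IPv4Address(tokens[i + 1]))
    net = IPv4Network(f"{tokens[i]}/{32 - wild.bit_length()}", strict=False)
    return net, i + 2


def parse_acl(text: str) -> list[Ace]:
    """Parse the 'show access-lists' body of one extended IP ACL."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue                          # header line or blank
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        src, i = _addr(tokens, 3)
        dst, i = _addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":   # "(39 matches)" is ignored
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching ACE wins; an unmatched IP packet hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def forwarded(pkt: Packet, acl: list[Ace], filtered_ports: set[str]) -> bool:
    """Is the frame forwarded? `filtered_ports` is where the ACL is consulted:
    one port for 'ip access-group ... in' on that switchport, every port of
    the VLAN for a VLAN-wide filter. Non-IP frames bypass an IP ACL entirely."""
    if pkt.ingress not in filtered_ports or pkt.proto in NON_IP:
        return True
    return evaluate(acl, pkt) == "permit"


# The ACL exactly as posted in the thread.
ACL_199 = parse_acl("""
Extended IP access list 199
   10 deny udp any any eq rip
   20 permit ip any any (39 matches)
""")

# Constructed variant that only targets the BB router's own updates.
ACL_BB_ONLY = parse_acl("""
Extended IP access list 198
   10 deny udp host 10.1.1.254 any eq rip
   20 permit ip any any
""")

VLAN_232 = {"Fa0/24", "Fa0/1", "Fa0/2"}      # BB, R2, R3 (constructed topology)
RIP_FROM_BB = Packet("Fa0/24", "udp", "10.1.1.254", "224.0.0.9", 520)
RIP_FROM_R2 = Packet("Fa0/1", "udp", "10.1.1.2", "224.0.0.9", 520)
PING_FROM_BB = Packet("Fa0/24", "icmp", "10.1.1.254", "10.1.1.2")
ARP_FROM_BB = Packet("Fa0/24", "arp", "0.0.0.0", "0.0.0.0")


def scenario() -> dict[str, bool]:
    """Who gets through under the three ways of applying the filter."""
    return {
        # Port ACL on Fa0/24 only, as posted: drops BB's RIP and nothing else.
        "port_acl/rip_bb": forwarded(RIP_FROM_BB, ACL_199, {"Fa0/24"}),
        "port_acl/rip_r2": forwarded(RIP_FROM_R2, ACL_199, {"Fa0/24"}),
        "port_acl/ping_bb": forwarded(PING_FROM_BB, ACL_199, {"Fa0/24"}),
        "port_acl/arp_bb": forwarded(ARP_FROM_BB, ACL_199, {"Fa0/24"}),
        # The same ACL consulted VLAN-wide also kills R2's updates.
        "vlan_acl/rip_r2": forwarded(RIP_FROM_R2, ACL_199, VLAN_232),
        # VLAN-wide but scoped to the BB source address: R2 is unaffected.
        "vlan_bbonly/rip_bb": forwarded(RIP_FROM_BB, ACL_BB_ONLY, VLAN_232),
        "vlan_bbonly/rip_r2": forwarded(RIP_FROM_R2, ACL_BB_ONLY, VLAN_232),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:22s} {'forwarded' if ok else 'DROPPED'}")
```

The model shows why the port ACL is the less intrusive of the two: because `ip access-group 199 in` is only consulted on Fa0/24, `deny udp any any eq rip` can stay unscoped and still leaves R2's and R3's updates alone, whereas the same two lines applied to the whole VLAN must be narrowed to the BB router's source address to avoid Mohamed's concern. The `permit ip any any` line matters as well: without it the implicit deny would drop all of the BB router's IP traffic, not just RIP, while ARP from that port would still pass because an IP ACL never evaluates non-IP frames. As Keegan notes above, the port ACL can only be applied inbound.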