I actually saw the same thing.  My setup was simple so I could see traffic 
being denied, but the counters on the acl did not increment.  Just for 
testing try deny any any.

From: Dennis Worth <dennis.worth_at_gmail.com>
To: Mohamed El Henawy <m.henawy_at_link.net>
Cc: ALL From_NJ <all.from.nj_at_gmail.com>, Keegan.Holley_at_sungard.com, Cisco certification <ccielab_at_groupstudy.com>, nobody_at_groupstudy.com
Date: 07/23/2009 10:31 AM
Subject: Re: Layer3 ACL on L2 Access port...Right or wrong ?
Sent by: nobody_at_groupstudy.com

Guys,
I tried this, and no luck getting it to work. I may try it again later this
evening, but after I applied the ACL, the only hits I got were on the
permit any any. The deny statement didn't get hit at all.
Thanks,
On Wed, Jul 22, 2009 at 10:46 PM, Mohamed El Henawy <m.henawy_at_link.net> wrote:
> Hello Andrew ,
>
> LAB Requested to stop the updates coming from BB router without putting any
> configuration on the 2 routers in the segment so we can only use the switch
> connected to the BB router
> I didn't think putting ACL will work but it worked !
>
>
> BB2   R2  R3
> |----------|------|    Same Ethernet segment
>
>  ----- Original Message -----
>  From: ALL From_NJ
>  To: Keegan.Holley_at_sungard.com
>  Cc: Mohamed El Henawy ; Cisco certification ; nobody_at_groupstudy.com
>  Sent: Thursday, July 23, 2009 7:08 AM
>  Subject: Re: Layer3 ACL on L2 Access port...Right or wrong ?
>
>
>  Hello team,
>
>  Mohamed, did the lab allow you to use other methods to keep from learning
> routes from this one particular router?  An ACL seems to be a bit overkill
> IMO ... (thinking out loud) I suppose you could block the mcast address from
> that router ... and/or run unicast routing updates.
>
>  With an ACL, I would worry that you may block other wanted traffic.
>
>  If you can use other methods, then which routing protocol is running across
> the 3 routers?  This will help us to determine which commands we should use to
> ignore or offset the 'unwanted' router.
>
>  HTH,
>
>  Andrew Lee Lissitz
>
>  On Wed, Jul 22, 2009 at 5:23 PM, <Keegan.Holley_at_sungard.com> wrote:
>
>    I tried this in my lab ready to say it didn't work... but then it did.  I
>    basically have two routers and two switches.  One router plugged into each
>    switch with a trunk between them.  You can only configure the access-list
>    inbound but it did work.  Hopefully someone will pop-up and explain why.
>
>    Subject: Layer3 ACL on L2 Access port...Right or wrong ?
>    From: Mohamed El Henawy
>    To: Cisco certification
>    Date: 07/22/09 05:06 PM
>    Sent by: nobody_at_groupstudy.com
>    Please respond to "Mohamed El Henawy"
>
>    Hello Group,
>
>    I came across this question while doing the IE LAB9
>
>    2 Routers , 1  BB on the same LAN segment , we don't want to get updates
>    from BB and the port on switch connected to BB has only one vlan
>
>
>    question is....can we put ACL under the interface instead of using vlan
>    filter ( vlan filter is IE answer )? is it still correct to use L3 ACL on
>    L2 port
>
>    I think VLAN filter wouldn't work if we have other access port on this
>    switch under same VLAN and might need to be in the RIP  too ?
>
>    Rack2SW2#sh access-lists
>    Extended IP access list 199
>       10 deny udp any any eq rip
>       20 permit ip any any (39 matches)
>
>
>    interface FastEthernet0/24
>     switchport access vlan 232
>     ip access-group 199 in
>     spanning-tree guard root
>
>
>    Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
>    Subscription information may be found at:
>    http://www.groupstudy.com/list/CCIELab.html
>
>
>  --
>  Andrew Lee Lissitz
>  all.from.nj_at_gmail.com
>
>
--
Dennis Worth

Received on Thu Jul 23 2009 - 11:23:16 ART
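
The two approaches compared in this thread, side by side, as an added example that is not from any of the posters or from the lab's answer key. The port ACL is the one posted in the original question; the VLAN map is one way to write the "vlan filter" alternative so that it drops only RIP sourced from BB. The names RIP-FROM-BB and BLOCK-BB-RIP and the BB address 192.0.2.254 are assumptions made for illustration.

```cisco
! Option 1: port ACL on the L2 access port facing BB (as posted in the thread).
! As noted in the thread, it can only be applied inbound on the switchport.
access-list 199 deny   udp any any eq rip
access-list 199 permit ip any any
!
interface FastEthernet0/24
 switchport access vlan 232
 ip access-group 199 in
!
! Option 2: VLAN map (the "vlan filter" approach).
! A VLAN map applies to every port in VLAN 232, so the match ACL is
! scoped to BB's source address (constructed value, replace with the
! real one) to leave RIP between R2 and R3 untouched.
! In the match ACL, "permit" means "this traffic matches the map entry";
! the drop/forward decision comes from the action line.
ip access-list extended RIP-FROM-BB
 permit udp host 192.0.2.254 any eq rip
!
vlan access-map BLOCK-BB-RIP 10
 match ip address RIP-FROM-BB
 action drop
! Entry 20 has no match clause, so it forwards everything else.
vlan access-map BLOCK-BB-RIP 20
 action forward
!
vlan filter BLOCK-BB-RIP vlan-list 232
```

The two options are alternatives, not a combined configuration. `show vlan access-map` and `show vlan filter` confirm what is applied for option 2.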
This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART