Re: Layer3 ACL on L2 Access port...Right or wrong ?

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Thu, 23 Jul 2009 12:32:38 -0400

sweet! Thanks for this!

On Thu, Jul 23, 2009 at 1:46 AM, Mohamed El Henawy <m.henawy_at_link.net> wrote:

> Hello Andrew,
>
> The LAB requested to stop the updates coming from the BB router without putting any
> configuration on the 2 routers in the segment, so we can only use the switch
> connected to the BB router.
> I didn't think putting an ACL would work, but it worked!
>
> BB2 R2 R3
> |----------|------| Same Ethernet segment
>
> ----- Original Message -----
> *From:* ALL From_NJ <all.from.nj_at_gmail.com>
> *To:* Keegan.Holley_at_sungard.com
> *Cc:* Mohamed El Henawy <m.henawy_at_link.net> ; Cisco certification<ccielab_at_groupstudy.com>;
> nobody_at_groupstudy.com
> *Sent:* Thursday, July 23, 2009 7:08 AM
> *Subject:* Re: Layer3 ACL on L2 Access port...Right or wrong ?
>
> Hello team,
>
> Mohamed, did the lab allow you to use other methods to keep from learning
> routes from this one particular router? An ACL seems to be a bit overkill
> IMO ... (thinking out loud) I suppose you could block the mcast address from
> that router ... and/or run unicast routing updates.
>
> With an ACL, I would worry that you may block other wanted traffic.
>
> If you can use other methods, then which routing protocol is running across
> the 3 routers? This will help us to determine which commands we should use
> to ignore or offset the 'unwanted' router.
>
> HTH,
>
> Andrew Lee Lissitz
>
>
>
> On Wed, Jul 22, 2009 at 5:23 PM, <Keegan.Holley_at_sungard.com> wrote:
>
>> I tried this in my lab ready to say it didn't work... but then it did. I
>> basically have two routers and two switches. One router plugged into each
>> switch with a trunk between them. You can only configure the access-list
>> inbound, but it did work. Hopefully someone will pop up and explain why.
>>
>> Layer3 ACL on L2 Access port...Right or wrong ?
>>
>> Mohamed El Henawy
>> to:
>> Cisco certification
>> 07/22/09 05:06 PM
>>
>> Sent by:
>> nobody_at_groupstudy.com
>> Please respond to "Mohamed El Henawy"
>>
>> Hello Group,
>>
>> I came across this question while doing the IE LAB9.
>>
>> 2 routers, 1 BB on the same LAN segment; we don't want to get updates
>> from the BB, and the port on the switch connected to the BB has only one VLAN.
>>
>> Question is: can we put an ACL under the interface instead of using a VLAN
>> filter (the VLAN filter is IE's answer)? Is it still correct to use an L3 ACL
>> on an L2 port?
>>
>> I think a VLAN filter wouldn't work if we have other access ports on this
>> switch in the same VLAN that might need to be in the RIP too?
>>
>> Rack2SW2#sh access-lists
>> Extended IP access list 199
>> 10 deny udp any any eq rip
>> 20 permit ip any any (39 matches)
>>
>>
>> interface FastEthernet0/24
>> switchport access vlan 232
>> ip access-group 199 in
>> spanning-tree guard root
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
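As an added illustration (not part of the thread or of anyone's lab config), a small Python model of where the two filters discussed above take effect: access list 199 applied as a port ACL on the BB-facing port versus the same filter applied as a VLAN filter to all of VLAN 232. The topology, port names Fa0/2 and Fa0/3, and the packets are constructed; a real IOS vlan access-map expresses the filter as match/action clauses, which the model collapses to the same permit/deny decision.

```python
from dataclasses import dataclass
RIP_PORT = 520  # RIP uses UDP/520, which "eq rip" resolves to on IOS

@dataclass(frozen=True)
class Packet:
    in_port: str   # switch port the frame arrived on (constructed names)
    vlan: int
    proto: str     # "udp", "tcp", "icmp", ...
    dst_port: int = 0

# Access list 199 from the thread as (action, protocol, dst_port); None means any.
ACL_199 = [("deny", "udp", RIP_PORT), ("permit", "ip", None)]

def acl_permits(acl, pkt):
    """Evaluate an extended ACL top-down; unmatched traffic hits the implicit deny."""
    for action, proto, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dst_port:
            continue
        return action == "permit"
    return False

def pacl_forwards(acl_port, acl, pkt):
    """'ip access-group 199 in' on one access port: only frames entering that port are checked."""
    return pkt.in_port != acl_port or acl_permits(acl, pkt)

def vacl_forwards(acl_vlan, acl, pkt):
    """'vlan filter' on a VLAN: every frame in that VLAN is checked, whatever the ingress port.
    (Real VACLs use match/action clauses; reduced here to the same permit/deny decision.)"""
    return pkt.vlan != acl_vlan or acl_permits(acl, pkt)

# Constructed traffic on VLAN 232: BB on Fa0/24 (as in the thread), R2 on Fa0/2, R3 on Fa0/3.
TRAFFIC = {
    "rip_from_bb": Packet("Fa0/24", 232, "udp", RIP_PORT),
    "ping_from_bb": Packet("Fa0/24", 232, "icmp"),
    "rip_from_r2": Packet("Fa0/2", 232, "udp", RIP_PORT),
    "rip_from_r3": Packet("Fa0/3", 232, "udp", RIP_PORT),
}

def compare():
    """Return {packet name: (forwarded under PACL on Fa0/24, forwarded under VACL on VLAN 232)}."""
    return {name: (pacl_forwards("Fa0/24", ACL_199, p), vacl_forwards(232, ACL_199, p))
            for name, p in TRAFFIC.items()}

if __name__ == "__main__":
    for name, (pacl, vacl) in compare().items():
        fmt = lambda ok: "forward" if ok else "DROP"
        print(f"{name:13} PACL: {fmt(pacl):8} VACL: {fmt(vacl)}")
```

The port ACL drops only the BB's RIP and still forwards its other IP traffic, while the VLAN-wide filter also silences RIP from R2 and R3, which is the side effect raised in the thread.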
Received on Thu Jul 23 2009 - 12:32:38 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART