Re: Layer3 ACL on L2 Access port...Right or wrong ?

From: Mohamed El Henawy <m.henawy_at_link.net>
Date: Thu, 23 Jul 2009 22:27:50 +0300

Hello Dennis ,

I didn't get hits on the deny either, only on the permit, but I don't see
anything in the RIP debug coming from the BB on the router.

----- Original Message -----
From: "Dennis Worth" <dennis.worth_at_gmail.com>
To: "Mohamed El Henawy" <m.henawy_at_link.net>
Cc: "ALL From_NJ" <all.from.nj_at_gmail.com>; <Keegan.Holley_at_sungard.com>;
"Cisco certification" <ccielab_at_groupstudy.com>; <nobody_at_groupstudy.com>
Sent: Thursday, July 23, 2009 5:28 PM
Subject: Re: Layer3 ACL on L2 Access port...Right or wrong ?

> Guys,
> I tried this, and no luck getting it to work. I may try it again later this
> evening, but after I applied the ACL, the only hits I got were on the
> permit any any. The deny statement didn't get hit at all.
>
> Thanks,
>
> On Wed, Jul 22, 2009 at 10:46 PM, Mohamed El Henawy
> <m.henawy_at_link.net> wrote:
>
>> Hello Andrew,
>>
>> The lab requested to stop the updates coming from the BB router without
>> putting any configuration on the 2 routers in the segment, so we can only
>> use the switch connected to the BB router.
>> I didn't think putting an ACL there would work, but it worked!
>>
>>
>> BB2        R2     R3
>> |----------|------|  Same Ethernet segment
>>
>> ----- Original Message -----
>> From: ALL From_NJ
>> To: Keegan.Holley_at_sungard.com
>> Cc: Mohamed El Henawy ; Cisco certification ; nobody_at_groupstudy.com
>> Sent: Thursday, July 23, 2009 7:08 AM
>> Subject: Re: Layer3 ACL on L2 Access port...Right or wrong ?
>>
>>
>> Hello team,
>>
>> Mohamed, did the lab allow you to use other methods to keep from learning
>> routes from this one particular router? An ACL seems to be a bit overkill
>> IMO ... (thinking out loud) I suppose you could block the mcast address from
>> that router ... and/or run unicast routing updates.
>>
>> With an ACL, I would worry that you may block other wanted traffic.
>>
>> If you can use other methods, then which routing protocol is running across
>> the 3 routers? This will help us to determine which commands we should use
>> to ignore or offset the 'unwanted' router.
>>
>> HTH,
>>
>> Andrew Lee Lissitz
>>
>> On Wed, Jul 22, 2009 at 5:23 PM, <Keegan.Holley_at_sungard.com> wrote:
>>
>> I tried this in my lab ready to say it didn't work... but then it did. I
>> basically have two routers and two switches. One router plugged into each
>> switch with a trunk between them. You can only configure the access-list
>> inbound, but it did work. Hopefully someone will pop up and explain why.
>>
>> Layer3 ACL on L2 Access port...Right or wrong ?
>>
>> Mohamed El Henawy
>> to: Cisco certification
>> 07/22/09 05:06 PM
>> Sent by: nobody_at_groupstudy.com
>> Please respond to "Mohamed El Henawy"
>>
>> Hello Group,
>>
>> I came across this question while doing the IE LAB9.
>>
>> 2 routers, 1 BB on the same LAN segment; we don't want to get updates from
>> the BB, and the port on the switch connected to the BB has only one VLAN.
>>
>> Question is... can we put the ACL under the interface instead of using a
>> VLAN filter (VLAN filter is the IE answer)? Is it still correct to use an L3
>> ACL on an L2 port?
>>
>> I think a VLAN filter wouldn't work if we have other access ports on this
>> switch under the same VLAN that might need to be in RIP too?
>>
>> Rack2SW2#sh access-lists
>> Extended IP access list 199
>> 10 deny udp any any eq rip
>> 20 permit ip any any (39 matches)
>>
>>
>> interface FastEthernet0/24
>> switchport access vlan 232
>> ip access-group 199 in
>> spanning-tree guard root
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>> --
>> Andrew Lee Lissitz
>> all.from.nj_at_gmail.com
>
> --
> Dennis Worth

Received on Thu Jul 23 2009 - 22:27:50 ART
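To see which entry the BB's traffic would hit, here is an added Python example (my own code, not from the thread or from IOS): it parses the subset of extended-ACL syntax used in list 199 and runs constructed packets through it, keeping per-entry hit counters in the style of `show access-lists`. The BB address 10.1.1.254, the other hosts and the sample packets are assumptions.

```python
"""Hit-count simulator for the subset of Cisco extended-ACL syntax used in
Rack2SW2's list 199: 'any', 'host A.B.C.D' and an optional 'eq <dport>'."""
NAMED_PORTS = {"rip": 520}  # the IOS keyword 'rip' means UDP/520


def _addr(tokens):  # consume 'any' or 'host X'; None if the form is unsupported
    tok = tokens.pop(0)
    return "any" if tok == "any" else tokens.pop(0) if tok == "host" else None


def parse_ace(line):
    """Parse e.g. '10 deny udp any any eq rip' into a dict with a hit counter."""
    rest = (t := line.split())[3:]          # t = [seq, action, proto, ...]
    src, dst = _addr(rest), _addr(rest)
    if src is None or dst is None:
        raise ValueError("unsupported address spec in: " + line)
    dport = None
    if rest[:1] == ["eq"]:                  # port keyword after dst = destination port
        dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"seq": int(t[0]), "action": t[1], "proto": t[2],
            "src": src, "dst": dst, "dport": dport, "matches": 0}


def _matches(a, pkt):
    """'ip' matches any protocol, 'any' matches any address, no port = no check."""
    return (a["proto"] in ("ip", pkt["proto"])
            and a["src"] in ("any", pkt["src"]) and a["dst"] in ("any", pkt["dst"])
            and (a["dport"] is None or a["dport"] == pkt.get("dport")))


def evaluate(acl, pkt):
    """First matching entry wins and takes the hit; implicit deny otherwise."""
    for a in acl:
        if _matches(a, pkt):
            a["matches"] += 1
            return a["action"]
    return "deny"  # the implicit deny that ends every IOS ACL


def hit_report(acl_lines, packets):
    """Run packets through a fresh copy of the ACL; return (actions, {seq: hits})."""
    acl = [parse_ace(line) for line in acl_lines]
    actions = [evaluate(acl, p) for p in packets]
    return actions, {a["seq"]: a["matches"] for a in acl}


ACL_199 = ["10 deny udp any any eq rip", "20 permit ip any any"]
# Constructed traffic arriving inbound on the BB-facing port (BB = 10.1.1.254, assumed).
SAMPLE = [
    {"src": "10.1.1.254", "dst": "224.0.0.9", "proto": "udp", "dport": 520},        # RIPv2
    {"src": "10.1.1.254", "dst": "255.255.255.255", "proto": "udp", "dport": 520},  # RIPv1
    {"src": "10.1.1.254", "dst": "10.1.1.2", "proto": "tcp", "dport": 23},          # telnet
    {"src": "10.1.1.254", "dst": "10.1.1.3", "proto": "icmp"},                      # ping
]
```

Whether the switch honours a router ACL on an L2 access port at all, which is what the thread is really asking, is a platform question this evaluator cannot answer. Running the same packets through Andrew's multicast-only variant (`deny ip host <BB> host 224.0.0.9`) shows that it misses RIPv1 broadcasts to 255.255.255.255.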

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART