I think that would work; however, I would then look at layer 2 addresses instead of layer 3 addresses, and controlling a group of people who can access the web all the time, another group who can access it in certain time frames, and a third group that cannot access it - would be a nightmare to control with MAC addresses, instead of simply an array of IP addresses specified by a wildcard.
Hmm, I got to dig a little more...

Thanks,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 10:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Bridging and Access-lists [7:24791]

Ole,

My thinking on this ...

When your ethernet frame (L2) hits the e1 interface the router will bridge (L2) this to the e0 interface and not route (L3) it. Therefore the IP access-list (L3) will not be used.

I did some work a couple of years ago on a dial-on-demand Bridging solution. After a lot of head scratching we learned about extended bridging ACLs, maybe you could use these? I think they are range 1000 to 1100, you will need to check this.

What do you think?

Steven Dangerfield
CCNP, CCSA, CSE

-----Original Message-----
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: 31 October 2001 16:08
To: [EMAIL PROTECTED]
Subject: Bridging and Access-lists [7:24791]

I have an ethernet segment that I would like to put some restrictions on, and after having played around with several solutions, I came to one that I believe is the best.

Please do not reply with "why don't you use the firewall", or similar suggestions - because I am looking for a way to get this solution to work.

I have placed a Cisco 2514 on a segment so I can create access-lists to filter traffic. I want my segment to have the same IP addresses and be on the same network, so I have assigned the 2514 as a bridge where both ethernet interfaces have the same IP address, and are in the same bridge-group. IP routing has been disabled.
This all works fine, except that any access-lists I create on either of the two ethernet interfaces do not block anything at all - it's like access-lists are being ignored when the interfaces work in bridging mode.

Here's how it looks, very simplified:

internet---router---firewall---2514---switch---users and servers

A part of the config:

no ip routing
!
interface Ethernet0
 ip address 10.25.14.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
interface Ethernet1
 ip address 10.25.14.1 255.0.0.0
 ip access-group 100 in
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
bridge 1 protocol dec
!
ip classless
!
access-list 100 deny ip any any
!

The e0 interface is connected to the firewall, the gateway router, and eventually the Internet. The e1 interface is connected to the switch connecting a workstation.

From that workstation I am browsing the web, but even with the "deny ip any any", I can keep browsing without being blocked.

Can someone explain this, and perhaps come up with a solution to fix this problem on this router?

Thanks in advance,

Ole

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24800&t=24791
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
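As an added illustration of Steven's point (my own Python model, not code from the thread or from Cisco IOS): the model below decides whether a frame takes the bridged or the routed path through the 2514 as configured in the thread and records which access lists were actually consulted, so the `access-list 100 deny ip any any` on Ethernet1 is visibly skipped for bridged frames. It also models the MAC-based filtering Ole is weighing, as a standard 700-799 MAC address list applied with `bridge-group 1 input-address-list`; the mask semantics (bits set to 1 are don't-care) and the implicit deny at the end of the list are my assumptions about IOS behaviour, and the Router/Interface classes, frame layout and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Interface:
    bridge_group: Optional[int] = None         # 'bridge-group N'
    ip_access_group_in: Optional[int] = None   # 'ip access-group N in' (layer-3 list)
    input_address_list: Optional[int] = None   # 'bridge-group N input-address-list 7xx' (layer-2)
@dataclass
class Router:
    ip_routing: bool                               # False after 'no ip routing'
    interfaces: dict
    ip_acls: dict = field(default_factory=dict)    # number -> [(action, predicate)]
    mac_acls: dict = field(default_factory=dict)   # number -> [(action, address, mask)]
def mac_matches(mac, address, mask):
    """Assumed standard MAC list (700-799) semantics: mask bits set to 1 are 'don't care'."""
    m, a, k = (int(x.replace(".", ""), 16) for x in (mac, address, mask))
    return (m & ~k) == (a & ~k)
def forward(router, ingress, frame):
    """Return (decision, lists_consulted) for a frame arriving on `ingress`."""
    iface, consulted = router.interfaces[ingress], []
    if iface.bridge_group is not None and not router.ip_routing:
        # Bridged at layer 2: the IP input path is never entered, so 'ip access-group'
        # is not evaluated; only bridge-group lists (e.g. input-address-list) apply.
        if iface.input_address_list is None:
            return "permit", consulted            # no bridging filter: forwarded as-is
        consulted.append(iface.input_address_list)
        for action, address, mask in router.mac_acls[iface.input_address_list]:
            if mac_matches(frame["src_mac"], address, mask):
                return action, consulted
        return "deny", consulted                  # assumed implicit deny ends the list
    # Routed at layer 3: the IP access list is consulted (implicit deny at the end).
    if iface.ip_access_group_in is None:
        return "permit", consulted
    consulted.append(iface.ip_access_group_in)
    for action, pred in router.ip_acls[iface.ip_access_group_in]:
        if pred(frame):
            return action, consulted
    return "deny", consulted

def thread_router():
    """The 2514 from the thread: no ip routing, both ports in bridge-group 1,
    'access-list 100 deny ip any any' applied inbound on Ethernet1."""
    r = Router(ip_routing=False, interfaces={
        "Ethernet0": Interface(bridge_group=1),
        "Ethernet1": Interface(bridge_group=1, ip_access_group_in=100)})
    r.ip_acls[100] = [("deny", lambda f: True)]   # matches any IP packet
    return r
# Constructed sample frame from the workstation behind e1 (addresses are made up).
FRAME = {"src_mac": "0010.a4ab.cd01", "dst_mac": "0000.0c07.ac01", "src_ip": "10.25.14.50"}
```

Calling `forward(thread_router(), "Ethernet1", FRAME)` returns `("permit", [])`: the frame is bridged and list 100 is never consulted, which is exactly the behaviour Ole sees from the workstation.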