Is there a good reason that the bridge is set up as protocol dec? I don't know if it would work the way you have it configured using ieee instead. Just a thought.

Ed

"Ole Drews Jensen" wrote in message news:[EMAIL PROTECTED]...
> I think that would work, however, I would then look at layer 2 addresses
> instead of layer 3 addresses, and controlling a group of people who can
> access the web all the time, another group who can access it in certain time
> frames, and a third group that cannot access it - would be a nightmare to
> control with MAC addresses, instead of simply an array of IP addresses
> specified by a wildcard.
>
> Hmm, I got to dig a little more...
>
> Thanks,
>
> Ole
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Ole Drews Jensen
> Systems Network Manager
> CCNP, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> http://www.RouterChief.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> NEED A JOB ???
> http://www.oledrews.com/job
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Bridging and Access-lists [7:24791]
>
>
> Ole,
>
> My thinking on this ...
>
> When your ethernet frame (L2) hits the e1 interface the router will bridge
> (L2) this to the e0 interface and not route (L3) it. Therefore the IP
> access-list (L3) will not be used.
>
> I did some work a couple of years ago on a dial-on-demand Bridging solution.
> After a lot of head scratching we learned about extended bridging ACLs,
> maybe you could use these?
>
> I think they are range 1000 to 1100, you will need to check this.
>
> What do you think?
>
> Steven Dangerfield CCNP, CCSA, CSE
>
> -----Original Message-----
> From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
> Sent: 31 October 2001 16:08
> To: [EMAIL PROTECTED]
> Subject: Bridging and Access-lists [7:24791]
>
>
> I have an ethernet segment that I would like to put some restrictions on,
> and after having played around with several solutions, I came to one that I
> believe is the best. Please do not reply with "why don't you use the
> firewall", or similar suggestions - because I am looking for a way to get
> this solution to work.
>
> I have placed a Cisco 2514 on a segment so I can create access-lists to
> filter traffic. I want my segment to have the same IP addresses and be on
> the same network, so I have assigned the 2514 as a bridge where both
> ethernet interfaces have the same IP address, and are in the same
> bridge-group. IP routing has been disabled.
>
> This all works fine, except that any access-lists I create on either of the two
> ethernet interfaces do not block anything at all - it's like access-lists
> are being ignored when the interfaces work in bridging mode.
>
> Here's how it looks, very simplified:
>
> internet---router---firewall---2514---switch---users and servers
>
> A part of the config:
>
> no ip routing
> !
> interface Ethernet0
>  ip address 10.25.14.1 255.0.0.0
>  no ip directed-broadcast
>  no ip route-cache
>  no mop enabled
>  bridge-group 1
> !
> interface Ethernet1
>  ip address 10.25.14.1 255.0.0.0
>  ip access-group 100 in
>  no ip directed-broadcast
>  no ip route-cache
>  no mop enabled
>  bridge-group 1
> !
> bridge 1 protocol dec
> !
> ip classless
> !
> access-list 100 deny ip any any
> !
>
> The e0 interface is connected to the firewall, the gateway router, and
> eventually the Internet.
> The e1 interface is connected to the switch connecting a workstation.
>
> From that workstation I am browsing the web, but even with the "deny ip any
> any", I can keep browsing without being blocked.
>
> Can someone explain this, and perhaps come up with a solution to fix this
> problem on this router?
>
> Thanks in advance,
>
> Ole
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Ole Drews Jensen
> Systems Network Manager
> CCNP, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> http://www.RouterChief.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> NEED A JOB ???
> http://www.oledrews.com/job
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=24808&t=24791
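A configuration check for the symptom Steven explains (bridged frames never reach the L3 access-list), added here as an example and not written by anyone in the thread: it parses an IOS-style fragment constructed from Ole's config and reports any `ip access-group` applied on a bridge-group interface while `no ip routing` is set, since such an ACL is present in the config but filters nothing.

```python
# Added example (not from the thread): lint an IOS-style config for IP access-lists
# applied on bridged interfaces while 'no ip routing' is set. Bridged frames are
# switched at L2 and skip the IP (L3) access-list check, so those ACLs silently
# filter nothing, which is the behaviour Ole observed.
import re

# Constructed from the config fragment quoted in the thread.
SAMPLE_CONFIG = """\
no ip routing
!
interface Ethernet0
 ip address 10.25.14.1 255.0.0.0
 bridge-group 1
!
interface Ethernet1
 ip address 10.25.14.1 255.0.0.0
 ip access-group 100 in
 bridge-group 1
!
bridge 1 protocol dec
!
access-list 100 deny ip any any
"""

def parse_interfaces(config):
    """Return {interface: {"acls": [(acl, direction)], "bridge_groups": [n]}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level line: starts or ends a stanza
            m = re.match(r"interface (\S+)", line)
            current = interfaces.setdefault(m.group(1), {"acls": [], "bridge_groups": []}) if m else None
            continue
        if current is None:
            continue
        if m := re.match(r"ip access-group (\S+) (in|out)", line):
            current["acls"].append((m.group(1), m.group(2)))
        elif m := re.match(r"bridge-group (\d+)", line):
            current["bridge_groups"].append(int(m.group(1)))
    return interfaces

def ineffective_acls(config):
    """List (interface, acl, direction) for IP ACLs that bridged traffic bypasses."""
    routing_off = any(l.strip() == "no ip routing" for l in config.splitlines())
    if not routing_off:
        return []
    return [(name, acl, direction)
            for name, data in parse_interfaces(config).items()
            if data["bridge_groups"]
            for acl, direction in data["acls"]]
```

Running `ineffective_acls(SAMPLE_CONFIG)` on the constructed fragment flags the `ip access-group 100 in` on Ethernet1; with `ip routing` enabled the check returns nothing, since the ACL question then depends on the routed path instead.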

