I know you said in the initial setup that you didn't want a firewall
comment; however, I may have a solution that you are interested in.
The NetScreen firewalls can operate in what is called transparent mode. It
then is a layer 2 filter that does wire-speed packet inspection for layer
3/4 rules. Way cool stuff. It doesn't have actual IP addresses on the
actual Ethernet interfaces; it does have an IP for management of the
NetScreen. My understanding is it acts like a bridge; however, it can still
inspect packets and apply rules based on layer 2/4 rules. That might do
what you are looking for.

Regards,
Ed


"Ole Drews Jensen" wrote in message news:[EMAIL PROTECTED]...
> It works as I said, and yes I have wondered why it set it to DEC, but I used
> the auto setup procedure during startup after an "erase start" command, and
> said yes to put both ethernet interfaces in bridging mode. It came up and
> did the "bridge 1 protocol dec" by itself.
>
> And I have tried to use the IEEE instead without any differences related to
> my problem.
>
> As I see it now - I would have to do one of two things:
>
> 1) Change some of my IP addresses so I can place devices on each side of the
> router on different subnets (seen from the router's view), and then set it
> up as routing instead of switching.
>
> 2) Add all the MAC addresses to the groups they belong, and then use
> access-lists 700-799 (mac addresses).
>
> Both solutions suck, so I am still looking for an easier 3rd solution.
>
> Ole
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  Ole Drews Jensen
>  Systems Network Manager
>  CCNP, MCSE, MCP+I
>  RWR Enterprises, Inc.
>  [EMAIL PROTECTED]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  http://www.RouterChief.com
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  NEED A JOB ???
>  http://www.oledrews.com/job
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> -----Original Message-----
> From: Ed Horley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 12:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Bridging and Access-lists [7:24791]
>
>
> Is there a good reason that the bridge is set up as protocol dec?  I don't
> know if it would work the way you have it configured using ieee instead.
> Just a thought.
>
> Ed
>
> "Ole Drews Jensen" wrote in message news:[EMAIL PROTECTED]...
> > I think that would work, however, I would then look at layer 2 addresses
> > instead of layer 3 addresses, and controlling a group of people who can
> > access the web all the time, another group who can access it in certain time
> > frames, and a third group that cannot access it - would be a nightmare to
> > control with MAC addresses, instead of simply an array of IP addresses
> > specified by a wildcard.
> >
> > Hmm, I got to dig a little more...
> >
> > Thanks,
> >
> > Ole
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  Ole Drews Jensen
> >  Systems Network Manager
> >  CCNP, MCSE, MCP+I
> >  RWR Enterprises, Inc.
> >  [EMAIL PROTECTED]
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  http://www.RouterChief.com
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  NEED A JOB ???
> >  http://www.oledrews.com/job
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, October 31, 2001 10:57 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Bridging and Access-lists [7:24791]
> >
> >
> > Ole,
> >
> > My thinking on this ...
> >
> > When your ethernet frame (L2) hits the e1 interface the router will bridge
> > (L2) this to the e0 interface and not route (L3) it. Therefore the IP
> > access-list (L3) will not be used.
> >
> > I did some work a couple of years ago on a dial-on-demand bridging solution.
> > After a lot of head scratching we learned about extended bridging ACLs;
> > maybe you could use these?
> >
> > I think they are range 1000 to 1100, you will need to check this.
> >
> > What do you think?
> >
> > Steven Dangerfield CCNP, CCSA, CSE
> >
> > -----Original Message-----
> > From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
> > Sent: 31 October 2001 16:08
> > To: [EMAIL PROTECTED]
> > Subject: Bridging and Access-lists [7:24791]
> >
> >
> > I have an ethernet segment that I would like to put some restrictions on,
> > and after having played around with several solutions, I came to one that I
> > believe is the best. Please do not reply with "why don't you use the
> > firewall", or similar suggestions - because I am looking for a way to get
> > this solution to work.
> >
> > I have placed a Cisco 2514 on a segment so I can create access-lists to
> > filter traffic. I want my segment to have the same IP addresses and be on
> > the same network, so I have assigned the 2514 as a bridge where both
> > ethernet interfaces have the same IP address, and are in the same
> > bridge-group. IP routing has been disabled.
> >
> > This all works fine, except that any access-lists I create on any of the two
> > ethernet interfaces do not block anything at all - it's like access-lists
> > are being ignored when the interfaces work in bridging mode.
> >
> > Here's how it looks, very simplified:
> >
> >   internet---router---firewall---2514---switch---users and servers
> >
> > A part of the config:
> >
> > no ip routing
> > !
> > interface Ethernet0
> >  ip address 10.25.14.1 255.0.0.0
> >  no ip directed-broadcast
> >  no ip route-cache
> >  no mop enabled
> >  bridge-group 1
> > !
> > interface Ethernet1
> >  ip address 10.25.14.1 255.0.0.0
> >  ip access-group 100 in
> >  no ip directed-broadcast
> >  no ip route-cache
> >  no mop enabled
> >  bridge-group 1
> > !
> > bridge 1 protocol dec
> > !
> > ip classless
> > !
> > access-list 100 deny   ip any any
> > !
> >
> > The e0 interface is connected to the firewall, the gateway router, and
> > eventually the Internet.
> > The e1 interface is connected to the switch connecting a workstation.
> >
> > From that workstation I am browsing the web, but even with the "deny ip any
> > any", I can keep browsing without being blocked.
> >
> > Can someone explain this, and perhaps come up with a solution to fix this
> > problem on this router?
> >
> > Thanks in advance,
> >
> > Ole
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  Ole Drews Jensen
> >  Systems Network Manager
> >  CCNP, MCSE, MCP+I
> >  RWR Enterprises, Inc.
> >  [EMAIL PROTECTED]
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  http://www.RouterChief.com
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >  NEED A JOB ???
> >  http://www.oledrews.com/job
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24843&t=24791
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
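The whole thread turns on one data-path fact that is easy to miss when reading a config: with `no ip routing` and both Ethernets in a bridge-group, an `ip access-group` on an interface is never consulted, because IP frames are switched at layer 2 and only the bridge-group filter lists (`bridge-group N input-address-list`, `input-type-list`, `input-pattern-list` and their `output-` forms, with numbered ACLs in the 700-799, 200-299 and 1100-1199 ranges respectively) see them. The following audit script is an added example, not code from the list or from Cisco: it parses the 2514 config Ole posted (embedded below as a copied sample), flags the dead `ip access-group 100 in`, and then re-checks a variant that uses a 700-series MAC list the way option 2 in the thread describes. The MAC-list lines in that variant use the `access-list 700 deny <mac> <mask>` syntax as I know it and are constructed sample addresses; treat both as assumptions to verify against your IOS release.

```python
"""Audit an IOS config for IP access-lists that transparent bridging bypasses.

Added example for the groupstudy thread above; not code from the list or Cisco.
Assumption: the bridge-group filter commands named in BRIDGE_FILTERS exist with
the ACL number ranges given, and `no ip routing` + `bridge-group` means IP is
bridged, so `ip access-group` on that interface is never evaluated.
"""
import re

# Copied from Ole's post (sample input for the audit).
SAMPLE_CONFIG = """
no ip routing
!
interface Ethernet0
 ip address 10.25.14.1 255.0.0.0
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
interface Ethernet1
 ip address 10.25.14.1 255.0.0.0
 ip access-group 100 in
 no ip directed-broadcast
 no ip route-cache
 no mop enabled
 bridge-group 1
!
bridge 1 protocol dec
!
ip classless
!
access-list 100 deny   ip any any
!
"""

# Constructed variant (option 2 in the thread): a 700-series MAC address list on e1
# instead of the IP ACL. MAC addresses are made up; syntax is an assumption.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " ip access-group 100 in\n", " bridge-group 1 input-address-list 700\n"
) + (
    "access-list 700 deny   0010.a4ab.cd01 0000.0000.0000\n"
    "access-list 700 permit 0000.0000.0000 ffff.ffff.ffff\n"
)

# Per-interface filters that IOS applies to *bridged* frames, with the
# numbered-ACL range each one expects (assumed; verify on your release).
BRIDGE_FILTERS = {
    "input-address-list": (700, 799), "output-address-list": (700, 799),   # MAC
    "input-type-list": (200, 299), "output-type-list": (200, 299),         # Ethertype
    "input-pattern-list": (1100, 1199), "output-pattern-list": (1100, 1199),  # extended MAC
}


def parse_ios(text):
    """Split a running-config into global lines and per-interface sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return (severity, message) findings about filtering that cannot take effect."""
    global_lines, interfaces = parse_ios(text)
    ip_routing = "no ip routing" not in global_lines
    defined_acls = set()
    for line in global_lines:
        m = re.match(r"access-list (\d+)\s", line)
        if m:
            defined_acls.add(int(m.group(1)))
    findings = []
    for name, cmds in interfaces.items():
        groups = [c.split()[1] for c in cmds if re.match(r"bridge-group \d+$", c)]
        has_bridge_filter = False
        for c in cmds:
            m = re.match(r"ip access-group (\S+) (in|out)$", c)
            if m and groups and not ip_routing:
                # The point of the thread: IP is bridged here, so this ACL is dead.
                findings.append(("HIGH", f"{name}: ip access-group {m.group(1)} {m.group(2)} "
                                 f"is never consulted: IP routing is off and the interface "
                                 f"bridges in group {groups[0]}, so IP frames are switched at L2"))
            m = re.match(r"bridge-group (\d+) (\S+-list) (\d+)$", c)
            if m and m.group(2) in BRIDGE_FILTERS:
                has_bridge_filter = True
                acl, (lo, hi) = int(m.group(3)), BRIDGE_FILTERS[m.group(2)]
                if not lo <= acl <= hi:
                    findings.append(("HIGH", f"{name}: {m.group(2)} {acl} is outside {lo}-{hi}"))
                elif acl not in defined_acls:
                    findings.append(("MEDIUM", f"{name}: {m.group(2)} references undefined "
                                     f"access-list {acl}"))
        if groups and not ip_routing and not has_bridge_filter:
            findings.append(("INFO", f"{name}: bridging with no bridge-group filter list"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with MAC list", FIXED_CONFIG)):
        print(f"== {label} ==")
        for sev, msg in audit(cfg):
            print(f"[{sev}] {msg}")
```

Run it as-is and the posted config yields one HIGH finding on Ethernet1 and INFO on both interfaces; the MAC-list variant yields no HIGH. The script deliberately does not model the routed case (IP routing on, or `bridge irb`), because that is option 1 in the thread and changes where IP is switched; extend `audit` if you go that way.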
