Andrew L wrote:
> Hi everyone.
>
> I'm using a 2900 Catalyst and embarrassingly enough, I cannot fully block
> myself from port 80. My ACL does block me from accessing the switch's Web
> interface, but I still surf the net.
>
> I'm on port F0/2 and my router is on F0/9. All ports are on the default
> VLAN.
>
> Any help appreciated. Thanks in advance!
>
> interface VLAN1
>  ip address 192.168.0.5 255.255.255.0
>  ip access-group 101 in
>  no ip directed-broadcast
>  no ip route-cache
> !
> access-list 101 deny tcp any any eq www
> access-list 101 permit ip any any

Andrew,
1. Most 2900 series switches that I've worked with didn't have layer 3 capabilities. Which model of 2900 is this, anyway? [2948G-L3 ?]

2. You don't give the IP address of the Internet router, but I'll assume it's just plugged into VLAN1 like everything else. I'm still a bit confused on the model so I'll just pretend it's a 6500 with MSFC.

I think your problem may be that all ports are on the default VLAN. You are initializing an internal router interface on the single VLAN, but where is it going to route to? For a router to work, it needs two interfaces, which means you need two VLANs so that packets on one VLAN can route to the other. Further, if your external router and workstation are on the same VLAN/subnet, the internal switch router will be ignored.

If you want to see something happen, put your workstation on one VLAN and assign the VLAN and your workstation to subnet 1 (choose your IP addresses). Then put the external Internet router on another VLAN/subnet (subnet 2) and assign that subnet a different set of IP addresses. Now the PC will be forced to route through the internal switch's router to get out to the Internet.

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26181&t=26175
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
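The two-VLAN layout the reply describes, written out as an IOS configuration. This is an added example and not part of either post. It assumes a Catalyst model that actually performs inter-VLAN routing (the reply's own doubt about which 2900 this is still applies), and the VLAN numbers, subnets and addresses (VLAN 10 / 192.168.1.0/24 for the workstation on F0/2, VLAN 20 / 192.168.2.0/24 for the Internet router on F0/9, router at 192.168.2.254) are chosen for illustration only.

```cisco
! Added example: inter-VLAN routing on a layer-3 Catalyst so the
! workstation's web traffic must cross an SVI where ACL 101 is applied.
! VLAN numbers, subnets and addresses are assumptions for illustration.
ip routing
!
vlan 10
 name WORKSTATIONS
vlan 20
 name UPLINK
!
! Workstation (was F0/2 on VLAN 1)
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
! Internet router (was F0/9 on VLAN 1)
interface FastEthernet0/9
 switchport mode access
 switchport access vlan 20
!
! Subnet 1: workstation side. The PC's default gateway is this SVI,
! so an inbound ACL here sees everything the PC sends off-subnet.
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
! Subnet 2: uplink side, facing the Internet router.
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
!
! Default route toward the Internet router (address assumed).
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
! Same filter as the original post: block outbound HTTP, allow the rest.
access-list 101 deny   tcp any any eq www
access-list 101 permit ip any any
```

With this in place the PC is addressed in 192.168.1.0/24 with default gateway 192.168.1.1, and the Internet router needs 192.168.2.254 plus a route back to 192.168.1.0/24 via 192.168.2.1. To confirm the filter is actually in the path, `show ip interface vlan 10` should report the inbound access list as 101, and the deny entry's match counter in `show access-lists 101` should climb when the PC tries to browse. The reason the original single-VLAN setup only blocked the switch's own web interface is that PC-to-router traffic on one VLAN is switched at layer 2 and never reaches the VLAN1 SVI; only packets addressed to the switch itself hit that ACL.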