RE: Problem with access-list [7:43021]

OK, I'm not an all-powerful CCIE, but I'll take a stab at this. Applying an access list to a switch is only going to limit access to and from your management interface. Switched traffic through the switch is still switched traffic, and by and large, a switch doesn't ever look at IP information, thus wouldn't filter anything based on an IP address. That would explain why you can't ping the host from the switch (I'd imagine you are getting a Request Timed Out) but the traffic from the outside world still gets through.

Also, what's up with the 2000 access list? Would not an extended IP list be 100-199?

--Tim

Christian Fredrickson wrote:

> Running a Cisco switch 3548XL. Trying to block a specific IP address.
> The access-list looks like: (I substituted the IP addresses)
>
>     access-list 2000 deny ip host ip_address any
>     access-list 2000 permit ip range.0 0.0.0.255 any
>     access-list 2000 deny ip any any
>
> All ports on this switch belong to the same VLAN, and all other switches use this switch to get to the upper layer switch and use that to get to the router.
>
> The vlan looks like: (I substituted the IP addresses)
>
>     interface VLAN1
>      description line
>      ip address switch_ip 255.255.255.0
>      ip access-group 2000 in
>
> But I can still ping the host from external addresses. Why is this ACL not working?
>
> Thank you all in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43117&t=43021
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Problem with access-list [7:43021]

> Also, what's up with the 2000 access list? Would not an extended IP list be 100-199?

2000-2699 are also extended IP lists. Cisco calls them expanded range :-). Sort of reminds me of expanded and extended memory in DOS days ;-)

Marko.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43136&t=43021
RE: Problem with access-list [7:43021]

Well, that's a bit twisted. :-) I guess those 200 other IP access lists were not enough? I fear the router which can use them all and still somehow forward packets.

I'm curious to find if I was correct on the other bit, though... The access list should only apply to the management functions on the switch, right? Just because it's an IOS switch doesn't mean it has routing functions. Switched traffic would not be affected by an access list applied to the switch. It would only limit traffic from the specified host from, say, telnetting into the sc0 (or keep pings from returning). The rest of the time, the switch will keep on passing traffic based on Layer 2 information, and never pay attention to Layer 3.

--Tim, I so much want to be right on this... :-)

Marko Milivojevic wrote:

> > Also, what's up with the 2000 access list? Would not an extended IP list be 100-199?
>
> 2000-2699 are also extended IP lists. Cisco calls them expanded range :-). Sort of reminds me of expanded and extended memory in DOS days ;-)
>
> Marko.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43137&t=43021
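As an added illustration of Tim's point in the two replies above (an inbound ACL on the VLAN1 interface only sees packets addressed to the switch's own management IP, while transit frames are forwarded on MAC addresses and never consult it) and of Marko's note on the numbered ACL ranges, here is a small Python model. It is example code written for this page, not from the thread, from Cisco or from the 3548XL's actual forwarding path; the addresses, the access-list text and the simplified forwarding logic are constructed for the example, and `L2Switch`, `acl_permits`, `parse_ace` and `acl_kind` are hypothetical names.

```python
"""Added example (not from the GroupStudy thread or from Cisco): a toy model of
why 'ip access-group 2000 in' on a Layer-2 switch's VLAN interface only filters
packets addressed to the switch itself. Addresses, ACL text and forwarding
logic are constructed; L2Switch, acl_permits, parse_ace, acl_kind are hypothetical."""
import ipaddress
from dataclasses import dataclass


def acl_kind(number: int) -> str:
    """Classify a numbered IP access list by the ranges quoted in the thread."""
    if 1 <= number <= 99:
        return "IP standard"
    if 100 <= number <= 199:
        return "IP extended"
    if 1300 <= number <= 1999:
        return "IP standard (expanded range)"
    if 2000 <= number <= 2699:
        return "IP extended (expanded range)"
    raise ValueError(f"{number} is not a numbered IP access list")


@dataclass
class Ace:
    """One access-control entry; wildcard bits set to 1 are 'don't care'."""
    action: str
    src: str
    src_wild: str
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"


def _matches(addr: str, base: str, wild: str) -> bool:
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)


def _take_address(tokens):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((addr, wild), rest)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse one 'access-list N permit|deny ...' line into (N, Ace)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    extended = "extended" in acl_kind(number)
    if extended:
        rest = rest[1:]  # skip the protocol keyword; only 'ip' is modelled here
    src, rest = _take_address(rest)
    # Standard lists match on source only; extended lists also carry a destination.
    dst, rest = _take_address(rest) if extended else (("0.0.0.0", "255.255.255.255"), rest)
    return number, Ace(action, src[0], src[1], dst[0], dst[1])


def acl_permits(aces, src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(src_ip, ace.src, ace.src_wild) and _matches(dst_ip, ace.dst, ace.dst_wild):
            return ace.action == "permit"
    return False


class L2Switch:
    """A switch whose only IP interface is the VLAN1 SVI carrying an inbound ACL."""

    def __init__(self, mgmt_ip: str, acl_lines):
        self.mgmt_ip = mgmt_ip
        self.acl = [parse_ace(line)[1] for line in acl_lines]

    def handle(self, src_ip: str, dst_ip: str) -> str:
        # Only packets addressed to the SVI itself are evaluated against the 'in' ACL.
        if dst_ip == self.mgmt_ip:
            return "delivered to switch" if acl_permits(self.acl, src_ip, dst_ip) else "dropped by ACL"
        # Everything else is forwarded on MAC addresses; the IP ACL is never consulted.
        return "switched"


# Constructed stand-ins for the thread's substituted addresses.
SWITCH_IP = "10.1.1.1"
BLOCKED_HOST = "10.1.1.50"
ACL_2000 = [
    f"access-list 2000 deny ip host {BLOCKED_HOST} any",
    "access-list 2000 permit ip 10.1.1.0 0.0.0.255 any",
    "access-list 2000 deny ip any any",
]
ACL_1 = ["access-list 1 deny host 172.16.1.1", "access-list 1 permit any"]


def demo():
    """Reproduce the thread's symptom: only traffic to the switch is filtered."""
    sw = L2Switch(SWITCH_IP, ACL_2000)
    return {
        "reply from blocked host to switch": sw.handle(BLOCKED_HOST, SWITCH_IP),
        "blocked host to another LAN host": sw.handle(BLOCKED_HOST, "10.1.1.20"),
        "external host pinging blocked host": sw.handle("192.0.2.7", BLOCKED_HOST),
        "LAN host to switch": sw.handle("10.1.1.20", SWITCH_IP),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running `demo()` shows the first case dropped (the echo reply to the switch's own ping never gets past the inbound ACL, hence the timeout Tim predicts) while the two transit cases are simply switched, which is why external hosts can still reach the blocked address. The ACL evaluator is also fed the standard list 1 from later in the thread to show that a 1-99 list is parsed without a protocol or destination field; the numbering itself does not change where the filter takes effect.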
Re: Problem with access-list [7:43021]

IP extended access-lists are 100-199, 2000-2699.

I think Tim is correct: if you're attempting to block pings between two devices on the same VLAN, you're not going to do it on the router.

Dave

timothy thielen wrote:

> OK, I'm not an all-powerful CCIE, but I'll take a stab at this. Applying an access list to a switch is only going to limit access to and from your management interface. Switched traffic through the switch is still switched traffic, and by and large, a switch doesn't ever look at IP information, thus wouldn't filter anything based on an IP address. That would explain why you can't ping the host from the switch (I'd imagine you are getting a Request Timed Out) but the traffic from the outside world still gets through.
>
> Also, what's up with the 2000 access list? Would not an extended IP list be 100-199?
>
> --Tim
>
> Christian Fredrickson wrote:
>
> > Running a Cisco switch 3548XL. Trying to block a specific IP address.
> > The access-list looks like: (I substituted the IP addresses)
> >
> >     access-list 2000 deny ip host ip_address any
> >     access-list 2000 permit ip range.0 0.0.0.255 any
> >     access-list 2000 deny ip any any
> >
> > All ports on this switch belong to the same VLAN, and all other switches use this switch to get to the upper layer switch and use that to get to the router.
> >
> > The vlan looks like: (I substituted the IP addresses)
> >
> >     interface VLAN1
> >      description line
> >      ip address switch_ip 255.255.255.0
> >      ip access-group 2000 in
> >
> > But I can still ping the host from external addresses. Why is this ACL not working?
> >
> > Thank you all in advance.

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
Emotion should reflect reason not guide it

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43144&t=43021
RE: Problem with access-list [7:43021]

I don't think you can filter based on MAC with Ethernet... There is a technology in which you can, but I'm drawing a blank on what it was. I think it was Token Ring only or some such nonsense. I think that it's irrelevant, however, since it's still a router function and the switching engine is still going to blissfully forward packets and ignore your access-lists.

--Tim

Christian Fredrickson wrote:

>     IP standard access list
>     IP extended access list
>     IP standard access list (expanded range)
>     IP extended access list (expanded range)
>
> Then is it possible to create an access list based on the host MAC address?
>
> Chris
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 02, 2002 8:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Problem with access-list [7:43021]
>
> > OK, I'm not an all-powerful CCIE, but I'll take a stab at this. Applying an access list to a switch is only going to limit access to and from your management interface. Switched traffic through the switch is still switched traffic, and by and large, a switch doesn't ever look at IP information, thus wouldn't filter anything based on an IP address. That would explain why you can't ping the host from the switch (I'd imagine you are getting a Request Timed Out) but the traffic from the outside world still gets through.
> >
> > Also, what's up with the 2000 access list? Would not an extended IP list be 100-199?
> >
> > --Tim
> >
> > Christian Fredrickson wrote:
> >
> > > Running a Cisco switch 3548XL. Trying to block a specific IP address.
> > > The access-list looks like: (I substituted the IP addresses)
> > >
> > >     access-list 2000 deny ip host ip_address any
> > >     access-list 2000 permit ip range.0 0.0.0.255 any
> > >     access-list 2000 deny ip any any
> > >
> > > All ports on this switch belong to the same VLAN, and all other switches use this switch to get to the upper layer switch and use that to get to the router.
> > >
> > > The vlan looks like: (I substituted the IP addresses)
> > >
> > >     interface VLAN1
> > >      description line
> > >      ip address switch_ip 255.255.255.0
> > >      ip access-group 2000 in
> > >
> > > But I can still ping the host from external addresses. Why is this ACL not working?
> > >
> > > Thank you all in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43153&t=43021
RE: Problem with access-list [7:43021]

Also, once this access-list is in place, I cannot ping that address from the switch, but I can ping it from any other machine. I have also blocked icmp to that host using the same access-list, and all addresses excepting the switch can ping the host that should be blocked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Christian Fredrickson
Sent: Wednesday, May 01, 2002 2:02 PM
To: [EMAIL PROTECTED]
Subject: Problem with access-list [7:43021]

> Running a Cisco switch 3548XL. Trying to block a specific IP address.
> The access-list looks like: (I substituted the IP addresses)
>
>     access-list 2000 deny ip host ip_address any
>     access-list 2000 permit ip range.0 0.0.0.255 any
>     access-list 2000 deny ip any any
>
> All ports on this switch belong to the same VLAN, and all other switches use this switch to get to the upper layer switch and use that to get to the router.
>
> The vlan looks like: (I substituted the IP addresses)
>
>     interface VLAN1
>      description line
>      ip address switch_ip 255.255.255.0
>      ip access-group 2000 in
>
> But I can still ping the host from external addresses. Why is this ACL not working?
>
> Thank you all in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43039&t=43021
Re: Problem with access-list [7:43021]

Extended access list can have number between 100-199. I don't know if 2000 will work... But hey, I am not sure if this is true... I may be very silly here...

----- Original Message -----
From: Christian Fredrickson
To:
Sent: Wednesday, May 01, 2002 1:01 PM
Subject: Problem with access-list [7:43021]

> Running a Cisco switch 3548XL. Trying to block a specific IP address.
> The access-list looks like: (I substituted the IP addresses)
>
>     access-list 2000 deny ip host ip_address any
>     access-list 2000 permit ip range.0 0.0.0.255 any
>     access-list 2000 deny ip any any
>
> All ports on this switch belong to the same VLAN, and all other switches use this switch to get to the upper layer switch and use that to get to the router.
>
> The vlan looks like: (I substituted the IP addresses)
>
>     interface VLAN1
>      description line
>      ip address switch_ip 255.255.255.0
>      ip access-group 2000 in
>
> But I can still ping the host from external addresses. Why is this ACL not working?
>
> Thank you all in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43042&t=43021
Re: Problem with access-list [7:43021]

If this is an IOS switch: if you are trying to filter an IP address, use an ACL number between 1-99, e.g.

    access-list 1 deny host 172.16.1.1
    access-list 1 permit any

PING

Christian Fredrickson wrote:

> Running a Cisco switch 3548XL. Trying to block a specific IP address.
> The access-list looks like: (I substituted the IP addresses)
>
>     access-list 2000 deny ip host ip_address any
>     access-list 2000 permit ip range.0 0.0.0.255 any
>     access-list 2000 deny ip any any
>
> All ports on this switch belong to the same VLAN, and all other switches use this switch to get to the upper layer switch and use that to get to the router.
>
> The vlan looks like: (I substituted the IP addresses)
>
>     interface VLAN1
>      description line
>      ip address switch_ip 255.255.255.0
>      ip access-group 2000 in
>
> But I can still ping the host from external addresses. Why is this ACL not working?
>
> Thank you all in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43045&t=43021