Does anybody have any good links for VLAN Access maps and bridge ACLs? I've
gone through my Cisco library and the CCO, and haven't found much...
Thanks in advance for any help...
--- Dennis
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i
-Original Message-
From: Dennis Laganiere [mailto:[EMAIL PROTECTED]
Sent: Sunday, 10 August 2003 22:19
To: [EMAIL PROTECTED]
Subject: VLAN Access maps and bridge ACLs [7:73844]
Does anybody have any good links for VLAN Access maps and bridge ACLs? I've
gone
the author by replying to this message. If you are not the named
>recipient, you are not authorized to use, disclose, distribute, copy, print
>or rely on this email, and should immediately delete it from your computer.
>
>
>-Original Message-
>From: Tom Martin [mailto:[EMA
Comments are inline.
Reimer, Fred wrote:
>So would it match a network of 131.108.0.0/24? From what Cisco says, that
>it matches the classful mask if none is specified, it should not match.
>From what you say it sounds like you think it would match.
>
>
An access-list with wildcards (131.108.0
-Original Message-
From: Tom Martin [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 15, 2003 9:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Standard ACLs and distribute-list [7:72253]
Fred,
If the access-list were applied as an inbound or outbound interface
filter, it would match a single host. Since the access-list is being
applied using a distribution list it doesn't match just a single host --
it matches the network 131.108.0.0 and must match every bit exactly.
It wouldn
From: Reimer, Fred [mailto:[EMAIL PROTECTED]
Sent: Monday, July 14, 2003 1:50 PM
To: [EMAIL PROTECTED]
Subject: Standard ACLs and distribute-list [7:72253]
Here's what should be a simple question.
If standard access lists are used with a distribute list, how is the mask
treated if none is specified in an ACE? The Cisco documentation says:
"The following router configuration mode example causes only one network
(network 131.108.0.0) to be adv
and Qs or you get left behind.
That's why I love this job!
-Original Message-
From: Bob Sinclair [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 9:17 AM
To: Newell Ryan D SrA 18 CS/SCBT; [EMAIL PROTECTED]
Subject: Re: CEF on 6500 and ACLs [7:63175]
Some comments in-line. It is becoming (has become?) very difficult if not
impossible to tease out the "switch" from the "router" with PFC2/MSFC2.
This box has the functions of both, and they are integrated in the hardware.
For example, the Layer 2 switching engine, the QoS engine and the ACL
With CEF (PFC 2) if there is an adjacency for the destination host, to my
understanding, that packet will never be routed. It should just be rewritten
by the PFC 2 (SP). If this is correct then these are my questions.
1. How does an IOS ACL affect the rewrite on the switch?
2. Where on th
have nothing to do with
> access-lists.
>
> All the best,
> Alexandru Barbu
> CCAI
>
>
> --- Karagozian Sarkis
> wrote: > Can someone explain what these ACLs do ???
> > When applied to an interface (in)
> >
> > Interface e0
> > !
> > !
traffic going out that interface.
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache same-interface
These commands have nothing to do with
access-lists.
All the best,
Alexandru Barbu
CCAI
--- Karagozian Sarkis
wrote: > Can someone explain what these ACLs
Not sure if IPX is used, but this will block any incoming/outgoing IP
traffic, correct...
I will investigate more and get back...
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62929&t=62843
--
FAQ, list archives, and subscription
comments in line below
""Karagozian Sarkis"" wrote in message
news:[EMAIL PROTECTED]...
> Can someone explain what these ACLs do ???
> When applied to an interface (in)
>
> Interface e0
> !
> !
> ip access-group 194 in
Can someone explain what these ACLs do ???
When applied to an interface (in)
Interface e0
!
!
ip access-group 194 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache same-interface
!
access-list 194 deny ip any any
access-list 195 deny udp any gt 1024
-address-list 700
happy hunting.
Chuck
""Vijendra Jaiswal"" wrote in message
news:[EMAIL PROTECTED]...
> Hello All ,
>
> Can anyone pls post a sample configuration of the MAC addresses ACLs so as
> to restrict the MAC addresses using Acce
Hello All ,
Can anyone pls post a sample configuration of the MAC addresses ACLs so as
to restrict the MAC addresses using Access Control Lists .
Thanks in advance ,
Vijendra.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33554&
> > packets in a variety of ways. Check out http://www.insecure.org for some
> > informative white papers on OS fingerprinting.
> >
> > - Sean
> >
> > -Original Message-
> > From: bergenpeak [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, Janu
> Sent: Wednesday, January 23, 2002 4:18 AM
> To: [EMAIL PROTECTED]
> Subject: ACLs, TCP segments, and the "fragments" keyword [7:32922]
>
> Looking at extended ACLs I see there's an option to define ACL
> statements which can key on whether the IP packet
fragmented
packets in a variety of ways. Check out http://www.insecure.org for some
informative white papers on OS fingerprinting.
- Sean
-Original Message-
From: bergenpeak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 4:18 AM
To: [EMAIL PROTECTED]
Subject: ACLs, TCP segment
> stop doing its job.
>
> You would only want to have this filter on for a short time and use it for
> logging purposes. Having it on indefinitely would make matters even worse.
>
> Other than that, I can't think of a use for such an ACL.
>
> Priscilla
>
> At 07:18
>
>Other than that, I can't think of a use for such an ACL.
>
>Priscilla
>
>At 07:18 AM 1/23/02, bergenpeak wrote:
>>Looking at extended ACLs I see there's an option to define ACL
>>statements which can ke
make matters even worse.
Other than that, I can't think of a use for such an ACL.
Priscilla
At 07:18 AM 1/23/02, bergenpeak wrote:
>Looking at extended ACLs I see there's an option to define ACL
>statements which can key on whether the IP packet contains a
>fragment.
>
>
I ran into something similar the other day. Configured a 2610
ethernet for full-duplex which it accepted no problem. This was
connected to a 4006, 10M full-duplex, started getting duplex mismatches.
I haven't taken the time to look but me thinks the 2610 accepts
full-duplex but doesn't really su
If this is a 2948 G-L3, they do not support extended access lists. The IOS
won't give you an error, it just won't work. The Cisco site backs this up
at:
http://www.cisco.com/warp/public/473/29.html#intro
sam sneed
""Andrew L"" wrote in message
news:[EMAIL PROTECTED]...
> Hi e
Andrew L wrote:
> Hi everyone.
>
> I'm using a 2900 Catalyst and embarrassingly enough, I cannot fully block
> myself from port 80. My ACL does block me from accessing the switch's Web
> interface, but I still surf the net.
>
> I'm on port F0/2 and my router is on F0/9. All ports are on the
VLAN access-groups act differently than routers; try switching it to an out
ACL instead.
MikeM
- Original Message -
From: Andrew L
To:
Sent: Tuesday, November 13, 2001 8:59 PM
Subject: ACLs Applied to VLANs [7:26175]
> Hi everyone.
>
> I'm using a 2900 Catalyst and
You need to add
IP ACCESS-GROUP 101 OUT
also to block outgoing WWW requests.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 7:59 PM
To: [EMAIL PROTECTED]
Subject: ACLs Applied to VLANs [7:26175]
Hi everyone.
I'm using a 2900 Catalyst and embarrassingly enough, I cannot fully block
myself from port 80. My ACL does block me from accessing the switch's Web
interface, but I still surf the net.
I'm on port F0/2 and my router is on F0/9. All ports are on the default
VLAN.
Any help a
but does the job for the most part
Santosh Koshy
""Geoff Zinderdine"" wrote in message
news:[EMAIL PROTECTED]...
> There is no method sufficiently granular to stop Code
> Red or CodeRed II using ACLs without blocking all
> related non-a
There is no method sufficiently granular to stop Code
Red or CodeRed II using ACLs without blocking all
related non-attack traffic... what you really need is
a stateful firewall that can block http GET requests
that contain "default.ida".
Geoff Zinderdine
CCNP MCP CCA
MTS Comm
Let me explain...
1) the methodology used is a subset of NBAR called "class based marking
feature", which is available in ver 12.1(5)T or higher...
2) you must enable cef before you configure NBAR
go to the following link for more info
http://www.cisco.com/univercd/cc/td/doc/product/software/ios12
How would you block code red with CEF and NBAR?
On Sun, 5 Aug 2001 19:28:10 -0400, Santosh Koshy wrote:
> Depends on your edge router you need a router that supports CEF &
> NBAR (3600, 7000, e.t.c.) with IOS 12.1(5) T or higher
>
> Thanks,
> Santosh
>
> ""Russ Kreigh"" wrote
Depends on your edge router you need a router that supports CEF &
NBAR (3600, 7000, e.t.c.) with IOS 12.1(5) T or higher
Thanks,
Santosh
""Russ Kreigh"" wrote in message
news:[EMAIL PROTECTED]...
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=14967&t=14967
At 07:32 PM 7/9/01, Mike Mandulak wrote:
>Thank you Priscilla, that's what I thought. Now for part 2 of this question.
>The syn w/fin packets are coming in from our internet connections, so I
>started looking at putting acls on the serial ints of these routers, I see
>that I can create
That doesn't sound valid to me. Its only purpose would be a port scan to
determine if a port is open. With that said, however, there are legitimate
reasons for doing port scans. Sometimes they are used to test which ports
are open so that those ports can be explicitly secured.
Priscilla
At 04
Would there be any valid reason for having both the syn and fin flags set in
the same packet? My IDS reports are saying that it is usually from a port
scan.
MikeM
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=11264&t=11264
Hi, here are some more:
Jun 27 00:12:43 a.b.c.1 2289: 6w5d: %SEC-6-IPACCESSLOGP: list 110 denied tcp
213.42.17.197(0) (Serial1/1 *HDLC*) -> 195.229.12.252(0), 1 packet
Jun 27 00:12:49 a.b.c.1 2290: 6w5d: %SEC-6-IPACCESSLOGP: list 110 denied tcp
213.42.17.197(0) (Serial1/1 *HDLC*) -> 195.229.12.249
Hello all,
I was trying to play around with anti-spoofing ACLs on one of our test
routers connected to our upstream ISP ... I logged the denials of the
anti-spoofing ACLs and I saw a whole bunch of info but I am at a loss as
to what is happening in some cases ... this is what I applied
Another alternative is to use named access-lists, which allow you
to reference an acl using a user-defined name instead of a number.
This feature was introduced in IOS 11.2 and theoretically allows
you to create an unlimited number of acls.
HTH,
Kent
On 28 Feb 2001, at 21:37, Brian wrote
>[EMAIL PROTECTED] wrote,
>On the higher-end routers you can compile the ACLs and
>they get processed a little bit quicker. The feature
>is called Turbo ACLs. I haven't had an opportunity to
>be around a higher-end router long enough to really
>test them to see how
On the higher-end routers you can compile the ACLs and
they get processed a little bit quicker. The feature
is called Turbo ACLs. I haven't had an opportunity to
be around a higher-end router long enough to really
test them to see how much of a difference it makes.
--- "Howard C.
rate-limiting customers but we
> cannot get more than 100 ACLs per router so once we have over 100 customers
> we are compelled to install a second router.
>
>
>
>You need to limit your ACLs because the more ACLs you have, the more your CPU usage will go up.
No, the total number of ACLs affects memory but not CPU.
The number of lines in each ACL affects CPU.
Depending on platform and switching mode, adding access-lists at ALL
is the main impact on performance and
>From: "Plantier, William" <[EMAIL PROTECTED]>
>Reply-To: "Plantier, William" <[EMAIL PROTECTED]>
>To: "'ciscojolof'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: RE: How to stash more than 100 ACLs in a r
Subject: RE: How to stash more than 100 ACLs in a router
Use named access lists
eg
ip access-list extended name - only supported in IOS 11.2 and above
-Original Message-
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 3:51 PM
To: [EMAI
Good luck.
Roger
-Original Message-
From: Plantier, William [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 08:10
To: 'ciscojolof'; [EMAIL PROTECTED]
Subject: RE: How to stash more than 100 ACLs in a router
You need to limit your A
Use named access lists
eg
ip access-list extended name - only supported in IOS 11.2 and above
-Original Message-
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 3:51 PM
To: [EMAIL PROTECTED]
Subject: How to stash more than 100 ACLs in a router
Guys
You need to limit your ACLs because the more ACLs you have, the more your CPU usage will go up.
-Original Message-
From: ciscojolof [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 9:51 AM
To: [EMAIL PROTECTED]
Subject: How to stash more than 100 ACLs in a router
Guys,
I have a problem: in our network we are rate-limiting customers, but we
cannot get more than 100 ACLs per router, so once we have over 100 customers
we are compelled to install a second router.
Hi
The basic answer is yes.
The more detailed answer is that ACLs, when edited from the CLI, are handled
in a sequential way, e.g.
permit tcp any any eq 80
deny ip any any log
permit tcp any any eq 23
The permit for telnet would be added at the end of the ACL list, and in this
case would be useless.
If you add your own deny all statement at the end of an Access-List, will
all other statements then be added as well after the deny all?
The only thing I suggest is to keep the ACL as short as possible. I would
also enable flow based IP route caching (IP route-cache flow) on any
interfaces processing the ACL. Flow based route caching provides a more
efficient means for processing extended ACLs and will reduce the CPU
utilization
I am working mostly with Cisco 2600 routers and was considering using ACLs
to add more security. The network I administer has a firewall behind an
access router connected to the Internet. I am thinking about ACLs such as:
Allowing ICMP only from subnets our few other locations are on (so I can
Inline...
--- Chuck Larrieu <[EMAIL PROTECTED]> wrote:
> There is an interesting thread coming through on
> NANOG ( www.nanog.org )
> regarding a suspected DDoS buildup. The following in
> one message I thought
> might be of interest to us Cisco aficionados
>
> BTW - there is reportedly an extre
Subject: RE: CEF RPF check w/ACLs (was: Re: netscan.org update)
What a novel idea.. :). That would put all my expect programmers out of
business though.. o well.
If there are any Cisco folks listening.. This just makes sense.
Mark
--
> -Original Messag
If you have a CSV or Excel file of the list of routers with interfaces and IP
addresses, you can build your configs using mail merge. I've only done this
with 30 routers at once...
Chris Stocker wrote:
> Is there away to make an access list to only allow telnet from the serial
> interface (ex:
Is there a way to make an access list to only allow telnet from the serial
interface (ex: the /30 address on that interface) or default gateway, if the
ip address or gateway isn't known. I want to know this because I have about
500 routers I need to put this on and I want to tftp a standard config
SMTP and the internal network's policy is such that it sends SMTP to the
firewall. Apply an ACL to route the traffic right? Which begs the question
does Policy negate ACLs?? Our external net uses ip based routing, if that
helps.
access-list 700-799
hope this helps.
Cheers, Eric
"_ tlgerber" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Is there a way to configure a Cisco router to filter packets by a host's
> physical address rather than its logical addresses?
>
> Thanks Tom
"_ tlgerber" <[EMAIL PROTECTED]>@groupstudy.com on 06/20/2000 02:35:23
PM
Please respond to "_ tlgerber" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: ACLs using MAC addresses
Is there a way to configure a cisco rou
--- _ tlgerber <[EMAIL PROTECTED]> wrote:
> Is there a way to configure a Cisco router to filter
> packets by a host's
> physical address rather than its logical addresses?
>
> Thanks Tom
You can use the access list range 700-799 for normal
access list and from 1100-1199 for extended access
Is there a way to configure a Cisco router to filter packets by a host's
physical address rather than its logical addresses?
Thanks Tom