router CPU utilization on access lists? [7:75002]
Priscilla Oppenheimer wrote:
> Yes, that's true indeed that access lists don't cause process switching
> anymore, so wouldn't show up in IP Input.
>
At 10:08 PM + 9/8/03, Priscilla Oppenheimer wrote:
>Maybe a dumb question, but I know you guys can help me. :-)
>
>How would I know if a router is using excessive CPU on IP access lists?
>
>What am I looking for when I do a show processes cpu?
>
>Thanks,
>
>Priscil
Priscilla Oppenheimer wrote:
> Yes, that's true indeed that access lists don't cause process switching
> anymore, so wouldn't show up in IP Input.
>
Two exceptions that I failed to mention are logging and the side effect
of a deny. By default, a deny causes the gen
M.C. van den Bovenkamp wrote:
>
> Elijah Savage wrote:
>
> > I have actually been told by TAC before IP Input, for what it
> is worth
> > :)
>
> Not much, anymore :-). It's been a *long* time (IOS 10.x?)
> since access
> lists were process switched, and
Elijah Savage wrote:
> I have actually been told by TAC before IP Input, for what it is worth
> :)
Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access
lists were process switched, and thus would show up as extra time spent
in 'IP Input'.
I have actually been told by TAC before IP Input, for what it is worth
:)
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Monday, September 08, 2003 6:09 PM
To: [EMAIL PROTECTED]
Subject: router CPU utilization on access lists? [7:75002]
Maybe a dumb
Aren't interfaces with access-lists process switched?
So I would imagine it would be IP Input but this is rather vague as
well.
Correct me if I'm wrong.
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 September 2003 8:09 AM
To: [EMAIL PROT
> What am I looking for when I do a show processes cpu?
I believe it's "IP Input".
Marko.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=75009&t=75002
--
**Please support GroupStudy by purchasing from the GroupStudy Store:
Priscilla Oppenheimer wrote:
> Maybe a dumb question, but I know you guys can help me. :-)
>
> How would I know if a router is using excessive CPU on IP access lists?
>
> What am I looking for when I do a show processes cpu?
>
You can't determine the portion due to
Maybe a dumb question, but I know you guys can help me. :-)
How would I know if a router is using excessive CPU on IP access lists?
What am I looking for when I do a show processes cpu?
Thanks,
Priscilla
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=75002&
ot the named
recipient, you are not authorized to use, disclose, distribute, copy, print
or rely on this email, and should immediately delete it from your computer.
-Original Message-
From: Coy, Jason (Jason) [mailto:[EMAIL PROTECTED]
Sent: Saturday, July 19, 2003 9:58 PM
To: [EMAIL PROTECTED]
Subj
I have been looking for a simple explanation as to how the three relate
and their dependencies. Example configuration from a show run:
class-map match-all VLAN200
Match access-group 103
Does the above subject all VLAN200 traffic to access group 103?
Is that access group associated with the
Hi Priscilla,
Quoting Multilayer Switching Companion Guide on p. 340...
MLS creates flows based on access lists configured on the MLS-RP...the
MLS-SE handles standard and extended access list PERMIT traffic...Route
topology changes and the addition or modification of access lists are
reflected in
nedy Clark and the other person who cleared
that up. (Great to hear from Kennedy, author of one of the best Cisco Press
books, Cisco LAN Switching. It's right up there with Doyle's books.)
The books say that MLSP flushes the MLS cache when access lists are
configured or changed, or the routing
it
and an MLS flow never get created for that L4 based connection.
Hope this helps.
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: 30 March 2003 00:10
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]
With Multilayer Switching (MLS), how does
finitely knows, because you see different output
> with the "show mls" command, but how does it know? Does the
> router pass it to the switch in MLSP messages, or is there
> something more obvious that I'm missing.
>
> With some access lists, an enable packet would nev
Hi Priscilla,
Quoting Multilayer Switching Companion Guide on p. 340...
MLS creates flows based on access lists configured on the MLS-RP...the
MLS-SE handles standard and extended access list PERMIT traffic...Route
topology changes and the addition or modification of access lists are
reflected in
, not
the switch, according to descriptions of MLS.
The switch definitely knows, because you see different output with the "show
mls" command, but how does it know? Does the router pass it to the switch in
MLSP messages, or is there something more obvious that I'm missing.
With so
I guess this would depend on the media / interface that you are applying the
ACL to? EG for TR, you would use non-canonical, and if applying the address
to ethernet interface canonical.
Presumably, inbound packets from TR pass "through" any inbound ACL's, then
get converted to canonical and passe
Today I read two opposite posts about the MAC address format on MAC
access-list.
The article on 'http://www.netmasterclass.net/site/lib.php' (article
Filtering DLSW) says that one should use non canonical format.
The link
'http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ib
Hello all. I am stumped on an access-list that I need to create. What I did
was I set up two routers using RIP and put loopbacks on one of them and
advertised them in RIP. I then attempted to build an access-list allowing
just these networks to pass into the other router. The router with the
loopba
, January 14, 2003 6:59 PM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]
I am new to PIX and have a simple question. What methods do you (PIX Admins)
use to change and apply access-lists. Unlike IOS access-lists it seems you
can remove statements from the middle of the list
plying PIX
access-lists [7:61033]
ct: Re: applying PIX access-lists [7:61033]
The deny statement is there implicitly, but if you put it in as well, when you
do a show access-list command you will see the statistics of how many times
it was "hit".
As far as your suggestion goes, it may not work as well if you have over 100
access-lists and you need to put one in le
ere
should already be an implicit deny ip any any.. ?
Em
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]
I am new to PIX and have a simple question. What methods d
able
in 6.2 that might be useful,
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech
_note09186a00800d641d.shtml
Kris.
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: applying
I am new to PIX and have a simple question. What methods do you (PIX Admins)
use to change and apply access-lists. Unlike IOS access-lists it seems you
can remove statements from the middle of the list. When you do this does the
change occur immediately or do you have to reapply the access-group
t begin a post to the mail list with an URL.
> Type a line of text first, then paste the URL. The filters are designed
to
> look for an URL at the top of the post, to filter out spam.
>
> BJ
>
>
> ---Original Message---
> From: Charlie
> Sent: 12/04/02 10:24 AM
&g
PROTECTED]
Subject: Re: access lists + static routing [7:58543]
> n_guide_chapter09186a00800d9816.html
This would be helpful. I found it by searching the key words "configuring
access lists".
""Geert Loonbeek"" wrote in message
[EMAIL PROTECTED]">news:[
n_guide_chapter09186a00800d9816.html
This would be helpful. I found it by searching the key words "configuring
access lists".
""Geert Loonbeek"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hello
> I'm looking for a go
Hello
I'm looking for a good and free of charge study guide on access lists/
static routing. I'd like to take the 640-607 cisco CCNA exam.
Is there anybody who has some info on these topics.
Thanks
Geert
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i
Worked for me on 12.2(12a):
clear ip access-list counters
- Original Message -
From: "John Tafasi"
To:
Sent: Tuesday, November 12, 2002 5:22 PM
Subject: Re: Clearing access lists counters [7:57241]
> I tried this also and it did not work. Here is what I did:
>
>
I tried this also and it did not work. Here is what I did:
R5-2503#clear ip access-list count
R5-2503#show access-lists abc
Extended IP access list abc
Dynamic test permit ip any any
permit ip host 10.10.110.16 any (38 matches) (time left 134)
permit tcp any host 10.10.110.3 eq
Although that should have worked, try clear ip access-list counter as
well. I just tested this on a 3662 and both commands worked (IOS 12.1).
Tim
""John Tafasi"" wrote in message
news:20022125.VAA01591@;groupstudy.com...
> Can someone tell me how to clear access-list counters? I tried to
restart the router.
--
Curious
MCSE, CCNP
""John Tafasi"" wrote in message
news:20022125.VAA01591@;groupstudy.com...
> Can someone tell me how to clear access-list counters? I tried to use the
> command "clear access-list counters" but it did not work. Please see the
> output of the show c
Can someone tell me how to clear access-list counters? I tried to use the
command "clear access-list counters" but it did not work. Please see the
output of the show command below.
R5-2503#show access-lis abc
Extended IP access list abc
Dynamic test permit ip any any
permit ip any any (
I have 5 subnets:
172.29.10.x/24 in the U.S.
192.168.100.x/24 in the U.S.
I would like to eliminate the 192.x.x.x subnet as it is mostly redundant,
machines multihomed.
172.29.20.x/24 in Mexico
172.29.30.x/24 in Europe
172.29.40.x/24 in Mexico
Europe office has a 1720 router and E1 connection.
address is not the address of the loopback.)
> >
> > To use a basketball analogy - a direct pass won't work because
> > a blocker is
> > in the way. Instead use a bounce pass.
> >
> > > -Original Message-
> > > From: CTM CTM [mailto:[E
p StaticNAT permit 10
> match ip address StaticNAT
> set ip next-hop 2.2.2.2
> (Note the address is not the address of the loopback.)
>
> To use a basketball analogy - a direct pass won't work because
> a blocker is
> in the way. Instead use a bounce pass.
>
> > -O
om: CTM CTM [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: Messing up Access Lists [7:54268]
>
>
> I've been trying to optimize communications between two
> distant routers. So
> far I've managed to lock mys
keep in mind that
> where you place the access list matters (ie if it's an "in" or "out"
> access group).
>
> -Nate
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 12:54 PM
> T
nal Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 26, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]
I've been trying to optimize communications between two distant routers.
So
far I've managed to lock myself out of th
y the same devices multihomed as 192.168.100.0/24.
I realize my NAT is messed up and I'm wrapping my head around the literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am sl
""Priscilla Oppenheimer"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Man, I certainly wouldn't want to troubleshoot a problem on a router with
> 800 extended IP access lists! I would suggest a redesign. :-)
CL: certainly goes a long
Man, I certainly wouldn't want to troubleshoot a problem on a router with
800 extended IP access lists! I would suggest a redesign. :-)
Priscilla
Chuck's Long Road wrote:
>
> ""B.J. Wilson"" wrote in message
> [EMAIL PROTECTED]">n
""B.J. Wilson"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hey Spongebob fans -
>
> I've noticed a couple of "new" access-list ranges (1300-1999 and
CL: works precisely the same way as access-lists 1-99
> 2000-2
Hey Spongebob fans -
I've noticed a couple of "new" access-list ranges (1300-1999 and
2000-2699), which may not be all that "new," but they're ones I've never
encountered before. After a cursory search on CCO, I can't find any
documentation that really explains what they really do. Anyone h
Once, in a project, I was using CAR on a 7200 with 5 Fast Ethernet
sub-interfaces. I was using various access-lists (all of them were
Extended). CAR was limiting both receiving and transmitting (SEND) traffic.
With no NPEs or additional modules installed, the CPU time went to 40-50% in
peak times
Hi all,
My questions are regarding CAR aka rate-limit. I have used rate-limit with
access-lists but I never wondered how many policies I can create with
access-lists.
How many committed access rate policies with access-lists can be applied to
an interface?
Documentations says 100 policies (can
Paul,
You need to understand the wildcard format for access-lists. The best way to
do this is to convert your ip addresses to binary.
The beginning range address is 192.168.1.10
The ending range address is 192.168.1.15
We can quickly see that the first three octets are the same, so let's
Thangavel
What a great method - Thank you
Richard
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40907&t=40904
cc:
Sent by: Fax
to:
nobody@groupsSubject: Help with extended
access lists [7:40904]
Hello wondered if anyone can explain.
I have extended access lists working fine.
I have a few blocks of IP addresses I want to add to the list and they are not all
consecutive. What I want to do is use the minimum entry to cover each block.
i.e
Say I had several like this 192.168.1.10 to 15 etc etc
> Can someone tell me the command sequence on a Cisco 3500
> switch to set up an ACL?
It's just like a router:
ACCESS-LIST 1 permit x.x.x.x
Then you can apply it to your line interface:
line vty 0 15
access-class 1 in
Message Posted at:
http://www.groupstudy.com/f
Can someone tell me the command sequence on a Cisco 3500 switch to set up an
ACL?
Thanks all.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40350&t=40350
access-group secure2 in
exit
wr
Thanx again,
Anil Gupte
- Original Message -
From: "Tom Petzold"
To: "Anil Gupte" ;
Sent: Friday, February 22, 2002 11:35 AM
Subject: RE: Access Lists are a bit mystifying [7:36164]
> Remember the model OSI model. IP can hav
Not enough customers have asked for that feature yet. :) Was RFC 1149 the
precursor to wireless?
""John Neiberger"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hey, are you ever going to upgrade to RFC 2549 compliance? If you
> haven't already, you're behind the times by
~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~
-Original Message-
From: NetEng [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 12:39 PM
To: [EMAIL PROTECTED]
Subject: simple access-lists question [7:36240]
Why is this simple task beating me
Hey, are you ever going to upgrade to RFC 2549 compliance? If you
haven't already, you're behind the times by about three years! :-)
John
>>> "Steven A. Ridder" 2/22/02 11:43:33 AM
>>>
I believe you need something like
access-list 101 permit tcp any any eq www
you have something that permit
I believe you need something like
access-list 101 permit tcp any any eq www
you have something that permits IP protocol numbers I think. Like 6 is
tcp, 17 is udp, 9 is igrp, etc..
etc...
--
RFC 1149 Compliant.
""NetEng"" wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Why
Why is this simple task beating me?
I have a router with 2eth. that separates my lab from the corporate network.
I would like web/ftp/telnet access from the lab to the world and back. I
created an access list and applied it to my lab's ethernet int. This is the
list. Am I missing something?
acce
Thursday, February 21, 2002 7:59 PM
> To: [EMAIL PROTECTED]
> Subject: Access Lists are a bit mystifying [7:36164]
>
>
> Hi All!
>
> I watch this list occasionally (when I have time). This is my first post
> to this list, so be kind. :p)
>
> In the access list below:
>
gt;
> Thanx for the reply (and the kid gloves). :-)
> Anil Gupte
>
> - Original Message -
> From: "Scott Nawalaniec"
> To: "'Anil Gupte'" ;
> Sent: Thursday, February 21, 2002 10:17 PM
> Subject: RE: Access Lists are a bit mystifying [7:36164]
>
>
21, 2002 10:17 PM
Subject: RE: Access Lists are a bit mystifying [7:36164]
> Hi Anil,
>
> Sometimes it's scary posting to this group. =)
>
> To answer your question,
> if you don't the permit IP any any command, there is an implicit deny rule
> at the end of an ac
deny statements are dropping netbios port 139 and something
that uses port .
Hope this helps.
Scott
-Original Message-
From: Anil Gupte [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 7:59 PM
To: [EMAIL PROTECTED]
Subject: Access Lists are a bit mystifying [7:36164]
Hi Al
Hi All!
I watch this list occasionally (when I have time). This is my first post
to this list, so be kind. :p)
In the access list below:
**
conf t
int ethernet0/0
no ip access-list extended secure2
ip access-list extended secure2
deny tcp any any eq
deny tcp any any eq 139
per
That's one of my favorites as well. It's well written and detailed, and most
importantly concise.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
kevhed
Sent: Friday, February 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Re: Access Lists [7:34023
Tim,
IMHO, you can't go wrong with "Cisco Access Lists" by Gil Held & Kent
Hundley isbn 0072123354. This is one of the few books I keep close by.
Kevin
"Fermanis Tim G Contr USAFE CSS/SCOG" wrote
in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
Tim,
I found that most books are not nearly as good as the Cisco website. On CCO,
I have so far always been able to find much more info than any book can give
me, including configuration examples and various scenarios. Takes a little
more effort, but I am almost convinced that you can much more d
Cisco IOS Access Lists by Jeff Sedayao
Published by O'Reilly
ISBN 1-56592-385-5
HTH
Dom Stocqueler
"Fermanis Tim
G
C
I'm looking to buy a book on Access lists. Any recommendations?
TIA
Tim Fermanis
GCCS System Administrator
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34023&t=34023
with the syntax for the access-lists as it's driving me
mad.
The network is addressed in the wan as follows:
r1 serial 0.0.1 = 110.1.1.1
r2 serial 0/0 = 110.2.2.2
r3 serial 0/0 = 110.3.3.3
r4 serial 0/0 = 110.4.4.4
I have tried the following acls but without success:
access-list 905 permi
EMAIL PROTECTED]
Subject: Access Lists [7:28927]
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
network when they dial in. We do not want everyone to get on the internet
when they dial-in. This is what my access list looks like
access-list 110 permit ip 165.5.0.0 0.0.255.
110 deny ip any any
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
J. Johnson
Sent: Wednesday, December 12, 2001 1:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
network
001 2:24 PM
> To: [EMAIL PROTECTED]
> Subject: Access Lists [7:28927]
>
>
> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
> network when they dial in. We do not want everyone to get on
> the internet
> when they dial-in. This is what my acces
You don't give much info. What addresses are you handing out via your
pool? Where are you applying the access-list?
When I had done something similar a long time ago, employees and
faculty total access, customers limited. Set up two access-lists and
access lists were applied to use
: Wednesday, December 12, 2001 11:24 AM
Subject: Access Lists [7:28927]
> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
> network when they dial in. We do not want everyone to get on the internet
> when they dial-in. This is what my access list looks like
>
>
001 2:24 PM
> To: [EMAIL PROTECTED]
> Subject: Access Lists [7:28927]
>
>
> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
> network when they dial in. We do not want everyone to get on
> the internet
> when they dial-in. This is what my acces
Jill,
How did you apply the list? To what interface? In which direction?
Timothy Estes NA,DA
-Original Message-
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 12, 2001 2:24 PM
To: [EMAIL PROTECTED]
Subject: Access Lists [7:28927]
We have a Cisco 5300 Dial-up
specifying
your internal subnets. Not to insult, but don't forget to apply it to an
interface.
>From: "J. Johnson"
>Reply-To: "J. Johnson"
>To: [EMAIL PROTECTED]
>Subject: Access Lists [7:28927]
>Date: Wed, 12 Dec 2001 14:24:16 -0500
>
>We have a Cisco 5
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
network when they dial in. We do not want everyone to get on the internet
when they dial-in. This is what my access list looks like
access-list 110 permit ip 165.5.0.0 0.0.255.255 any
access-list 110 deny ip any any
Everyo
Are your people dialing in having to go through your company proxy server to
get to the internet? If so, they're probably talking with the proxy server,
which no doubt would have an internal address and be let through by that
access list.
Which interface are you applying this access-list? In wh
: Steve Alston
To:
Sent: Thursday, November 29, 2001 3:59 PM
Subject: Re: PIX conduit & access lists [7:26684]
> Thanks again Allen,
> Does that mean the responses to my outbound requests are allowed in by
> default? For example, my request for a web page is allowed through t
rom: Steve Alston
> To:
> Sent: Wednesday, November 28, 2001 4:08 PM
> Subject: Re: PIX conduit & access lists [7:26684]
>
>
> > Patrick & Allen,
> > Thanks for the responses -- helps loads. I'm still slightly confused.
> >
> > I did a clear condui
mp any any echo-reply
access-group 10 interface outside
(apply one to interface inside for outbound)
Allen
- Original Message -
From: Steve Alston
To:
Sent: Wednesday, November 28, 2001 4:08 PM
Subject: Re: PIX conduit & access lists [7:26684]
> Patrick & Allen,
>
ot, but a firewall always
assumes
> a
> > > deny all at the end of the access-list for inbound. Outbound is
> different
> > > since it allows all by default.
> > >
> >
> > Remember this: Higher security level to lower security level, implicitly
> > allowed. Lo
ay.
Thanks for pointing that out though.
- Original Message -
From: Patrick W. Bass
To:
Sent: Sunday, November 25, 2001 10:14 PM
Subject: Re: PIX conduit & access lists [7:26684]
> ""Allen May"" wrote in message
> news:[EMAIL PROTECTED]...
> > I
this: Higher security level to lower security level, implicitly
allowed. Lower security level to higher security level, implicitly denied.
Otherwise it gets tricky once you start messing with multiple DMZs.
> Also, access-lists are the way to go since conduits will be phased out in
> th
I believe so.
At 10:25 AM 11/19/01 -0500, Steve Alston wrote:
>Carroll,
> Thanks for the reply. I'm using conduits now, but will switch to access
>lists in the future. (I'd like to fully understand the configuration I
>inherited before I start making changes) Are i
Carroll,
Thanks for the reply. I'm using conduits now, but will switch to access
lists in the future. (I'd like to fully understand the configuration I
inherited before I start making changes.) Are implicit denies inserted behind
each conduit as well?
""Carroll Kong
Implicit denies behind every access-list are inserted. Are you
mixing conduits and access-lists? You really should not. Use ALL conduits
or ALL access-lists. If both are used, conduits take priority and override
your access-lists. Access-lists are first match, conduits are any match.
At
Does the PIX 506 require an explicit deny statement after setting up a
permit conduit or access list.
I appear to be receiving more traffic (e.g. NTP) than my conduit statements
allow.
Thanks much,
Steve
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=26684&t=26684
-
;
> 1) Change some of my IP addresses so I can place devices on each side of
the
> router on different subnets (seen from the router's view), and then set it
> up as routing instead of switching.
>
> 2) Add all the MAC addresses to the groups they belong, and then use
> access-l
If you are bridging you can only use a layer 2 access list...
Essentially you'll only be able to block traffic based on MAC addressing...
I think the layer2 access lists start at 700...
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ole Drews J
I am not very lucky with this.
It seems like I have to use a 700's access-list to filter bridged interfaces
on their mac address, but that throws me into a new problem. As far as I can
see, the "time-range" option does not work on 700's access-lists - so I am
back to squarr
ad of switching.
2) Add all the MAC addresses to the groups they belong, and then use
access-lists 700-799 (mac addresses).
Both solutions suck, so I am still looking for an easier 3rd solution.
Ole
~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
iginal Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Bridging and Access-lists [7:24791]
>
>
> Ole,
>
> My thinking on this ...
>
> When your ethernet frame (L2) hi
: [EMAIL PROTECTED]
Subject: RE: Bridging and Access-lists [7:24791]
Ole,
My thinking on this ...
When your ethernet frame (L2) hits the e1 interface the router will bridge
(L2) this to the e0 interface and not route (L3) it. Therefore the IP
access-list (L3) will not be used.
I did some work a couple
way to get
this solution to work.
I have placed a Cisco 2514 on a segment so I can create access-lists to
filter traffic. I want my segment to have the same IP addresses and be on
the same network, so I have assigned the 2514 as a bridge where both
ethernet interfaces have the same IP address, and