RE: router CPU utilization on access lists? [7:75002]

2003-09-11 Thread [EMAIL PROTECTED]
router CPU utilization on access lists? [7:75002] Priscilla Oppenheimer wrote: > Yes, that's true indeed that access lists don't cause process switching > anymore, so wouldn't show up in IP Input. > Two exceptions that I failed to mention are logging and the side effect of a de

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Howard C. Berkowitz
At 10:08 PM + 9/8/03, Priscilla Oppenheimer wrote: >Maybe a dumb question, but I know you guys can help me. :-) > >How would I know if a router is using excessive CPU on IP access lists? > >What am I looking for when I do a show processes cpu? > >Thanks, > >Priscil

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Marty Adkins
Priscilla Oppenheimer wrote: > Yes, that's true indeed that access lists don't cause process switching > anymore, so wouldn't show up in IP Input. > Two exceptions that I failed to mention are logging and the side effect of a deny. By default, a deny causes the gen

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Priscilla Oppenheimer
M.C. van den Bovenkamp wrote: > > Elijah Savage wrote: > > > I have actually been told by TAC before IP Input, for what it > is worth > > :) > > Not much, anymore :-). It's been a *long* time (IOS 10.x?) > since access > lists were process switched, and

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread M.C. van den Bovenkamp
Elijah Savage wrote: > I have actually been told by TAC before IP Input, for what it is worth > :) Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access lists were process switched, and thus would show up as extra time spent in 'IP Input'.

RE: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Elijah Savage
I have actually been told by TAC before IP Input, for what it is worth :) -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Monday, September 08, 2003 6:09 PM To: [EMAIL PROTECTED] Subject: router CPU utilization on access lists? [7:75002] Maybe a dumb

RE: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Degracia, Alex
Aren't interfaces with access-lists process switched? So I would imagine it would be IP Input but this is rather vague as well. Correct me if I'm wrong. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Tuesday, 9 September 2003 8:09 AM To: [EMAIL PROT

Re: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Marko Milivojevic
> What am I looking for when I do a show processes cpu? I believe it's "IP Input". Marko. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75009&t=75002 -- **Please support GroupStudy by purchasing from the GroupStudy Store:

Re: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Marty Adkins
Priscilla Oppenheimer wrote: > Maybe a dumb question, but I know you guys can help me. :-) > > How would I know if a router is using excessive CPU on IP access lists? > > What am I looking for when I do a show processes cpu? > You can't determine the portion due to

router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Priscilla Oppenheimer
Maybe a dumb question, but I know you guys can help me. :-) How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu? Thanks, Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75002&

RE: class-map, access-lists, access-groups, and policy maps [7:72661]

2003-07-20 Thread Reimer, Fred
ot the named recipient, you are not authorized to use, disclose, distribute, copy, print or rely on this email, and should immediately delete it from your computer. -Original Message- From: Coy, Jason (Jason) [mailto:[EMAIL PROTECTED] Sent: Saturday, July 19, 2003 9:58 PM To: [EMAIL PROTECTED] Subj

class-map, access-lists, access-groups, and policy maps [7:72643]

2003-07-19 Thread Coy, Jason (Jason)
I have been looking for a simple explanation as to how the three relate and their dependencies. Example configuration from a show run: class-map match-all VLAN200 Match access-group 103 Does the above subject all VLAN200 traffic to access group 103? Is that access group associated with the

RE: MLS and access lists [7:66464]

2003-03-31 Thread cebuano
Hi Priscilla, Quoting Multilayer Switching Companion Guide on p. 340... MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected in

RE: MLS and access lists [7:66464]

2003-03-30 Thread Priscilla Oppenheimer
nedy Clark and the other person who cleared that up. (Great to hear from Kennedy, author of one of the best Cisco Press books, Cisco LAN Switching. It's right up there with Doyle's books.) The books say that MLSP flushes the MLS cache when access lists are configured or changed, or the routing

RE: MLS and access lists [7:66464]

2003-03-30 Thread [EMAIL PROTECTED]
it and an MLS flow never get created for that L4 based connection. Hope this helps. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: 30 March 2003 00:10 To: [EMAIL PROTECTED] Subject: MLS and access lists [7:66464] With Multilayer Switching (MLS), how does

RE: MLS and access lists [7:66464]

2003-03-29 Thread Kennedy Clark
finitely knows, because you see different output > with the "show mls" command, but how does it know? Does the > router pass it to the switch in MLSP messages, or is there > something more obvious that I'm missing. > > With some access lists, an enable packet would nev

RE: MLS and access lists [7:66464]

2003-03-29 Thread cebuano
Hi Priscilla, Quoting Multilayer Switching Companion Guide on p. 340... MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected in

MLS and access lists [7:66464]

2003-03-29 Thread Priscilla Oppenheimer
, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the "show mls" command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing. With so

RE: MAC Access Lists - Canonical or NonCanonical [7:64754]

2003-03-10 Thread Troy Leliard
I guess this would depend on the media / interface that you are applying the ACL to? EG for TR, you would use non-canonical, and if applying the address to ethernet interface canonical. Presumably, inbound packets from TR pass "through" any inbound ACL's, then get converted to canonical and passe

MAC Access Lists - Canonical or NonCanonical [7:64754]

2003-03-07 Thread [EMAIL PROTECTED]
Today I read two opposite posts about the MAC address format on MAC access-list. The article on 'http://www.netmasterclass.net/site/lib.php' (article Filtering DLSW) says that one should use non canonical format. The link 'http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/ib

access-lists [7:63520]

2003-02-21 Thread Jason Steig
Hello all. I'm stumped on an access-list that I need to create. What I did was I set up two routers using rip and put loopbacks on one of them and advertised them in rip. I then attempted to build an access-list allowing just these networks to pass into the other router. The router with the loopba

RE: applying PIX access-lists [7:61033]

2003-01-17 Thread Ozan Akdemir
, January 14, 2003 6:59 PM To: [EMAIL PROTECTED] Subject: applying PIX access-lists [7:61033] I am new to PIX and have a simple question. What methods do you (PIX Admins) use to change and apply access-lists. Unlike IOS access-lists it seems you can remove statements from the middle of the list

Re: applying PIX access-lists [7:61033]

2003-01-14 Thread [EMAIL PROTECTED]
plying PIX access-lists [7:61033]

RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
ct: Re: applying PIX access-lists [7:61033] The deny statement is there implicitly but if you put it in as well when you do a show access-list command you will see the statistics of how many times it was "hit" as far as your suggestion goes, it may not work as well if you have over 10

Re: applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
The deny statement is there implicitly but if you put it in as well when you do a show access-list command you will see the statistics of how many times it was "hit" as far as your suggestion goes, it may not work as well if you have over 100 access-lists and you need to put one in le

RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
ere should already be an implicit deny ip any any.. ? Em -Original Message- From: Sam Sneed [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 15 January 2003 3:29 AM To: [EMAIL PROTECTED] Subject: applying PIX access-lists [7:61033] I am new to PIX and have a simple question. What methods d

RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Waters, Kristina
able in 6.2 that might be useful, http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech _note09186a00800d641d.shtml Kris. -Original Message- From: Sam Sneed [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 14, 2003 11:59 AM To: [EMAIL PROTECTED] Subject: applying

applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
I am new to PIX and have a simple question. What methods do you (PIX Admins) use to change and apply access-lists. Unlike IOS access-lists it seems you can remove statements from the middle of the list. When you do this does the change occur immediately or do you have to reapply the access-group

Re: Re: access lists + static routing [7:58543]

2002-12-04 Thread Charlie
t begin a post to the mail list with an URL. > Type a line of text first, then paste the URL. The filters are designed to > look for an URL at the top of the post, to filter out spam. > > BJ > > > ---Original Message--- > From: Charlie > Sent: 12/04/02 10:24 AM &g

Re: Re: access lists + static routing [7:58543]

2002-12-04 Thread B.J. Wilson
PROTECTED] Subject: Re: access lists + static routing [7:58543] > n_guide_chapter09186a00800d9816.html This would be helpful. I found it by searching the key words "configurring access lists". ""Geert Loonbeek"" wrote in message [EMAIL PROTECTED]">news:[

Re: access lists + static routing [7:58543]

2002-12-04 Thread Charlie
n_guide_chapter09186a00800d9816.html This would be helpful. I found it by searching the key words "configurring access lists". ""Geert Loonbeek"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hello > I'm looking for a go

access lists + static routing [7:58543]

2002-12-04 Thread Geert Loonbeek
Hello I'm looking for a good and free of charge study guide on access lists/ static routing. I'd like to take the 640-607 cisco CCNA exam. Is there anybody who has some info on these topics. Thanks Geert Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i

Re: Clearing access lists counters [7:57241]

2002-11-12 Thread Maximus
Worked for me on 12.2(12a): clear ip access-list counters - Original Message - From: "John Tafasi" To: Sent: Tuesday, November 12, 2002 5:22 PM Subject: Re: Clearing access lists counters [7:57241] > I tried this also and it did not work. Here is what I did: > >

Re: Clearing access lists counters [7:57241]

2002-11-12 Thread John Tafasi
I tried this also and it did not work. Here is what I did: R5-2503#clear ip access-list count R5-2503#show access-lists abc Extended IP access list abc Dynamic test permit ip any any permit ip host 10.10.110.16 any (38 matches) (time left 134) permit tcp any host 10.10.110.3 eq

Re: Clearing access lists counters [7:57241]

2002-11-11 Thread Tim Metz
although that should have worked, try clear ip access-list counter as well I just tested this on a 3662 and both commands worked (IOS 12.1) Tim ""John Tafasi"" wrote in message news:20022125.VAA01591@;groupstudy.com... > Can some one tell me how to clear access-list counters? I tried to

Re: Clearing access lists counters [7:57241]

2002-11-11 Thread Curious
restart the router. -- Curious MCSE, CCNP ""John Tafasi"" wrote in message news:20022125.VAA01591@;groupstudy.com... > Can some one tell me how to clear access-list counters? I tried to use the > command "clear access-list counters" but it did not work. Please see the > output of the show c

Clearing access lists counters [7:57241]

2002-11-11 Thread John Tafasi
Can some one tell me how to clear access-list counters? I tried to use the command "clear access-list counters" but it did not work. Please see the output of the show command below. R5-2503#show access-lis abc Extended IP access list abc Dynamic test permit ip any any permit ip any any (

Re: Messing up Access Lists [7:54268]

2002-09-27 Thread CTM CTM
I have 5 subnets: 172.29.10.x/24 in the U.S. 192.168.100.x/24 in the U.S. I would like to eliminate the 192.x.x.x subnet as it is mostly redundant, machines multihomed. 172.29.20.x/24 in Mexico 172.29.30.x/24 in Europe 172.29.40.x/24 in Mexico Europe office has a 1720 router and E1 connection.

Re: Messing up Access Lists [7:54268]

2002-09-26 Thread John Huston
address is not the address of the loopback.) > > > > To use a basketball analogy - a direct pass won't work because > > a blocker is > > in the way. Instead use a bounce pass. > > > > > -Original Message- > > > From: CTM CTM [mailto:[E

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM
p StaticNAT permit 10 > match ip address StaticNAT > set ip next-hop 2.2.2.2 > (Note the address is not the address of the loopback.) > > To use a basketball analogy - a direct pass won't work because > a blocker is > in the way. Instead use a bounce pass. > > > -O

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Daniel Cotts
om: CTM CTM [mailto:[EMAIL PROTECTED]] > Sent: Thursday, September 26, 2002 2:54 PM > To: [EMAIL PROTECTED] > Subject: Messing up Access Lists [7:54268] > > > I've been trying to optimize communications between two > distant routers. So > far I've managed to lock mys

Re: Messing up Access Lists [7:54268]

2002-09-26 Thread Robert Edmonds
keep in mind that > where you place the access list matters (ie if it's an "in" or "out" > access group). > > -Nate > > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Thursday, September 26, 2002 12:54 PM > T

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Nathan Nakao
nal Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 26, 2002 12:54 PM To: [EMAIL PROTECTED] Subject: Messing up Access Lists [7:54268] I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of th

Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM
y the same devices multihomed as 192.168.100.0/24. I realize my NAT is messed up and I'm wrapping my head around the literature pulled from Cisco (led to by links provided by you generous folks). Looks like I also need to look in depth at access lists. I'm taking baby steps but am sl

Re: "expanded range" access lists? [7:53859]

2002-09-22 Thread Chuck's Long Road
""Priscilla Oppenheimer"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Man, I certainly wouldln't want to troubleshoot a problem on a router with > 800 extended IP access lists! I would suggest a redesign. :-) CL: certainly goes a long

Re: "expanded range" access lists? [7:53859]

2002-09-22 Thread Priscilla Oppenheimer
Man, I certainly wouldn't want to troubleshoot a problem on a router with 800 extended IP access lists! I would suggest a redesign. :-) Priscilla Chuck's Long Road wrote: > > ""B.J. Wilson"" wrote in message > [EMAIL PROTECTED]">n

Re: "expanded range" access lists? [7:53859]

2002-09-22 Thread Chuck's Long Road
""B.J. Wilson"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hey Spongebob fans - > > I've noticed a couple of "new" access-list ranges (1300-1999 and CL: works precisely the same way as access-lists 1-99 > 2000-2

"expanded range" access lists? [7:53859]

2002-09-22 Thread B.J. Wilson
Hey Spongebob fans - I've noticed a couple of "new" access-list ranges (1300-1999 and 2000-2699), which may not be all that "new," but they're ones I've never encountered before. After a cursory search on CCO, I can't find any documentation that really explains what they really do. Anyone h

Re: How many committed access rate policies with access-lists [7:45840]

2002-06-05 Thread Hamid
Once in a project, I was using CAR on a 7200 with 5 Fast Ethernet sub-interfaces. I was using various access-lists (all of them were Extended). CAR was limiting both Receiving and Transmitting (SEND) traffic. With No NPEs or additional modules installed, the CPU time went to 40-50% in peak times

How many committed access rate policies with access-lists can [7:45655]

2002-06-03 Thread Cisco Breaker
Hi all, My questions are regarding CAR aka rate-limit. I have used rate-limit with access-list but I never wonder how many policies can I create with access-lists. How many committed access rate policies with access-lists can be applied to an interface? Documentation says 100 policies (can

RE: Help with extended access lists [7:40904]

2002-04-09 Thread Ole Drews Jensen
Paul, You need to understand the wildcard format for access-lists. The best way to do this is to convert your ip addresses to binary. The beginning range address is 192.168.1.10 The ending range address is 192.168.1.15 We can quickly see that the first three octets are the same, so lets

Re: Help with extended access lists [7:40904]

2002-04-09 Thread Richard Botham
Thangavel What a great method - Thank you Richard Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40907&t=40904 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nond

Re: Help with extended access lists [7:40904]

2002-04-09 Thread [EMAIL PROTECTED]
cc: Sent by: Fax to: nobody@groupsSubject: Help with extended access lists [7:40904]

Help with extended access lists [7:40904]

2002-04-09 Thread r Paul
Hello wondered if anyone can explain. I have extended access lists working fine. I have a few blocks of ip address I want to add to list and they are not all consecutive. What I want to do is use the minimum entry to cover each block. i.e Say I had several like this 192.168.1.10 to 15 etc etc

RE: Access Lists for 3500 Switch [7:40350]

2002-04-03 Thread Lomker, Michael
> Can someone tell me the command sequence on a Cisco 3500 > switch to set up an ACL? It's just like a router: ACCESS-LIST 1 permit x.x.x.x Then you can apply it to your line interface: line vty 0 15 access-class 1 in Message Posted at: http://www.groupstudy.com/f

Access Lists for 3500 Switch [7:40350]

2002-04-03 Thread Christian Fredrickson
Can someone tell me the command sequence on a Cisco 3500 switch to set up an ACL? Thanks all. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40350&t=40350 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/

Re: Access Lists are a bit mystifying [7:36164]

2002-02-25 Thread Anil Gupte
access-group secure2 in exit wr Thanx again, Anil Gupte - Original Message - From: "Tom Petzold" To: "Anil Gupte" ; Sent: Friday, February 22, 2002 11:35 AM Subject: RE: Access Lists are a bit mystifying [7:36164] > Remember the model OSI model. IP can hav

Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder
Not enough customers have asked for that feature yet. :) Was RFC 1149 the precursor to wireless? ""John Neiberger"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Hey, are you ever going to upgrade to RFC 2549 compliance? If you > haven't already, you're behind the times by

RE: simple access-lists question [7:36240]

2002-02-22 Thread Ole Drews Jensen
~~~ NEED A JOB ??? http://www.oledrews.com/job ~~~ -Original Message- From: NetEng [mailto:[EMAIL PROTECTED]] Sent: Friday, February 22, 2002 12:39 PM To: [EMAIL PROTECTED] Subject: simple access-lists question [7:36240] Why is this simple task beating me

Re: simple access-lists question [7:36240]

2002-02-22 Thread John Neiberger
Hey, are you ever going to upgrade to RFC 2549 compliance? If you haven't already, you're behind the times by about three years! :-) John >>> "Steven A. Ridder" 2/22/02 11:43:33 AM >>> I believe you need something like access-list 101 permit tcp any any eq www you have something that permit

Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder
I believe you need something like access-list 101 permit tcp any any eq www you have something that permits IP protocol numbers I think. Like 6 is tcp, 17 is udp, 9 is igrp, etc.. etc... -- RFC 1149 Compliant. ""NetEng"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Why

simple access-lists question [7:36240]

2002-02-22 Thread NetEng
Why is this simple task beating me? I have a router with 2eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something? acce

RE: Access Lists are a bit mystifying [7:36164]

2002-02-22 Thread Tom Petzold
Thursday, February 21, 2002 7:59 PM > To: [EMAIL PROTECTED] > Subject: Access Lists are a bit mystifying [7:36164] > > > Hi All! > > I watch this list occasionally (when I have time). This is my first post > to this list, so be kind. :p) > > In the access list below: >

Re: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Annlee Hines
gt; > Thanx for the reply (and the kid gloves). :-) > Anil Gupte > > - Original Message - > From: "Scott Nawalaniec" > To: "'Anil Gupte'" ; > Sent: Thursday, February 21, 2002 10:17 PM > Subject: RE: Access Lists are a bit mystifying [7:36164] > >

Re: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Anil Gupte
21, 2002 10:17 PM Subject: RE: Access Lists are a bit mystifying [7:36164] > Hi Anil, > > Sometimes its scaring posting to this group. =) > > To answer your question, > if you don't the permit IP any any command, there is an implicit deny rule > at the end of an ac

RE: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Scott Nawalaniec
deny statements are dropping netbios port 139 and something that uses port . Hope this helps. Scott -Original Message- From: Anil Gupte [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 21, 2002 7:59 PM To: [EMAIL PROTECTED] Subject: Access Lists are a bit mystifying [7:36164] Hi Al

Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Anil Gupte
Hi All! I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p) In the access list below: ** conf t int ethernet0/0 no ip access-list extended secure2 ip access-list extended secure2 deny tcp any any eq deny tcp any any eq 139 per

RE: Access Lists [7:34023]

2002-02-01 Thread William Gragido
That's one of my favorites as well. It's well written and detailed, and most importantly concise. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of kevhed Sent: Friday, February 01, 2002 10:54 AM To: [EMAIL PROTECTED] Subject: Re: Access Lists [7:34023

Re: Access Lists [7:34023]

2002-02-01 Thread kevhed
Tim, IMHO, you can't go wrong with "Cisco Access Lists" by Gil Held & Kent Hundley isbn 0072123354. This is one of the few books I keep close by. Kevin "Fermanis Tim G Contr USAFE CSS/SCOG" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...

Re: Access Lists [7:34023]

2002-02-01 Thread Georg Pauwen
Tim, I found that most books are not nearly as good as the Cisco website. On CCO, I have so far always been able to find much more info than any book can give me, including configuration examples and various scenarios. Takes a little more effort, but I am almost convinced that you can much more d

Re: Access Lists [7:34023]

2002-02-01 Thread [EMAIL PROTECTED]
Cisco IOS Access Lists by Jeff Sedayao Published by O'Reilly ISBN 1-56592-385-5 HTH Dom Stocqueler "Fermanis Tim G C

Access Lists [7:34023]

2002-02-01 Thread Fermanis Tim G Contr USAFE CSS/SCOG
I'm looking to buy a book on Access lists. Any recommendations? TIA Tim Fermanis GCCS System Administrator Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34023&t=34023 -- FAQ, list archives, and subscripti

Extended ipx access lists [7:31720]

2002-01-12 Thread Richard Botham
with the syntax for the access-lists as it's driving me mad. The network is addressed in the wan as follows: r1 serial 0.0.1 = 110.1.1.1 r2 serial 0/0 = 110.2.2.2 r3 serial 0/0 = 110.3.3.3 r4 serial 0/0 = 110.4.4.4 I have tried the following acls but without success: access-list 905 permi

RE: Access Lists [7:28927]

2001-12-12 Thread Kent Hundley
EMAIL PROTECTED] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like access-list 110 permit ip 165.5.0.0 0.0.255.

RE: Access Lists [7:28927]

2001-12-12 Thread Bill Carter
110 deny ip any any -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of J. Johnson Sent: Wednesday, December 12, 2001 1:24 PM To: [EMAIL PROTECTED] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network

RE: Access Lists [7:28927]

2001-12-12 Thread Logan, Harold
001 2:24 PM > To: [EMAIL PROTECTED] > Subject: Access Lists [7:28927] > > > We have a Cisco 5300 Dial-up. We want to allow everyone to get to our > network when they dial in. We do not want everyone to get on > the internet > when they dial-in. This is what my acces

Re: Access Lists [7:28927]

2001-12-12 Thread MADMAN
You don't give much info. What addresses are you handing out via your pool? Where are you applying the access-list? When I had done something similar long time ago, employees and faculty total access, customers limited. Set up two access-lists and access lists were applied to use

Re: Access Lists [7:28927]

2001-12-12 Thread Godswill HO
: Wednesday, December 12, 2001 11:24 AM Subject: Access Lists [7:28927] > We have a Cisco 5300 Dial-up. We want to allow everyone to get to our > network when they dial in. We do not want everyone to get on the internet > when they dial-in. This is what my access list looks like > >

RE: Access Lists [7:28927]

2001-12-12 Thread Logan, Harold
001 2:24 PM > To: [EMAIL PROTECTED] > Subject: Access Lists [7:28927] > > > We have a Cisco 5300 Dial-up. We want to allow everyone to get to our > network when they dial in. We do not want everyone to get on > the internet > when they dial-in. This is what my acces

RE: Access Lists [7:28927]

2001-12-12 Thread Estes, Timothy R.
Jill, How did you apply the list? To what interface? In which direction? Timothy Estes NA,DA -Original Message- From: J. Johnson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 12, 2001 2:24 PM To: [EMAIL PROTECTED] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up

Re: Access Lists [7:28927]

2001-12-12 Thread Jeff Smith
specifying your internal subnets. Not to insult, but don't forget to apply it to an interface. >From: "J. Johnson" >Reply-To: "J. Johnson" >To: [EMAIL PROTECTED] >Subject: Access Lists [7:28927] >Date: Wed, 12 Dec 2001 14:24:16 -0500 > >We have a Cisco 5

Access Lists [7:28927]

2001-12-12 Thread J. Johnson
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list looks like access-list 110 permit ip 165.5.0.0 0.0.255.255 any access-list 110 deny ip any any Everyo

RE: Access Lists [7:28927]

2001-12-12 Thread Michael Williams
Are your people dialing in having to go through your company proxy server to get to the internet? If so, they're probably talking with the proxy server, which no doubt would have an internal address and be let through by that access list. Which interface are you applying this access-list? In wh

Re: PIX conduit & access lists [7:26684]

2001-12-01 Thread Allen May
: Steve Alston To: Sent: Thursday, November 29, 2001 3:59 PM Subject: Re: PIX conduit & access lists [7:26684] > Thanks again Allen, > Does that mean the responses to my outbound requests are allowed in by > default? For example, my request for a web page is allowed through t

Re: PIX conduit & access lists [7:26684]

2001-11-29 Thread Steve Alston
rom: Steve Alston > To: > Sent: Wednesday, November 28, 2001 4:08 PM > Subject: Re: PIX conduit & access lists [7:26684] > > > > Patrick & Allen, > > Thanks for the responses -- helps loads. I'm still slightly confused. > > > > I did a clear condui

Re: PIX conduit & access lists [7:26684]

2001-11-28 Thread Allen May
mp any any echo-reply access-group 10 interface outside (apply one to interface inside for outbound) Allen - Original Message - From: Steve Alston To: Sent: Wednesday, November 28, 2001 4:08 PM Subject: Re: PIX conduit & access lists [7:26684] > Patrick & Allen, >

Re: PIX conduit & access lists [7:26684]

2001-11-28 Thread Steve Alston
ot, but a firewall always assumes > a > > > deny all at the end of the access-list for inbound. Outbound is > different > > > since it allows all by default. > > > > > > > Remember this: Higher security level to lower security level, implicitly > > allowed. Lo

Re: PIX conduit & access lists [7:26684]

2001-11-26 Thread Allen May
ay. Thanks for pointing that out though. - Original Message - From: Patrick W. Bass To: Sent: Sunday, November 25, 2001 10:14 PM Subject: Re: PIX conduit & access lists [7:26684] > ""Allen May"" wrote in message > news:[EMAIL PROTECTED]... > > I

Re: PIX conduit & access lists [7:26684]

2001-11-25 Thread Patrick W. Bass
this: Higher security level to lower security level, implicitly allowed. Lower security level to higher security level, implicitly denied. Otherwise it gets tricky once you start messing with multiple DMZs. > Also, access-lists are the way to go since conduits will be phased out in > th

Re: PIX conduit & access lists [7:26684]

2001-11-19 Thread Carroll Kong
I believe so. At 10:25 AM 11/19/01 -0500, Steve Alston wrote: >Carroll, > Thanks for the reply. I'm using conduits now, but will switch to access >lists in the future. (I'd like to fully understand the configuration I >inherited before I start making changes) Are i

Re: PIX conduit & access lists [7:26684]

2001-11-19 Thread Steve Alston
Carroll, Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes) Are implicit denys inserted behind each conduit as well? ""Carroll Kong

Re: PIX conduit & access lists [7:26684]

2001-11-19 Thread Carroll Kong
Implicit denys behind every access-list are inserted. Are you mixing conduits and access-lists? You really should not. Use ALL conduits or ALL access-lists. If both are used, conduits take priority and override your access-lists. Access-lists are first match, conduits are any match. At

PIX conduit & access lists [7:26684]

2001-11-19 Thread Steve Alston
Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list. I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow. Thanks much, Steve Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26684&t=26684 -

Re: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ed Horley
; > 1) Change some of my IP addresses so I can place devices on each side of the > router on different subnets (seen from the router's view), and then set it > up as routing instead of switching. > > 2) Add all the MAC addresses to the groups they belong, and then use > access-l

RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Bob Johnson
If you are bridging you can only use a layer 2 access list... Essentially you'll only be able to block traffic based on MAC addressing... I think the layer2 access lists start at 700... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ole Drews J

Access-lists: Time-based and 700's [7:24821]

2001-10-31 Thread Ole Drews Jensen
I am not very lucky with this. It seems like I have to use a 700's access-list to filter bridged interfaces on their mac address, but that throws me into a new problem. As far as I can see, the "time-range" option does not work on 700's access-lists - so I am back to squarr

RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen
ad of switching. 2) Add all the MAC addresses to the groups they belong, and then use access-lists 700-799 (mac addresses). Both solutions suck, so I am still looking for an easier 3rd solution. Ole ~~~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I

Re: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ed Horley
iginal Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, October 31, 2001 10:57 AM > To: [EMAIL PROTECTED] > Subject: RE: Bridging and Access-lists [7:24791] > > > Ole, > > My thinking on this ... > > When your ethernet frame (L2) hi

RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen
: [EMAIL PROTECTED] Subject: RE: Bridging and Access-lists [7:24791] Ole, My thinking on this ... When your ethernet frame (L2) hits the e1 interface the router will bridge (L2) this to the e0 interface and not route (L3) it. Therefore the IP access-list (L3) will not be used. I did some work a couple

Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen
way to get this solution to work. I have placed a Cisco 2514 on a segment so I can create access-lists to filter traffic. I want my segment to have the same IP addresses and be on the same network, so I have assigned the 2514 as a bridge where both ethernet interfaces have the same IP address, and
