RE: router CPU utilization on access lists? [7:75002]

2003-09-11 Thread [EMAIL PROTECTED]
utilization on access lists? [7:75002] Priscilla Oppenheimer wrote: Yes, that's true indeed that access lists don't cause process switching anymore, so wouldn't show up in IP Input. Two exceptions that I failed to mention are logging and the side effect of a deny. By default, a deny causes

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread M.C. van den Bovenkamp
Elijah Savage wrote: I have actually been told by TAC before IP Input, for what it is worth :) Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access lists were process switched, and thus would show up as extra time spent in 'IP Input'. Regards

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Priscilla Oppenheimer
M.C. van den Bovenkamp wrote: Elijah Savage wrote: I have actually been told by TAC before IP Input, for what it is worth :) Not much, anymore :-). It's been a *long* time (IOS 10.x?) since access lists were process switched, and thus would show up as extra time spent in 'IP Input

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Marty Adkins
Priscilla Oppenheimer wrote: Yes, that's true indeed that access lists don't cause process switching anymore, so wouldn't show up in IP Input. Two exceptions that I failed to mention are logging and the side effect of a deny. By default, a deny causes the generation of an ICMP admin

Re: router CPU utilization on access lists? [7:75002]

2003-09-09 Thread Howard C. Berkowitz
At 10:08 PM + 9/8/03, Priscilla Oppenheimer wrote: Maybe a dumb question, but I know you guys can help me. :-) How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu? Thanks, Priscilla This isn't a complete answer

router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Priscilla Oppenheimer
Maybe a dumb question, but I know you guys can help me. :-) How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu? Thanks, Priscilla Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75002t=75002

Re: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Marty Adkins
Priscilla Oppenheimer wrote: Maybe a dumb question, but I know you guys can help me. :-) How would I know if a router is using excessive CPU on IP access lists? What am I looking for when I do a show processes cpu? You can't determine the portion due to ACL processing from any single

Re: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Marko Milivojevic
What am I looking for when I do a show processes cpu? I believe it's IP Input. Marko. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=75009t=75002 -- **Please support GroupStudy by purchasing from the GroupStudy Store:

RE: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Degracia, Alex
Aren't interfaces with access-lists process switched? So I would imagine it would be IP Input but this is rather vague as well. Correct me if I'm wrong. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Tuesday, 9 September 2003 8:09 AM To: [EMAIL PROTECTED

RE: router CPU utilization on access lists? [7:75002]

2003-09-08 Thread Elijah Savage
I have actually been told by TAC before IP Input, for what it is worth :) -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: Monday, September 08, 2003 6:09 PM To: [EMAIL PROTECTED] Subject: router CPU utilization on access lists? [7:75002] Maybe a dumb

RE: class-map, access-lists, access-groups, and policy maps [7:72661]

2003-07-20 Thread Reimer, Fred
, print or rely on this email, and should immediately delete it from your computer. -Original Message- From: Coy, Jason (Jason) [mailto:[EMAIL PROTECTED] Sent: Saturday, July 19, 2003 9:58 PM To: [EMAIL PROTECTED] Subject: class-map, access-lists, access-groups, and policy maps [7:72643] I

class-map, access-lists, access-groups, and policy maps [7:72643]

2003-07-19 Thread Coy, Jason (Jason)
I have been looking for a simple explanation as to how the three relate and their dependencies. Example configuration from a show run: class-map match-all VLAN200 Match access-group 103 Does the above subject all VLAN200 traffic to access group 103? Is that access group associated with

RE: MLS and access lists [7:66464]

2003-03-31 Thread cebuano
Hi Priscilla, Quoting Multilayer Switching Companion Guide on p. 340... MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected

RE: MLS and access lists [7:66464]

2003-03-30 Thread [EMAIL PROTECTED]
it and an MLS flow never get created for that L4 based connection. Hope this helps. -Original Message- From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED] Sent: 30 March 2003 00:10 To: [EMAIL PROTECTED] Subject: MLS and access lists [7:66464] With Multilayer Switching (MLS), how does

RE: MLS and access lists [7:66464]

2003-03-30 Thread Priscilla Oppenheimer
. (Great to hear from Kennedy, author of one of the best Cisco Press books, Cisco LAN Switching. It's right up there with Doyle's books.) The books say that MLSP flushes the MLS cache when access lists are configured or changed, or the routing table changes, but they aren't too clear that on bootup

MLS and access lists [7:66464]

2003-03-29 Thread Priscilla Oppenheimer
, not the switch, according to descriptions of MLS. The switch definitely knows, because you see different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing. With some access lists

RE: MLS and access lists [7:66464]

2003-03-29 Thread cebuano
Hi Priscilla, Quoting Multilayer Switching Companion Guide on p. 340... MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected

RE: MLS and access lists [7:66464]

2003-03-29 Thread Kennedy Clark
different output with the show mls command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing. With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use

RE: MAC Access Lists - Canonical or NonCanonical [7:64754]

2003-03-10 Thread Troy Leliard
I guess this would depend on the media / interface that you are applying the ACL to? EG for TR, you would use non-canonical, and if applying the address to ethernet interface canonical. Presumably, inbound packets from TR pass through any inbound ACL's, then get converted to canonical and passed

MAC Access Lists - Canonical or NonCanonical [7:64754]

2003-03-07 Thread [EMAIL PROTECTED]
Today I read two opposite posts about the MAC address format on MAC access-list. The article on 'http://www.netmasterclass.net/site/lib.php' (article Filtering DLSW) says that one should use non canonical format. The link

access-lists [7:63520]

2003-02-21 Thread Jason Steig
Hello all. I'm stumped on an access-list that I need to create. What I did was I set up two routers using RIP and put loopbacks on one of them and advertised them in RIP. I then attempted to build an access-list allowing just these networks to pass into the other router. The router with the

RE: applying PIX access-lists [7:61033]

2003-01-17 Thread Ozan Akdemir
, January 14, 2003 6:59 PM To: [EMAIL PROTECTED] Subject: applying PIX access-lists [7:61033] I am new to PIX and have a simple question. What methods do you (PIX Admins) use to change and apply access-lists. Unlike IOS access-lists it seems you can remove statements from the middle of the list

applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
I am new to PIX and have a simple question. What methods do you (PIX Admins) use to change and apply access-lists. Unlike IOS access-lists it seems you can remove statements from the middle of the list. When you do this does the change occur immediately or do you have to reapply the access-group

RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Waters, Kristina
be useful, http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech _note09186a00800d641d.shtml Kris. -Original Message- From: Sam Sneed [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 14, 2003 11:59 AM To: [EMAIL PROTECTED] Subject: applying PIX access-lists [7:61033

RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
already be an implicit deny ip any any.. ? Em -Original Message- From: Sam Sneed [mailto:[EMAIL PROTECTED]] Sent: Wednesday, 15 January 2003 3:29 AM To: [EMAIL PROTECTED] Subject: applying PIX access-lists [7:61033] I am new to PIX and have a simple question. What methods do you (PIX

Re: applying PIX access-lists [7:61033]

2003-01-14 Thread Sam Sneed
The deny statement is there implicitly but if you put it in as well when you do a show access-list command you will see the statistics of how many times it was hit. As far as your suggestion goes, it may not work as well if you have over 100 access-lists and you need to put one in let's say 8th

RE: applying PIX access-lists [7:61033]

2003-01-14 Thread Emilia Lambros
access-lists [7:61033] The deny statement is there implicitly but if you put it in as well when you do a show access-list command you will see the statistics of how many times it was hit. As far as your suggestion goes, it may not work as well if you have over 100 access-lists and you need

Re: applying PIX access-lists [7:61033]

2003-01-14 Thread [EMAIL PROTECTED]
access-lists [7:61033] udy.com

Re: access lists + static routing [7:58543]

2002-12-04 Thread Charlie
n_guide_chapter09186a00800d9816.html This would be helpful. I found it by searching the key words configuring access lists. Geert Loonbeek wrote in message news:[EMAIL PROTECTED]... Hello I'm looking for a good and free of charge study guide on access lists/

Re: Re: access lists + static routing [7:58543]

2002-12-04 Thread B.J. Wilson
PROTECTED] Subject: Re: access lists + static routing [7:58543] n_guide_chapter09186a00800d9816.html This would be helpful. I found it by searching the key words configuring access lists. Geert Loonbeek wrote in message news:[EMAIL PROTECTED]... Hello I'm

Re: Re: access lists + static routing [7:58543]

2002-12-04 Thread Charlie
ail list with an URL. Type a line of text first, then paste the URL. The filters are designed to look for an URL at the top of the post, to filter out spam. BJ ---Original Message--- From: Charlie Sent: 12/04/02 10:24 AM To: [EMAIL PROTECTED] Subject: Re: access lists + static routing

Re: Clearing access lists counters [7:57241]

2002-11-12 Thread John Tafasi
I tried this also and it did not work. Here is what I did: R5-2503#clear ip access-list count R5-2503#show access-lists abc Extended IP access list abc Dynamic test permit ip any any permit ip host 10.10.110.16 any (38 matches) (time left 134) permit tcp any host 10.10.110.3 eq

Re: Clearing access lists counters [7:57241]

2002-11-12 Thread Maximus
Worked for me on 12.2(12a): clear ip access-list counters - Original Message - From: John Tafasi To: Sent: Tuesday, November 12, 2002 5:22 PM Subject: Re: Clearing access lists counters [7:57241] I tried this also and it did not work. Here is what I did: R5-2503#clear ip access

Clearing access lists counters [7:57241]

2002-11-11 Thread John Tafasi
Can some one tell me how to clear access-list counters? I tried to use the command clear access-list counters but it did not work. Please see the output of the show command below. R5-2503#show access-lis abc Extended IP access list abc Dynamic test permit ip any any permit ip any any

Re: Clearing access lists counters [7:57241]

2002-11-11 Thread Curious
restart the router. -- Curious MCSE, CCNP John Tafasi wrote in message news:20022125.VAA01591;groupstudy.com... Can some one tell me how to clear access-list counters? I tried to use the command clear access-list counters but it did not work. Please see the output of the show command

Re: Clearing access lists counters [7:57241]

2002-11-11 Thread Tim Metz
although that should have worked, try clear ip access-list counter as well I just tested this on a 3662 and both commands worked (IOS 12.1) Tim John Tafasi wrote in message news:20022125.VAA01591;groupstudy.com... Can some one tell me how to clear access-list counters? I tried to use

Re: Messing up Access Lists [7:54268]

2002-09-27 Thread CTM CTM
I have 5 subnets: 172.29.10.x/24 in the U.S. 192.168.100.x/24 in the U.S. I would like to eliminate the 192.x.x.x subnet as it is mostly redundant, machines multihomed. 172.29.20.x/24 in Mexico 172.29.30.x/24 in Europe 172.29.40.x/24 in Mexico Europe office has a 1720 router and E1 connection.

Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM
devices multihomed as 192.168.100.0/24. I realize my NAT is messed up and I'm wrapping my head around the literature pulled from Cisco (led to by links provided by you generous folks). Looks like I also need to look in depth at access lists. I'm taking baby steps but am slowly making progress

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Nathan Nakao
: Thursday, September 26, 2002 12:54 PM To: [EMAIL PROTECTED] Subject: Messing up Access Lists [7:54268] I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of the far router three times, folks over there are getting weary of my mistakes

Re: Messing up Access Lists [7:54268]

2002-09-26 Thread Robert Edmonds
-Nate -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 26, 2002 12:54 PM To: [EMAIL PROTECTED] Subject: Messing up Access Lists [7:54268] I've been trying to optimize communications between two distant routers. So far I've managed to loc

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Daniel Cotts
PROTECTED]] Sent: Thursday, September 26, 2002 2:54 PM To: [EMAIL PROTECTED] Subject: Messing up Access Lists [7:54268] I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of the far router three times, folks over there are getting

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM
a blocker is in the way. Instead use a bounce pass. -Original Message- From: CTM CTM [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 26, 2002 2:54 PM To: [EMAIL PROTECTED] Subject: Messing up Access Lists [7:54268] I've been trying to optimize communications between

Re: Messing up Access Lists [7:54268]

2002-09-26 Thread John Huston
nce pass. -Original Message- From: CTM CTM [mailto:[EMAIL PROTECTED]] Sent: Thursday, September 26, 2002 2:54 PM To: [EMAIL PROTECTED] Subject: Messing up Access Lists [7:54268] I've been trying to optimize communications between two distant routers. So

expanded range access lists? [7:53859]

2002-09-22 Thread B.J. Wilson
Hey Spongebob fans - I've noticed a couple of new access-list ranges (1300-1999 and 2000-2699), which may not be all that new, but they're ones I've never encountered before. After a cursory search on CCO, I can't find any documentation that really explains what they really do. Anyone have

Re: expanded range access lists? [7:53859]

2002-09-22 Thread Chuck's Long Road
B.J. Wilson wrote in message news:[EMAIL PROTECTED]... Hey Spongebob fans - I've noticed a couple of new access-list ranges (1300-1999 and CL: works precisely the same way as access-lists 1-99 2000-2699), which may not be all that new, but they're ones I'

Re: expanded range access lists? [7:53859]

2002-09-22 Thread Priscilla Oppenheimer
Man, I certainly wouldn't want to troubleshoot a problem on a router with 800 extended IP access lists! I would suggest a redesign. :-) Priscilla Chuck's Long Road wrote: B.J. Wilson wrote in message news:[EMAIL PROTECTED]... Hey Spongebob fans - I've

Re: expanded range access lists? [7:53859]

2002-09-22 Thread Chuck's Long Road
Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]... Man, I certainly wouldn't want to troubleshoot a problem on a router with 800 extended IP access lists! I would suggest a redesign. :-) CL: certainly goes a long way towards explaining the attitudes

Re: How many committed access rate policies with access-lists [7:45840]

2002-06-05 Thread Hamid
Once in a project, I was using CAR on a 7200 with 5 Fast Ethernet sub-interfaces. I was using various access-lists (all of them were Extended). CAR was limiting both receiving and transmitting (SEND) traffic. With no NPEs or additional modules installed, the CPU time went to 40-50% in peak times

How many committed access rate policies with access-lists can [7:45655]

2002-06-03 Thread Cisco Breaker
Hi all, My questions are regarding CAR aka rate-limit. I have used rate-limit with access-lists but I never wondered how many policies I can create with access-lists. How many committed access rate policies with access-lists can be applied to an interface? Documentation says 100 policies (can

Help with extended access lists [7:40904]

2002-04-09 Thread r Paul
Hello wondered if anyone can explain. I have extended access lists working fine. I have a few blocks of ip address I want to add to list and they are not all consecutive. What I want to do is use the minimum entry to cover each block. i.e Say I had several like this 192.168.1.10 to 15 etc etc

Re: Help with extended access lists [7:40904]

2002-04-09 Thread [EMAIL PROTECTED]
: Sent by: Fax to: nobody@groupsSubject: Help with extended access lists [7:40904] tudy.com

Re: Help with extended access lists [7:40904]

2002-04-09 Thread Richard Botham
Thangavel What a great method - Thank you Richard Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40907t=40904 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and

RE: Help with extended access lists [7:40904]

2002-04-09 Thread Ole Drews Jensen
Paul, You need to understand the wildcard format for access-lists. The best way to do this is to convert your ip addresses to binary. The beginning range address is 192.168.1.10 The ending range address is 192.168.1.15 We can quickly see that the first three octets are the same, so lets

Access Lists for 3500 Switch [7:40350]

2002-04-03 Thread Christian Fredrickson
Can someone tell me the command sequence on a Cisco 3500 switch to set up an ACL? Thanks all. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40350t=40350 -- FAQ, list archives, and subscription info:

RE: Access Lists for 3500 Switch [7:40350]

2002-04-03 Thread Lomker, Michael
Can someone tell me the command sequence on a Cisco 3500 switch to set up an ACL? It's just like a router: ACCESS-LIST 1 permit x.x.x.x Then you can apply it to your line interface: line vty 0 15 access-class 1 in Message Posted at:

Re: Access Lists are a bit mystifying [7:36164]

2002-02-25 Thread Anil Gupte
access-group secure2 in exit wr Thanx again, Anil Gupte - Original Message - From: Tom Petzold To: Anil Gupte ; Sent: Friday, February 22, 2002 11:35 AM Subject: RE: Access Lists are a bit mystifying [7:36164] Remember the model OSI model. IP can have multiple higher level

RE: Access Lists are a bit mystifying [7:36164]

2002-02-22 Thread Tom Petzold
the access-list. The other two deny statements are dropping netbios port 139 and something that uses port . Hope this helps. Scott -Original Message- From: Anil Gupte [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 21, 2002 7:59 PM To: [EMAIL PROTECTED] Subject: Access Lists

simple access-lists question [7:36240]

2002-02-22 Thread NetEng
Why is this simple task beating me? I have a router with 2eth. that separates my lab from the corporate network. I would like web/ftp/telnet access from the lab to the world and back. I created an access list and applied it to my lab's ethernet int. This is the list. Am I missing something?

Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder
I believe you need something like access-list 101 permit tcp any any eq www you have something that permits IP protocol numbers I think. Like 6 is tcp, 17 is udp, 9 is igrp, etc.. etc... -- RFC 1149 Compliant. NetEng wrote in message news:[EMAIL PROTECTED]... Why is

Re: simple access-lists question [7:36240]

2002-02-22 Thread John Neiberger
Hey, are you ever going to upgrade to RFC 2549 compliance? If you haven't already, you're behind the times by about three years! :-) John Steven A. Ridder 2/22/02 11:43:33 AM I believe you need something like access-list 101 permit tcp any any eq www you have something that permits IP

RE: simple access-lists question [7:36240]

2002-02-22 Thread Ole Drews Jensen
~~~ NEED A JOB ??? http://www.oledrews.com/job ~~~ -Original Message- From: NetEng [mailto:[EMAIL PROTECTED]] Sent: Friday, February 22, 2002 12:39 PM To: [EMAIL PROTECTED] Subject: simple access-lists question [7:36240] Why is this simple task beating me

Re: simple access-lists question [7:36240]

2002-02-22 Thread Steven A. Ridder
Not enough customers have asked for that feature yet. :) Was RFC 1149 the precursor to wireless? John Neiberger wrote in message news:[EMAIL PROTECTED]... Hey, are you ever going to upgrade to RFC 2549 compliance? If you haven't already, you're behind the times by

Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Anil Gupte
Hi All! I watch this list occasionally (when I have time). This is my first post to this list, so be kind. :p) In the access list below: ** conf t int ethernet0/0 no ip access-list extended secure2 ip access-list extended secure2 deny tcp any any eq deny tcp any any eq 139

RE: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Scott Nawalaniec
statements are dropping netbios port 139 and something that uses port . Hope this helps. Scott -Original Message- From: Anil Gupte [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 21, 2002 7:59 PM To: [EMAIL PROTECTED] Subject: Access Lists are a bit mystifying [7:36164] Hi All! I

Re: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Anil Gupte
: Access Lists are a bit mystifying [7:36164] Hi Anil, Sometimes it's scary posting to this group. =) To answer your question, if you don't the permit IP any any command, there is an implicit deny rule at the end of an access-list, which will drop all traffic that you have not allowed through

Re: Access Lists are a bit mystifying [7:36164]

2002-02-21 Thread Annlee Hines
Message - From: Scott Nawalaniec To: 'Anil Gupte' ; Sent: Thursday, February 21, 2002 10:17 PM Subject: RE: Access Lists are a bit mystifying [7:36164] Hi Anil, Sometimes it's scary posting to this group. =) To answer your question, if you don't the permit IP any any

Access Lists [7:34023]

2002-02-01 Thread Fermanis Tim G Contr USAFE CSS/SCOG
I'm looking to buy a book on Access lists. Any recommendations? TIA Tim Fermanis GCCS System Administrator Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34023t=34023 -- FAQ, list archives, and subscription info: http

Re: Access Lists [7:34023]

2002-02-01 Thread [EMAIL PROTECTED]
Cisco IOS Access Lists by Jeff Sedayao Published by O'Reilly ISBN 1-56592-385-5 HTH Dom Stocqueler Fermanis Tim G Contr USAFE

Re: Access Lists [7:34023]

2002-02-01 Thread Georg Pauwen
Tim, I found that most books are not nearly as good as the Cisco website. On CCO, I have so far always been able to find much more info than any book can give me, including configuration examples and various scenarios. Takes a little more effort, but I am almost convinced that you can much more

Re: Access Lists [7:34023]

2002-02-01 Thread kevhed
Tim, IMHO, you can't go wrong with Cisco Access Lists by Gil Held Kent Hundley isbn 0072123354. This is one of the few books I keep close by. Kevin Fermanis Tim G Contr USAFE CSS/SCOG wrote in message news:[EMAIL PROTECTED]... I'm looking to buy a book on Acce

RE: Access Lists [7:34023]

2002-02-01 Thread William Gragido
That's one of my favorites as well. It's well written and detailed, and most importantly concise. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of kevhed Sent: Friday, February 01, 2002 10:54 AM To: [EMAIL PROTECTED] Subject: Re: Access Lists [7:34023

Extended ipx access lists [7:31720]

2002-01-12 Thread Richard Botham
with the syntax for the access-lists as it's driving me mad. The network is addressed in the wan as follows: r1 serial 0.0.1 = 110.1.1.1 r2 serial 0/0 = 110.2.2.2 r3 serial 0/0 = 110.3.3.3 r4 serial 0/0 = 110.4.4.4 I have tried the following acls but without success: access-list 905 permit any

RE: Access Lists [7:28927]

2001-12-12 Thread Michael Williams
Are your people dialing in having to go through your company proxy server to get to the internet? If so, they're probably talking with the proxy server, which no doubt would have an internal address and be let through by that access list. Which interface are you applying this access-list? In

Access Lists [7:28927]

2001-12-12 Thread J. Johnson
We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list look like access-list 110 permit ip 165.5.0.0 0.0.255.255 any access-list 110 deny ip any any

Re: Access Lists [7:28927]

2001-12-12 Thread Jeff Smith
specifying your internal subnets. Not to insult, but don't forget to apply it to an interface. From: J. Johnson Reply-To: J. Johnson To: [EMAIL PROTECTED] Subject: Access Lists [7:28927] Date: Wed, 12 Dec 2001 14:24:16 -0500 We have a Cisco 5300 Dial-up. We want to allow everyone to get to our

RE: Access Lists [7:28927]

2001-12-12 Thread Estes, Timothy R.
Jill, How did you apply the list? To what interface? In which direction? Timothy Estes NA,DA -Original Message- From: J. Johnson [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 12, 2001 2:24 PM To: [EMAIL PROTECTED] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up

RE: Access Lists [7:28927]

2001-12-12 Thread Logan, Harold
] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list look like access-list 110 permit ip 165.5.0.0 0.0.255.255 any

Re: Access Lists [7:28927]

2001-12-12 Thread Godswill HO
: Wednesday, December 12, 2001 11:24 AM Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list look like access-list 110 permit ip

Re: Access Lists [7:28927]

2001-12-12 Thread MADMAN
You don't give much info. What addresses are you handing out via your pool? Where are you applying the access-list? When I had done something similar long time ago, employees and faculty total access, customers limited. Set up two access-lists and access lists were applied to user via

RE: Access Lists [7:28927]

2001-12-12 Thread Logan, Harold
] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list look like access-list 110 permit ip 165.5.0.0 0.0.255.255 any

RE: Access Lists [7:28927]

2001-12-12 Thread Bill Carter
110 deny ip any any -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of J. Johnson Sent: Wednesday, December 12, 2001 1:24 PM To: [EMAIL PROTECTED] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network

RE: Access Lists [7:28927]

2001-12-12 Thread Kent Hundley
] Subject: Access Lists [7:28927] We have a Cisco 5300 Dial-up. We want to allow everyone to get to our network when they dial in. We do not want everyone to get on the internet when they dial-in. This is what my access list look like access-list 110 permit ip 165.5.0.0 0.0.255.255 any access-list

Re: PIX conduit access lists [7:26684]

2001-12-01 Thread Allen May
: Steve Alston To: Sent: Thursday, November 29, 2001 3:59 PM Subject: Re: PIX conduit access lists [7:26684] Thanks again Allen, Does that mean the responses to my outbound requests are allowed in by default? For example, my request for a web page is allowed through the firewall. Would

Re: PIX conduit access lists [7:26684]

2001-11-29 Thread Steve Alston
attacks. example: access-list 10 permit icmp any any echo-reply access-group 10 interface outside (apply one to interface inside for outbound) Allen - Original Message - From: Steve Alston To: Sent: Wednesday, November 28, 2001 4:08 PM Subject: Re: PIX conduit access lists [7:26684]

Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Steve Alston
st below but meant conduit. ;) *slap self get more coffee*. It still applies but wasn't what I meant to say. Thanks for pointing that out though. - Original Message - From: Patrick W. Bass To: Sent: Sunday, November 25, 2001 10:14 PM Subject: Re: PIX conduit access lists [7:26684]

Re: PIX conduit access lists [7:26684]

2001-11-28 Thread Allen May
echo-reply access-group 10 interface outside (apply one to interface inside for outbound) Allen - Original Message - From: Steve Alston To: Sent: Wednesday, November 28, 2001 4:08 PM Subject: Re: PIX conduit access lists [7:26684] Patrick Allen, Thanks for the responses -- helps

Re: PIX conduit access lists [7:26684]

2001-11-26 Thread Allen May
for pointing that out though. - Original Message - From: Patrick W. Bass To: Sent: Sunday, November 25, 2001 10:14 PM Subject: Re: PIX conduit access lists [7:26684] Allen May wrote in message news:[EMAIL PROTECTED]... I'm not sure if this was answered or not, but a firewall always assumes

Re: PIX conduit access lists [7:26684]

2001-11-25 Thread Patrick W. Bass
level, implicitly allowed. Lower security level to higher security level, implicitly denied. Otherwise it gets tricky once you start messing with multiple DMZs. Also, access-lists are the way to go since conduits will be phased out in the near future. Allen - Original Message - From

PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston
Does the PIX 506 require an explicit deny statement after setting up a permit conduit or access list. I appear to be receiving more traffic (e.g. NTP) than my conduit statements allow. Thanks much, Steve Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26684t=26684

Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong
Implicit denys behind every access-list are inserted. Are you mixing conduits and access-lists? You really should not. Use ALL conduits or ALL access-lists. If both are used, conduits take priority and override your access-lists. Access-lists are first match, conduits are any match

Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Steve Alston
Carroll, Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes) Are implicit denys inserted behind each conduit as well? Carroll Kong wrote in message [EMAIL

Re: PIX conduit access lists [7:26684]

2001-11-19 Thread Carroll Kong
I believe so. At 10:25 AM 11/19/01 -0500, Steve Alston wrote: Carroll, Thanks for the reply. I'm using conduits now, but will switch to access lists in the future. (I'd like to fully understand the configuration I inherited before I start making changes) Are implicit denys inserted behind

Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen
this solution to work. I have placed a Cisco 2514 on a segment so I can create access-lists to filter traffic. I want my segment to have the same IP addresses and be on the same network, so I have assigned the 2514 as a bridge where both ethernet interfaces has the same IP address, and are in the same

RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen
To: [EMAIL PROTECTED] Subject: RE: Bridging and Access-lists [7:24791] Ole, My thinking on this ... When your ethernet frame (L2) hits the e1 interface the router will bridge (L2) this to the e0 interface and not route (L3) it. Therefore the IP access-list (L3) will not be used. I did some work a couple

Re: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ed Horley
ject: RE: Bridging and Access-lists [7:24791] Ole, My thinking on this ... When your ethernet frame (L2) hits the e1 interface the router will bridge (L2) this to the e0 interface and not route (L3) it. Therefore the IP access-list (L3) will not be used. I did some work a couple of y

RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ole Drews Jensen
of switching. 2) Add all the MAC addresses to the groups they belong, and then use access-lists 700-799 (mac addresses). Both solutions sucks, so I am still looking for an easier 3rd solution. Ole ~~~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR

Access-lists: Time-based and 700's [7:24821]

2001-10-31 Thread Ole Drews Jensen
I am not very lucky with this. It seems like I have to use a 700's access-list to filter bridged interfaces on their mac address, but that throws me into a new problem. As far as I can see, the time-range option does not work on 700's access-lists - so I am back to square 1 where I probably

RE: Bridging and Access-lists [7:24791]

2001-10-31 Thread Bob Johnson
If you are bridging you can only use a layer 2 access list... Essentially you'll only be able to block traffic based on MAC addressing... I think the layer2 access lists start at 700... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ole Drews Jensen

Re: Bridging and Access-lists [7:24791]

2001-10-31 Thread Ed Horley
ach side of the router on different subnets (seen from the router's view), and then set it up as routing instead of switching. 2) Add all the MAC addresses to the groups they belong, and then use access-lists 700-799 (mac addresses). Both solutions sucks, so I am still looking for an easier 3rd solutio

PIX subnet access-lists [7:23797]

2001-10-22 Thread John Zei
Does anyone know the access-list command that would allow an entire subnet into an ftp site. Here are some examples of what I've tried: access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host 124.49.114.6 eq ftp access-list acl_out permit tcp host 212.113.2.0 255.255.255.0 host
