Hello ALL,

I recently configured IP standard access lists on a 2950 switch and found some things which were strange for me.

Imagine the 2950 switch with a single vlan (vlan 30) configured on it. Several other switches are connected to the 2950's ports. Several workstations are connected to those other switches and have the following IP settings:

  on switch1: 30.30.30.16 - 31/24
  on switch2: 30.30.30.32 - 47/24
  on switch3: 30.30.30.48 - 63/24

Finally, the 2950 is connected to the router which has IP address 30.30.30.1/24.

In order to tie these IP ranges to particular ports on the 2950 I do the following:

  #conf t
  (config)#access-list 16 permit 30.30.30.16 0.0.0.15
  (config)#int fa0/16
  (config-if)#ip access-group 16 in
  (config-if)#ctrl-z
  ...

Then I try to check whether my access list works correctly. I assign one PC connected to port 16 on the 2950 the IP address 30.30.30.128/24 and ping 30.30.30.1. Then I see that the ping works and the router replies to the ping requests.

Then I rewrite my access list in this way:

  #conf t
  (config)#no access-list 16
  (config)#access-list 16 permit 30.30.30.16 0.0.0.15
  (config)#access-list 16 deny any

After this procedure the access list works as I wanted: it denies packets from 30.30.30.128 and only passes packets from 30.30.30.16 - 31.

Is this normal behavior or not? I am confused because the 2950 manual says that each access list has an implicit deny any statement at the end of the list.

--
Roman Bestuzhev, System Administrator

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
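Added example, not part of the post above and not Cisco code: a small evaluator for IOS standard ACL semantics as the manual documents them (first match wins, implicit deny any at the end), so the two versions of access-list 16 from the post can be checked against candidate source addresses before trusting what a given switch actually enforces. The ACL lines, addresses and function names are constructed for this illustration.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: wildcard bits set to 1 are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard] | host <addr> | any'."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            raise ValueError(f"not a standard ACL line: {line!r}")
        action, spec = parts[2], parts[3:]
        if spec[0] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        elif spec[0] == "host":
            base, wc = spec[1], "0.0.0.0"
        else:
            base = spec[0]
            wc = spec[1] if len(spec) > 1 else "0.0.0.0"  # IOS default wildcard
        entries.append((action, base, wc))
    return entries


def evaluate_standard_acl(acl, src: str) -> str:
    """Entries are tested in order; first match wins; no match means implicit deny."""
    for action, base, wc in acl:
        if wildcard_match(src, base, wc):
            return action
    return "deny"  # the documented implicit 'deny any' at the end of every ACL


def permitted_hosts(acl, network: str):
    """List every host address in `network` that the ACL would permit."""
    net = ipaddress.IPv4Network(network)
    return [str(h) for h in net.hosts() if evaluate_standard_acl(acl, str(h)) == "permit"]


# Constructed: the two versions of access-list 16 from the post.
ACL_NO_EXPLICIT_DENY = parse_acl(["access-list 16 permit 30.30.30.16 0.0.0.15"])
ACL_EXPLICIT_DENY = parse_acl(["access-list 16 permit 30.30.30.16 0.0.0.15",
                               "access-list 16 deny any"])

if __name__ == "__main__":
    for name, acl in (("implicit deny", ACL_NO_EXPLICIT_DENY), ("explicit deny", ACL_EXPLICIT_DENY)):
        print(name, "-> 30.30.30.128:", evaluate_standard_acl(acl, "30.30.30.128"))
    print("permitted in 30.30.30.0/24:", permitted_hosts(ACL_NO_EXPLICIT_DENY, "30.30.30.0/24"))
```

Under the documented semantics both lists deny 30.30.30.128 and permit exactly 30.30.30.16 - 31; if a device passes traffic the evaluator says it should drop, the list as applied on that device (or a platform limitation) is the thing to investigate.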