
3550 ACL’s ..


Hi,
I have had a similar problem with some 3550 ACL entries. They are working as expected with both extended and basic ACLs on routed interfaces, but I am unable to get extended ACLs to filter with VLAN SVI interfaces. According to the Cisco documentation, configuring an ACL for an SVI should be the same as configuring a routed interface, right?
And since I am finally posting something in this group (though nothing useful or insightful yet), would the monitor of this list (if there is one) please respond to my request to authenticate an alternate email address? Thanks.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of David Mitchell
Sent: Saturday, September 16, 2006 2:42 PM
To: 2nd CCIE; palomoj@sbcglobal.net
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: RE: 3550 ACL’s ..

Try changing the access-list to:

access-list 101 deny icmp host 10.10.16.100 any
access-list 101 permit ip any any

and leaving it applied to the interface.
Your server will still receive the ICMP requests, but any it sends out should be blocked.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of 2nd CCIE
Sent: Saturday, September 16, 2006 3:15 PM
To: palomoj@sbcglobal.net
Cc: security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: 3550 ACL’s ..

OK, I have tried to apply the ACL on the interface VLAN in both directions. I am still able to ping the server. What am I missing?

Joe Palomo wrote:
If you apply the ACL to the VLAN interface then you need to apply the ACL for egress (out) traffic to the server. Ingress (in) would deny ICMP from server segment outbound. HTH.
ccie16430 (Security)
2nd CCIE wrote:
>Folks;
> I have trouble trying to do a simple configuration on the 3550.
> I have a server connected to the 3550 on port f0/11.
>
> All I want to do is to deny the ICMP to this server and allow everything else.
> Although it looks like something easy, it does not work for me.
>
> Here is my configuration:
>
> !
>interface FastEthernet0/11
> switchport access vlan 16
> switchport mode dynamic desirable
> ip access-group 101 in
>!
> !
>access-list 101 deny icmp any host 10.10.16.100
>access-list 101 permit ip any any
>!
>
> With this configuration I can still ping the server from anywhere. I tried to apply the ACL on the interface vlan 16; nothing changed.
>
> If I remove the second entry of the ACL (basically deny everything), it works,
>
> but I need the communication to the server; only the ping I want to disable.
>
> What am I missing here?
>
> Thanks
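An added example, not part of the original thread: a small first-match evaluator run over the two versions of access-list 101 quoted above, showing which leg of a ping each one matches when applied `in` (packets coming from the server) or `out` (packets going toward it). The client address and all function names are constructed for illustration, and the model assumes the traffic actually crosses the interface where the ACL is applied; it covers only the `any` and `host` address forms.

```python
from ipaddress import ip_address, ip_network

SERVER = "10.10.16.100"   # server address from the thread
CLIENT = "192.0.2.10"     # constructed client address (assumption)

ORIGINAL = ["access-list 101 deny icmp any host 10.10.16.100",
            "access-list 101 permit ip any any"]
SUGGESTED = ["access-list 101 deny icmp host 10.10.16.100 any",
             "access-list 101 permit ip any any"]

def parse_ace(line):
    """Parse 'access-list N ACTION PROTO SRC DST' ('any' / 'host A.B.C.D' only)."""
    action, proto, *rest = line.split()[2:]

    def take(tokens):
        if tokens[0] == "any":
            return ip_network("0.0.0.0/0"), tokens[1:]
        if tokens[0] == "host":
            return ip_network(tokens[1] + "/32"), tokens[2:]
        raise ValueError("unsupported address form: " + " ".join(tokens))

    src, rest = take(rest)
    dst, rest = take(rest)
    return action, proto, src, dst

def evaluate(acl_lines, pkt):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, proto, src, dst in map(parse_ace, acl_lines):
        if (proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in src
                and ip_address(pkt["dst"]) in dst):
            return action
    return "deny"

def ping_succeeds(acl_lines, direction):
    """ACL on the server-facing interface: 'in' filters what the server
    sends (the echo reply), 'out' filters what is sent to it (the request)."""
    request = {"proto": "icmp", "src": CLIENT, "dst": SERVER}
    reply = {"proto": "icmp", "src": SERVER, "dst": CLIENT}
    checked = reply if direction == "in" else request
    return evaluate(acl_lines, checked) == "permit"

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for direction in ("in", "out"):
            print(name, direction, "ping succeeds:", ping_succeeds(acl, direction))
```

With the ACL applied `in`, the original entry never matches because the server's address appears as the source, not the destination, of the packets being filtered.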
