On an 827 router the following configuration achieves this:
--------------
access-list 101 deny ip host x.y.z.w any
access-list 101 permit ip any any
interface Dialer1
ip access-group 101 in
ip access-group 101 out
--------------
Various tests show that the IP address is definitely blocked, and "show
access-lists" shows matches against both rules increasing as expected.
But if I try this on a 2924XL:
--------------
access-list 101 deny ip host x.y.z.w any
access-list 101 permit ip any any
interface VLAN 1
ip access-group 101 in
ip access-group 101 out
--------------
All packets are still allowed through. x.y.z.w never gets any denied packets
Here's the results of "show access-lists"
--------------
Switch#show access-lists
Extended IP access list 101
deny ip host 81.3.65.129 any
permit ip any any (1471 matches)
Extended IP access list 199
Dynamic Cluster-NAT permit ip any any
--------------
I've attached the switch's running configuration. I've removed some of the
information, obviously (secret settings and the like ;) ). I've replaced the
switch's IP address with a.b.c.d and the IP I wish to block with x.y.z.w.
This has really got me stumped at the moment - although I'm not exactly a
Cisco guru ;) - so any help would be much appreciated.
Sam
-------------------
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
[SNIP]
!
ip subnet-zero
cluster enable Cluster 0
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface VLAN1
ip address a.b.c.d 255.255.255.0
ip access-group 101 in
ip access-group 101 out
no ip directed-broadcast
ip nat outside
!
ip default-gateway 213.131.167.1
ip nat inside source list 199 interface VLAN1 overload
access-list 101 deny ip host x.y.z.w any
access-list 101 permit ip any any
access-list 199 dynamic Cluster-NAT permit ip any any
[SNIP]
end
"Sam Stickland" <s...@spacething.org> wrote in message
news:JVO69.489$sE1.64905@stones...
If it is layer two only, can I block by MAC address?
"Saint" <kok...@singnet.com.sg> wrote in message
news:ajgg8i$63i$1...@reader02.singnet.com.sg...
S
(PS. Sorry about the personal email before - pressed the wrong button :S)
"karate-kid" <kirk...@ntlworld.com> wrote in message
news:%3P69.1184$tv5....@newsfep1-win.server.ntli.net...
>Hmm.... That would explain it if that switch is only layer 2. But in that
>case how come it responds to all the access-list commands as if it has at
>least some layer 3 functionality? Do IOS commands effectively translate to
>NOPs on hardware that doesn't support them?
>
>If it is layer two only, can I block by MAC address?
By applying the ACL to VLAN1, you are applying it to the management
interface (i.e. the management IP of the switch itself). This does not
affect traffic on any of the ports in that VLAN.
BTW, it is certainly a good idea to apply an ACL to the management
interface to prevent unwanted connection attempts.
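As an added worked example (not code from any poster in this thread), the Python script below models karate-kid's explanation so it can be checked against a running-config paste: it evaluates packets against a numbered extended ACL with IOS first-match semantics, and flags an `ip access-group` on a VLAN interface of a switch whose config has no `ip routing`, since on a Layer-2 switch such as the 2924XL that ACL only sees traffic addressed to or from the switch's own management IP, never traffic switched between its ports. The sample config is constructed, modelled on the one Sam posted, with documentation-range addresses standing in for a.b.c.d and x.y.z.w; the "no `ip routing` means the SVI is only a management address" heuristic is an assumption taken from the thread, not something the script verifies against hardware.

```python
"""ACL scope check for an IOS-style running config (added example, not from the thread).

Evaluates packets against a numbered extended ACL (first match wins) and flags
`ip access-group` on a VLAN interface of a switch with no `ip routing`: on a
Layer-2 switch like the 2924XL that ACL only filters the management address.
"""
import ipaddress

# Constructed sample modelled on the posted config. 192.0.2.10 stands in for a.b.c.d
# and 198.51.100.7 for x.y.z.w (documentation ranges, not real hosts).
SAMPLE_CONFIG = """\
interface VLAN1
 ip address 192.0.2.10 255.255.255.0
 ip access-group 101 in
 ip access-group 101 out
!
ip default-gateway 192.0.2.1
access-list 101 deny ip host 198.51.100.7 any
access-list 101 permit ip any any
access-list 102 permit ip 192.0.2.0 0.0.0.255 any
access-list 199 dynamic Cluster-NAT permit ip any any
"""

def _take_addr(tokens):
    """Pop one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # A wildcard is the bitwise inverse of a netmask; only contiguous
    # wildcards map to a prefix, which is all this helper handles.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for plain 'ip' entries.
    The 'dynamic Cluster-NAT' line in the posted config is not one and is skipped."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue
        rest = t[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def parse_interfaces(config):
    """Return {name: {"ip": ..., "access_groups": [(acl, direction), ...]}}.
    Blocks end at '!' or the next 'interface', so a paste with the indentation
    stripped (as in the thread) parses the same as real IOS output."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"ip": None, "access_groups": []}
        elif line == "!":
            current = None
        elif current and line.startswith("ip address "):
            interfaces[current]["ip"] = line.split()[2]
        elif current and line.startswith("ip access-group "):
            _, _, acl, direction = line.split()
            interfaces[current]["access_groups"].append((acl, direction))
    return interfaces

def check_acl_scope(config):
    """Flag SVI ACLs on a switch that does not route. Assumption taken from the
    thread, not checked against hardware: without 'ip routing' the VLAN interface
    is only the management address, so an ACL there filters management traffic only."""
    routing = any(l.strip() == "ip routing" for l in config.splitlines())
    findings = []
    for name, data in parse_interfaces(config).items():
        if routing or not name.lower().startswith("vlan"):
            continue
        for acl, direction in data["access_groups"]:
            findings.append(f"{name}: access-list {acl} {direction} only filters traffic "
                            f"to/from management IP {data['ip']}; port-to-port traffic "
                            f"in the VLAN is switched unfiltered")
    return findings

if __name__ == "__main__":
    for finding in check_acl_scope(SAMPLE_CONFIG):
        print(finding)
    # Only a packet aimed at the switch itself ever reaches ACL 101.
    print(evaluate(parse_acls(SAMPLE_CONFIG)["101"], "198.51.100.7", "192.0.2.10"))
```

Run it against a saved `show running-config` by reading the file into `check_acl_scope`; the two findings it reports for the sample are exactly the `in` and `out` applications on VLAN1 that Sam expected to filter port traffic. Note the `(1471 matches)` counter in Sam's `show access-lists` output is consistent with this: the only packets reaching ACL 101 were those to or from the switch's own address, all of which hit the `permit ip any any` line.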