ACL on L2 2950

Answered Question
Sep 25th, 2008

I have come across the following;


mcr-sw_xxxxx_01#sh access-lists
Standard IP access list 5
permit 194.x.x.0, wildcard bits 0.0.0.255 (190202 matches) check=1034
permit 62.x.x.0, wildcard bits 0.0.0.255 (492 matches) check=542
permit 62.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit x.x.8.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 (542 matches)

Standard IP access list 6
deny any
Standard IP access list 7


These look like they are in use, but "sh ip int" does not show them on the VLANs and they obviously are not on the L2 interfaces.


How can I find out where these are applied, as they say they have matches? Very confused - help would be appreciated!


PS: the "x" are for security.

Correct Answer
andrew.butterworth Thu, 09/25/2008 - 05:11

Are they used to restrict management from certain source IP subnets/networks?

Check if they are applied to your TTY lines, SNMP or IP HTTP:


line vty 0 15
 access-class 5 in
!
snmp-server community public RO 5
!
ip http access-class 5


If this is an EI-capable 2950 then you can actually apply ACLs to Layer-2 interfaces to allow/deny traffic based on Layer-3/4 information. However, I don't think the counters work if an ACL is applied like this, hence why I suggested they are used to restrict management.


HTH


Andy

ccannon88567 Thu, 09/25/2008 - 05:20

Yes - this has something to do with the SNMP traps:


snmp-server engineID local xxx
snmp-server community xxxxxxx RO 6
snmp-server community xxxxxxx RO 5
snmp-server community xxxxxxx RW 5
snmp-server community xxxxxxx RO 7
snmp-server trap-source Vlan999
snmp-server enable traps snmp authentication
snmp-server host 194.x.x.146 xxxxxx snmp
snmp-server host 194.x.x.201 xxxxxx snmp



This is a method I have never come across before. Do you know where I can find some info on this?


The SNMP is managed by our Service Provider.


Thanks Andrew!

andrew.butterworth Thu, 09/25/2008 - 06:22

It's pretty simple really. All you are doing is restricting SNMP access to the switch. For example, the line:


snmp-server community public RO 6


would only allow devices that fall within the IP ranges that ACL 6 specifies to send SNMP read-only requests using the community string 'public'.


HTH


Andy


jon.axe Thu, 09/25/2008 - 05:12

If you do a sh run, you should see something such as "ip access-group 5 out" listed under the configuration for one of the configured vlans.
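An added example, not from anyone in this thread: a small script that answers the original question by walking a running-config for the statements Andy and jon.axe mention (vty access-class, snmp-server community, ip http access-class, ip access-group) and reporting where each numbered standard ACL is attached, plus which ACLs are defined but applied nowhere. The config it parses is constructed, with RFC 5737 documentation addresses in place of the masked octets.

```python
import re
from collections import defaultdict

# Constructed sample running-config (not the poster's); addresses are RFC 5737
# documentation ranges standing in for the masked "x" octets in the thread.
SAMPLE_CONFIG = """\
access-list 5 permit 198.51.100.0 0.0.0.255
access-list 5 permit 203.0.113.0 0.0.0.255
access-list 6 deny   any
access-list 7 permit 192.0.2.0 0.0.0.255
access-list 8 permit 192.0.2.128 0.0.0.127
!
interface Vlan999
 ip access-group 7 out
!
ip http access-class 5
!
snmp-server community public RO 6
snmp-server community secret RW 5
!
line vty 0 15
 access-class 5 in
"""

# IOS statements that attach a numbered standard ACL; group 1 is the ACL number.
ACL_REF_PATTERNS = [
    ("vty access-class", re.compile(r"^\s+access-class (\d+) (?:in|out)$")),
    ("snmp community", re.compile(r"^snmp-server community \S+(?: view \S+)? (?:RO|RW) (\d+)$")),
    ("http access-class", re.compile(r"^ip http access-class (\d+)$")),
    ("interface access-group", re.compile(r"^\s+ip access-group (\d+) (?:in|out)$")),
]
ACL_DEF = re.compile(r"^access-list (\d+) ")

def find_acl_references(config):
    """Map each ACL number to the places it is applied: (kind, enclosing block or line)."""
    refs = defaultdict(list)
    block = None  # current 'line ...' or 'interface ...' section, if inside one
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level statement: starts or ends a section
            block = line if line.startswith(("line ", "interface ")) else None
        for kind, pattern in ACL_REF_PATTERNS:
            match = pattern.match(line)
            if match:
                refs[int(match.group(1))].append((kind, block or line))
    return dict(refs)

def unreferenced_acls(config):
    """ACL numbers defined in the config but attached nowhere (stale, or never applied)."""
    defined = {int(m.group(1)) for m in map(ACL_DEF.match, config.splitlines()) if m}
    return sorted(defined - set(find_acl_references(config)))
```

Run it against the output of `show running-config` saved to a file; an ACL that shows matches in `show access-lists` but appears in neither list is worth a closer look, since the counters on this platform are only reliable for the management-plane attachments.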
