09-25-2008 04:50 AM - edited 03-06-2019 01:35 AM
I have come across the following;
mcr-sw_xxxxx_01#sh access-lists
Standard IP access list 5
permit 194.x.x.0, wildcard bits 0.0.0.255 (190202 matches) check=1034
permit 62.x.x.0, wildcard bits 0.0.0.255 (492 matches) check=542
permit 62.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit x.x.8.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 (542 matches)
Standard IP access list 6
deny any
Standard IP access list 7
These look like they are in use but the "sh ip int" does not show them on the VLANs and they obviously are not on the L2 interfaces.
How can I find out where these are applied as they say they have matches? Very confused - help would be appreciated!
PS: the "x"s are for security.
09-25-2008 05:11 AM
Are they used to restrict management from certain source IP subnets/networks?
Check if they are applied to your TTY lines, SNMP or IP HTTP:
line vty 0 15
access-class 5 in
!
snmp-server community public RO 5
!
ip http access-class 5
If this is an EI-capable 2950 then you can actually apply ACLs to Layer-2 interfaces to allow/deny traffic based on Layer-3/4 information. However, I don't think the counters work if an ACL is applied like this, hence why I suggested they are used to restrict management.
HTH
Andy
09-25-2008 05:20 AM
Yes - this has something to do with the SNMP traps:
snmp-server engineID local xxx
snmp-server community xxxxxxx RO 6
snmp-server community xxxxxxx RO 5
snmp-server community xxxxxxx RW 5
snmp-server community xxxxxxx RO 7
snmp-server trap-source Vlan999
snmp-server enable traps snmp authentication
snmp-server host 194.x.x.146 xxxxxx snmp
snmp-server host 194.x.x.201 xxxxxx snmp
This is a method I have never come across before. Do you know where I can find some info on this?
The SNMP is managed by our Service Provider.
Thanks Andrew!
09-25-2008 06:22 AM
It's pretty simple really. All you are doing is restricting SNMP access to the switch. For example the line:
snmp-server community public RO 6
Would only allow devices that fall within the IP ranges that ACL 6 specifies to send SNMP Read-Only requests using the community string of 'public'.
HTH
Andy
09-25-2008 07:44 AM
I understand. Thanks for all your help Andy.
Carlton.
09-25-2008 05:12 AM
If you do a sh run, you should see something such as "ip access-group 5 out" listed under the configuration for one of the configured vlans.
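Andy's answers above list the places an IOS standard ACL can be applied without showing up under "sh ip int" (line vty access-class, snmp-server community, ip http access-class), and the 05:12 AM reply adds the interface "ip access-group" case. The script below is an added example, not code from the thread or from Cisco: it walks a running-config and reports every reference to each ACL, plus any ACL that is defined but applied nowhere (an empty or unreferenced ACL like "access list 7" above is a sign of stale config that still deserves a look). The config it parses is constructed for the example, with documentation addresses in place of the redacted ones, and the regexes cover only the four application points named in the thread, so an ACL used elsewhere (for example in a route-map or NAT statement) would be reported as unreferenced.

```python
import re
from collections import defaultdict

# Constructed sample running-config for the example (not the poster's switch).
SAMPLE_CONFIG = """\
access-list 5 permit 194.0.2.0 0.0.0.255
access-list 6 deny   any
access-list 7 permit 198.51.100.0 0.0.0.255
access-list 8 permit any
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group 7 out
!
ip http server
ip http access-class 5
!
snmp-server community public RO 6
snmp-server community private RW 5
snmp-server community readonly RO 5
snmp-server community other RO 7
snmp-server trap-source Vlan999
!
line vty 0 4
 access-class 5 in
line vty 5 15
 access-class 6 in
"""

# Top-level commands that open a block whose indented lines can apply an ACL.
INTERFACE_RE = re.compile(r'^interface (\S+)')
LINE_RE = re.compile(r'^line (.+)$')
# Indented sub-commands that apply an ACL inside such a block.
ACCESS_GROUP_RE = re.compile(r'^ ip access-group (\S+) (in|out)')
ACCESS_CLASS_RE = re.compile(r'^ access-class (\S+) (in|out)')
# Top-level commands that apply an ACL directly (the "hidden" cases from the thread).
# The community string itself is deliberately not captured, so the report can be
# pasted into a ticket without leaking it.
SNMP_COMMUNITY_RE = re.compile(r'^snmp-server community \S+ (?:view \S+ )?(RO|RW) (\S+)')
HTTP_ACCESS_CLASS_RE = re.compile(r'^ip http access-class (\S+)')
# Numbered and named ACL definitions.
ACL_DEF_RE = re.compile(r'^(?:access-list (\d+) |ip access-list (?:standard|extended) (\S+))')


def find_acl_references(config):
    """Return {acl: [where it is applied, ...]} in config order."""
    refs = defaultdict(list)
    context = None
    for line in config.splitlines():
        if not line.startswith(' '):
            # Any new top-level command closes the current interface/line block.
            context = None
            if m := INTERFACE_RE.match(line):
                context = 'interface ' + m.group(1)
            elif m := LINE_RE.match(line):
                context = 'line ' + m.group(1)
            elif m := SNMP_COMMUNITY_RE.match(line):
                refs[m.group(2)].append(f'snmp-server community ({m.group(1)})')
            elif m := HTTP_ACCESS_CLASS_RE.match(line):
                refs[m.group(1)].append('ip http access-class')
            continue
        if context is None:
            continue  # indented line of a block we do not track (e.g. an ACL body)
        if m := ACCESS_GROUP_RE.match(line):
            refs[m.group(1)].append(f'{context} ip access-group {m.group(2)}')
        elif m := ACCESS_CLASS_RE.match(line):
            refs[m.group(1)].append(f'{context} access-class {m.group(2)}')
    return dict(refs)


def defined_acls(config):
    """Return the set of ACL names/numbers the config defines."""
    names = set()
    for line in config.splitlines():
        if m := ACL_DEF_RE.match(line):
            names.add(m.group(1) or m.group(2))
    return names


def unreferenced_acls(config):
    """ACLs that are defined but applied at none of the tracked points."""
    return defined_acls(config) - set(find_acl_references(config))


if __name__ == '__main__':
    for acl, places in sorted(find_acl_references(SAMPLE_CONFIG).items()):
        print(f'access-list {acl}:')
        for place in places:
            print(f'  applied at: {place}')
    print('defined but not applied:', sorted(unreferenced_acls(SAMPLE_CONFIG)))
```

Feed it the output of "show running-config" saved to a file; the block-scoping (a non-indented line ends the interface or line block) is what keeps an "access-class" under "line vty 5 15" from being attributed to "line vty 0 4".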