access-list 100 deny   ip host 172.25.32.1 any
access-list 100 deny   ip host 172.25.33.1 any
access-list 100 deny   ip host 172.25.66.1 any
access-list 100 deny   ip host 172.25.67.1 any
access-list 100 deny   ip host 172.25.98.1 any
access-list 100 deny   ip host 172.25.99.1 any
access-list 100 deny   udp 172.25.32.0 0.0.1.255 host 172.25.1.133 eq bootps

access-list 100 deny   udp 172.25.66.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 deny   udp 172.25.98.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.32.0 0.0.1.255 any
access-list 100 permit ip 172.25.66.0 0.0.1.255 any
access-list 100 permit ip 172.25.98.0 0.0.1.255 any
access-list 100 deny   ip host 172.25.78.1 any
access-list 100 deny   ip host 172.25.77.1 any
access-list 100 deny   udp 172.25.76.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.76.0 0.0.1.255 any
access-list 100 deny   ip host 172.25.130.1 any
access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny   ip 172.25.130.0 0.0.1.255 any

changes

I gave no access-list 100 and I left last 2 lines and pasted in switch 2 there is no problem

when I gave no access-list 100, switch went down

I have removed

access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny   ip 172.25.130.0 0.0.1.255 any

access-list 100 deny   ip host 172.25.32.1 any
access-list 100 deny   ip host 172.25.33.1 any
access-list 100 deny   ip host 172.25.66.1 any
access-list 100 deny   ip host 172.25.67.1 any
access-list 100 deny   ip host 172.25.98.1 any
access-list 100 deny   ip host 172.25.99.1 any
access-list 100 deny   udp 172.25.32.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 deny   udp 172.25.66.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 deny   udp 172.25.98.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.32.0 0.0.1.255 any
access-list 100 permit ip 172.25.66.0 0.0.1.255 any
access-list 100 permit ip 172.25.98.0 0.0.1.255 any
access-list 100 deny   ip host 172.25.78.1 any
access-list 100 deny   ip host 172.25.77.1 any
access-list 100 deny   udp 172.25.76.0 0.0.1.255 host 172.25.1.133 eq bootps
access-list 100 permit ip 172.25.76.0 0.0.1.255 any
access-list 100 deny   ip host 172.25.130.1 any
access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny   ip 172.25.130.0 0.0.1.255 any
changes
I gave no access-list 100 and I left last 2 lines and pasted in switch 2 there is no problem
when I gave no access-list 100, switch went down
I have removed
access-list 100 permit ip 172.25.130.0 0.0.1.255 any
access-list 100 deny   ip 172.25.130.0 0.0.1.255 any

With no access-list 100 you are removing the whole acl 100 from switch configuration and the last 2 line i dont think it will be of use as one for permitting and another for deny, once you have permitted in ip layer ther no need for deny statement afterwards for same source.

and switch went down , you mean to say totally shutdown or out of network reach. I hope it will will out your network genarally from where the traffic is intiated like source.Is there any other acl apart from 100 which says deny network 172.25.130.0. because as soon as u deleted the acl switch has gone down hopefully the traffic from where you were accessing the switch is been blocked or some routing problem for the partucular subnet.

Hope to Help !!

Ganesh.H

This access-list is ment only for wirless ineternet connection. I agree with you it subnet which is in access-list will not work since I gave no access-list, ut entire switch went down. am not able to access other vlan example 172.25.140.0,172.25.6.0 these network is not in this access-list. as you said it should have affected other switch as well. but other switch is working wilth a config, we are using HSRP for VLAN, but that switch was working. I think there is a issue on switch, we had a VLAN creation problem in our one of 4500 supervisor module. I think it would have same think like that I will log a call with cisco and i will update in this forum. many thanks ganesh iyer.

Hi

I think I found a answer. am not sure

"An outbound access list applies the filter conditions after the routing table lookup". (I found this in cisco website)

still not convinced with this answer. because  the  access-list  which I have pasted  before should  afftect that network alone

my understanding  in above statement is if it is outbound network first it will look for routing table and then it will look for access-list. if  that is  the case I am wondering why it is bringing down entire network.

can any help me please

Hi,

Its not a problem but its the way ,, its gonna work all the times..

Have you noticed that when you removed the ACL 100 or watever, the access-list was still applied to the interface.. was it??

If yes, than it will deny any packets using implicit deny at the end, even if the access-list doesnt exist but applied on the interface.

So normal method of configuring ACL is

create ACL

apply on the interface

modify acl directly ( if only lines are added or removed)

if you want to remove ACL from config, remove it first from the interface and then remove from the config. Because it doesnt makes any sense to apply the ACL on the interface first and then create the ACL.

HTH

Hitesh Vinzoda

Pls rate useful posts.