09-25-2008 04:50 AM - edited 03-06-2019 01:35 AM
I have come across the following;
mcr-sw_xxxxx_01#sh access-lists
Standard IP access list 5
permit 194.x.x.0, wildcard bits 0.0.0.255 (190202 matches) check=1034
permit 62.x.x.0, wildcard bits 0.0.0.255 (492 matches) check=542
permit 62.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 check=542
permit x.x.8.0, wildcard bits 0.0.0.255 check=542
permit 194.x.x.0, wildcard bits 0.0.0.255 (542 matches)
Standard IP access list 6
deny any
Standard IP access list 7
These look like they are in use, but "sh ip int" does not show them on the VLANs and they obviously are not on the L2 interfaces.
How can I find out where these are applied as they say they have matches? Very confused - help would be appreciated!
PS: the "x" are for security
09-25-2008 05:11 AM
Are they used to restrict management from certain source IP subnets/networks?
Check if they are applied to your TTY lines, SNMP or IP HTTP:
line vty 0 15
access-class 5 in
!
snmp-server community public RO 5
!
ip http access-class 5
If this is an EI-capable 2950 then you can actually apply ACLs to Layer-2 interfaces to allow/deny traffic based on layer-3/4 information. However I don't think the counters work if an ACL is applied like this, hence why I suggested they are used to restrict management.
HTH
Andy
09-25-2008 05:20 AM
Yes, this has something to do with the SNMP traps:
snmp-server engineID local xxx
snmp-server community xxxxxxx RO 6
snmp-server community xxxxxxx RO 5
snmp-server community xxxxxxx RW 5
snmp-server community xxxxxxx RO 7
snmp-server trap-source Vlan999
snmp-server enable traps snmp authentication
snmp-server host 194.x.x.146 xxxxxx snmp
snmp-server host 194.x.x.201 xxxxxx snmp
This is a method I have never come across before. Do you know where I can find some info on this?
The SNMP is managed by our Service Provider.
Thanks Andrew!
09-25-2008 06:22 AM
It's pretty simple really. All you are doing is restricting SNMP access to the switch. For example, the line:
snmp-server community public RO 6
Would only allow devices that fall within the IP ranges that ACL 6 specifies to send SNMP Read-Only requests using the community string of 'public'.
HTH
Andy
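The lookups Andy describes (vty access-class, snmp-server community, ip http access-class, plus the ip access-group case from the other reply), as an added example that is not part of this thread: a small Python script of my own that scans a constructed running-config excerpt and reports every place an ACL number is bound, so an ACL with matches but no interface binding can be traced to its management use. The config text and community-string placeholders are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample "show running-config" excerpt, modelled on the thread.
# Not the original poster's config; community strings are placeholders.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group 5 out
!
snmp-server community PLACEHOLDER_RO RO 6
snmp-server community PLACEHOLDER_RW RW 5
ip http access-class 5
line vty 0 15
 access-class 5 in
 transport input ssh
"""

# Places IOS can bind a standard ACL; group 1 is the ACL number or name.
PATTERNS = [
    ("ip access-group", re.compile(r"^\s*ip access-group (\S+) (?:in|out)\b")),
    ("access-class", re.compile(r"^\s*access-class (\S+) (?:in|out)\b")),
    ("snmp-server community",
     re.compile(r"^\s*snmp-server community \S+ (?:view \S+ )?(?:RO|RW) (\S+)\s*$")),
    ("ip http access-class", re.compile(r"^\s*ip http access-class (\S+)\s*$")),
]

def find_acl_references(config):
    """Map each ACL id to the contexts (interface, line, or global) that reference it."""
    refs = defaultdict(list)
    context = "global"
    for line in config.splitlines():
        if line and not line[0].isspace():
            # A non-indented line opens a new section; only interface/line
            # sections have indented children that can carry ACL bindings.
            context = line.strip() if line.startswith(("interface ", "line ")) else "global"
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if m:
                refs[m.group(1)].append(f"{kind} ({context})")
    return dict(refs)

def unreferenced_acls(acl_ids, config):
    """Return the ACL ids from acl_ids that nothing in config binds."""
    refs = find_acl_references(config)
    return sorted(a for a in acl_ids if a not in refs)
```

Run it against a saved copy of the real running-config; an ACL that still shows matches but appears in neither list was most likely bound earlier and since removed, as counters persist until the ACL is cleared.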
09-25-2008 07:44 AM
I understand. Thanks for all your help Andy.
Carlton.
09-25-2008 05:12 AM
If you do a sh run, you should see something such as "ip access-group 5 out" listed under the configuration for one of the configured vlans.