access-list

rmoore
Level 1

I am setting up two Catalyst 3550 switches in a lab to test out. The layout is simple: two switches connected together, with a computer on each switch. I am having problems with my access-lists. What I want to do is to deny all traffic on that port except for the traffic destined for the computer on that switch. The computer is 10.10.10.20. I changed the IP address to 10.10.10.21 and I am still able to ping it and see it through Network Neighborhood. The command I used to set up the access-list was:

access-list 11 permit host 10.10.10.20

I know I am missing something really simple, so if someone could let me know, that would be really helpful.

TIA,

Rawls Moore

14 Replies

efrahim
Level 4

Please post the sh ver and sh run from the switch.

Here is the sh run:

NOCL3#sh ru
Building configuration...

Current configuration : 1955 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NOCL3
!
enable secret 5 $1$dGl2$EcnIc9e7A10V2QL3iJ67l.
enable password xxxxxxxxxxx
!
clock timezone MST -7
ip subnet-zero
no ip finger
mls qos
!
class-map match-any class7
  match access-group 10
!
!
policy-map map7
  class class7
    police 256000 512000 exceed-action drop
    set ip precedence 2
!
!
!
!
!
interface GigabitEthernet0/1
 no ip address
 snmp trap link-status
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/3
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/4
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/5
 switchport access vlan 5
 switchport mode access
 no ip address
 snmp trap link-status
!
interface GigabitEthernet0/6
 switchport access vlan 66
 switchport mode access
 no ip address
 snmp trap link-status
!
interface GigabitEthernet0/7
 no ip address
 snmp trap link-status
 service-policy input map7
!
interface GigabitEthernet0/8
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/9
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/10
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/11
 no ip address
 shutdown
 snmp trap link-status
!
interface GigabitEthernet0/12
 no ip address
 shutdown
 snmp trap link-status
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
!
ip default-gateway 10.10.10.1
ip classless
ip http server
!
access-list 10 permit 10.10.10.20
access-list 10 deny any
snmp-server engineID local 80000009030000087C3CA981
snmp-server community mdellc RO
snmp-server community mtdig RW
snmp-server location Lone Pine Tower
snmp-server contact MDE LLC
!
line con 0
 transport input none
line vty 0 4
 password xxxxxxxxxx
 login
line vty 5 15
 password xxxxxxxxxx
 login
!
end

NOCL3#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(6)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 09-Oct-01 21:46 by devgoyal
Image text-base: 0x00003000, data-base: 0x00617E14

ROM: Bootstrap program is C3550 boot loader

NOCL3 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:c3550-i5q3l2-mz.121-6.EA1/c3550-i5q3l2-mz.121-6.EA1.bin"

cisco WS-C3550-12T (PowerPC) processor (revision A0) with 65526K/8192K bytes of memory.
Processor board ID FAA0551D094
Last reset from warm-reset
Bridging software.
Running Layer2/3 Switching Image
Ethernet-controller 1 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 4 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 7 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 8 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 9 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 10 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 11 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 12 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
12 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:08:7C:3C:A9:80
Motherboard assembly number: 73-5527-11
Power supply part number: NONE
Motherboard serial number: FAA0551JWX7
Power supply serial number: DAB054902CK
Model revision number: A0
Model number: WS-C3550-12T
System serial number: FAA0551D094
Configuration register is 0x10F

This problem is starting to affect business. Could someone let me know what other information I could provide, or any suggestions on what to do?

Thanks,

Rawls

It seems like you are missing the ip access-group command on the interface vlan, as mentioned at this URL:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1219ea1/3550scg/swacl.htm#xtocid17

Plus, you are running an early release of the software, in which case ACLs can cause various problems like reloading the box, etc., so please upgrade to the latest software.

Hope this helps

I followed the instructions but I still get an error. Here is a copy of what I did and the reply:

NOCL3(config)#conf t
NOCL3(config)#int Gi0/7
NOCL3(config-if)#ip access-group 10 in
                 ^
% Invalid input detected at '^' marker.

I then did a "?" and I didn't see this command in the list. Is this a problem with the software because I am at too low a level?

thanks for the help,

rawls

Type in "no switchport" and then apply the "ip access-group 10 in".

efrahim
Level 4

It seems like you are trying to limit the traffic to the same VLAN, like 10.10.10.20 can't access another workstation on the same VLAN.

Are you talking across the VLANs, across the network, or on the same network?

I'm also experiencing the same problems with ACLs. As soon as I have more than 19 ACL statements, the 3550 crashes. Also, I can only have one ACL on the whole 3550, or else it crashes.

Will an upgrade to IOS 12.1(9) solve my woes?

Connie

I want to use the ACL so that when traffic comes into the switch it only goes to the correct port. I don't want to waste any bandwidth with the traffic going to other ports. To test this I have a VLAN set up with two computers. I am then connecting another computer to another port, not in that VLAN, and I am trying to ping either IP address of the computers that are in the VLAN. I don't want any traffic to get across.

ACLs are used for security rather than for controlling bandwidth; the broadcast and multicast traffic will still go to all the ports in the same VLAN.

Anyway, if you want to restrict the users across the VLANs, then you need to apply the access list to the int vlan. In your configuration I don't see any other VLAN interfaces. If you don't have any other VLAN interface and are just using the port as a routed port, use the command "no switchport" and put the IP address on the port.

Please send the port numbers to which the devices are attached, and if the above is not the current config, please post the new config.
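The thread turns on two things the replies leave implicit: an IOS ACL is evaluated top-down with the first matching entry deciding, anything that matches nothing is dropped by the implicit deny, and a numbered standard ACL such as access-list 10 in the posted config only ever looks at the source address. That last point is why a standard ACL cannot express the original goal of "only traffic destined for 10.10.10.20". The following Python is an added example written for this page, not code from the thread or from Cisco. It models only the classification logic (wildcard-mask compare, first match, implicit deny), not where a 3550 applies the list; the ACL 10 entries are taken from the running config above, while ACL number 110, its single extended entry and the two test packets are constructed for illustration.

```python
"""ACL evaluator modelling Cisco IOS first-match semantics (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Entry layout, mirroring the CLI fields:
#   standard:  (action, src, src_wildcard)
#   extended:  (action, src, src_wildcard, dst, dst_wildcard)
AclEntry = Tuple[str, ...]

ANY = ("0.0.0.0", "255.255.255.255")   # wildcard form of the keyword "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (p & care)


def first_match(acl: Sequence[AclEntry], pkt: Packet) -> Optional[int]:
    """Index of the first entry that matches pkt, or None (falls to the implicit deny)."""
    for i, entry in enumerate(acl):
        action, src, src_wc = entry[:3]
        # A standard ACL carries only a source field; its destination is effectively "any".
        dst, dst_wc = entry[3:5] if len(entry) == 5 else ANY
        if wildcard_match(pkt.src, src, src_wc) and wildcard_match(pkt.dst, dst, dst_wc):
            return i
    return None


def evaluate(acl: Sequence[AclEntry], pkt: Packet) -> str:
    """'permit' or 'deny' for pkt; no matching entry means the implicit 'deny any'."""
    i = first_match(acl, pkt)
    return acl[i][0] if i is not None else "deny"


# The standard ACL from the running config posted in this thread:
#   access-list 10 permit 10.10.10.20
#   access-list 10 deny any
STANDARD_ACL_10 = [
    ("permit", "10.10.10.20", "0.0.0.0"),
    ("deny",) + ANY,
]

# Hypothetical extended ACL keyed on the destination instead (the number 110
# is an assumption), equivalent to:
#   access-list 110 permit ip any host 10.10.10.20
EXTENDED_ACL_110 = [
    ("permit",) + ANY + ("10.10.10.20", "0.0.0.0"),
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """(standard-ACL verdict, extended-ACL verdict) for the same packet."""
    return evaluate(STANDARD_ACL_10, pkt), evaluate(EXTENDED_ACL_110, pkt)


if __name__ == "__main__":
    # Constructed test packets between the two lab hosts named in the thread.
    for pkt in (Packet("10.10.10.21", "10.10.10.20"), Packet("10.10.10.20", "10.10.10.21")):
        std, ext = compare(pkt)
        print(f"{pkt.src} -> {pkt.dst}: standard ACL 10 = {std}, extended ACL 110 = {ext}")
```

Applied inbound on the port where the 10.10.10.21 host sits, the standard list denies that host's traffic toward 10.10.10.20 (its source is not .20) while the destination-keyed extended list permits it; the verdicts flip for traffic sourced from .20, which is the opposite of the behaviour the original question was after.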

The help from this thread has helped. The switches are up and working. I just had one last question: can an access-list be linked to just an IP address and not a port, so that the switch looks at the destination of the traffic and then looks at the access-list associated with that IP address?

TIA,

Rawls

An access list has to be applied to an interface, either virtual or physical, to take effect.
