From: Trendkill on 9 Jan 2008 13:18

On Jan 9, 1:11 pm, John <lilgrasshop...(a)gmail.com> wrote:
> On Jan 9, 1:03 pm, Trendkill <jpma...(a)gmail.com> wrote:
> > On Jan 9, 1:00 pm, John <lilgrasshop...(a)gmail.com> wrote:
> > > On Jan 9, 12:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
> > > > On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
> > > > > Hi all:
> > > > >
> > > > > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> > > > > pings from outside to our internal network.
> > > > >
> > > > > Here is the info on the switch:
> > > > >
> > > > > Cisco Internetwork Operating System Software
> > > > > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
> > > > > RELEASE SOFTWARE (fc2)
> > > > > Copyright (c) 1986-2004 by cisco Systems, Inc.
> > > > > Compiled Mon 02-Feb-04 23:29 by yenanh
> > > > > Image text-base: 0x80010000, data-base: 0x8058A000
> > > > >
> > > > > Here is the ACL:
> > > > >
> > > > > Extended IP access list 103
> > > > >     deny icmp any any echo log-input
> > > > >     permit ip any any
> > > > >
> > > > > When I tried to apply it, it won't take:
> > > > >
> > > > > Catalyst2950-External#conf term
> > > > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > > > Catalyst2950-External(config)#int fa0/5
> > > > > Catalyst2950-Exter(config-if)#ip access-group ?
> > > > > % Unrecognized command
> > > > >
> > > > > Can someone shed some light on this please?
> > > > >
> > > > > Thank you.
> > > >
> > > > Not absolutely positive, but I would guess that a 2950 presumes that
> > > > fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
> > > > apply an ACL to a vlan interface. Therefore you would have to apply it
> > > > to the vlan that fa0/5 is in, but be careful as this may block other
> > > > ports and traffic. Just guessing here....
> > >
> > > I tend to agree about the vlan info. I was thinking of applying it to
> > > vlan1, the default vlan, but nervous about it. Help Cisco gurus!
> > >
> > > -J.
> >
> > Your ACL would only block icmp, and allow everything else, which looks
> > fine. My point was, if you only wanted to block vlan 1 traffic going
> > out or in fa0/5, but you apply the ACL on the VLAN, that it would
> > apply it to EVERY access-port in that vlan. Therefore if you had
> > other icmp that you wanted to allow, then this could end up blocking
> > that as well. If fa0/5 is the only port in that vlan that is up, then
> > this is a moot point. Else you may want to revise your ACL to block
> > specific addresses. Just be careful and realize all traffic coming
> > in/out of that VLAN will be impacted if you apply it on the vlan.
>
> What I want to do is prevent a ping flood/attack into our internal
> network. That is the goal.
> Our provider told us that they saw massive traffic coming from our
> network.
> It is fine, about blocking ALL ping traffic incoming to all the ports
> in the vlan1.
>
> Comment? and...thanks.

I would recommend putting this on your external router that faces the
provider. If this is your 2950, fine, but if not, I would move it out
to your external-most layer 3 hop. This would not restrict any other
pings, except those coming in from the internet or provider cloud.
From: John on 9 Jan 2008 14:13

On Jan 9, 1:18 pm, Trendkill <jpma...(a)gmail.com> wrote:
> I would recommend putting this on your external router that faces the
> provider. If this is your 2950, fine, but if not, I would move it out
> to your external-most layer 3 hop. This would not restrict any other
> pings, except those coming in from the internet or provider cloud.

I just applied it to vlan1. When I ping the CAT's IP address, it
successfully blocked it. However, if I pinged anything connected to
it, the packets went through with no problem. That's not what I want.
Oh well.

Thanks.
From: Trendkill on 9 Jan 2008 14:18

On Jan 9, 2:13 pm, John <lilgrasshop...(a)gmail.com> wrote:
> I just applied it to vlan1. When I ping the CAT's IP address, it
> successfully blocked it. However, if I pinged anything connected to
> it, the packets went through with no problem. That's not what I want.
> Oh well.
>
> Thanks.

Well, if you want to block all pings in your environment period, apply
the ACL to all vlan interfaces. I thought you just wanted to block
pings to the outside world (i.e. internet or external networks). If
that is the case, only place that ACL on the vlan/interface to your
provider. This will allow pings inside your network, but not to/from
external hosts. I may have misunderstood your requirements.
From: John on 9 Jan 2008 14:29

On Jan 9, 2:18 pm, Trendkill <jpma...(a)gmail.com> wrote:
> Well, if you want to block all pings in your environment period, apply
> the ACL to all vlan interfaces. I thought you just wanted to block
> pings to the outside world (i.e. internet or external networks). If
> that is the case, only place that ACL on the vlan/interface to your
> provider. This will allow pings inside your network, but not to/from
> external hosts. I may have misunderstood your requirements.

I want to block ALL pings coming from outside to ALL computers
inside.

I applied it to the only vlan I have, vlan1.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

It blocked pings from outside to the vlan's ip address, but if I pinged
a computer connected to, say, fa0/5, it will get a reply.
From: Trendkill on 9 Jan 2008 14:58

On Jan 9, 2:29 pm, John <lilgrasshop...(a)gmail.com> wrote:
> I want to block ALL pings coming from outside to ALL computers
> inside.
>
> I applied it to the only vlan I have, vlan1.
>
> [...]
>
> It blocked pings from outside to the vlan's ip address, but if I pinged
> a computer connected to, say, fa0/5, it will get a reply.

That is probably because the packet is coming in on vlan 1, and out of
vlan 1, so the frame never goes through layer 3 inspection. Is this
switch the central router for vlan 1? If not, what is? I would still
recommend putting an ACL on whatever the next hop is towards the
internet or provider, presuming it is a router or firewall. Please
describe how you are connected to the provider w/ equipment and ip
addressing.
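Pulling the thread's advice together as an added example (an editor's illustration, not configuration posted by anyone in the thread): the same two-line ACL placed where it actually filters transit traffic, the provider-facing interface of the outermost Layer 3 hop, shown next to the SVI placement on the Layer 2 2950 that, as the poster found, only guarded the switch's own address. The edge router, its interface name and the addresses are assumptions made for the illustration. Because the provider reported traffic coming from this network rather than into it, the example also logs echo requests leaving the site, which an inbound-only deny would never reveal, so the internal host doing the flooding can be found.

```cisco
! Added example: where the thread's ACL is effective. Names and addresses assumed.
!
! --- Placement that did NOT filter transit traffic: SVI on the Layer 2 Catalyst 2950 ---
! Interface Vlan1 is only the switch's management address. Frames bridged between
! access ports in VLAN 1 never pass through an ACL bound here, which is why hosts
! behind fa0/5 kept answering pings while the switch's own IP stopped answering.
!
! interface Vlan1
!  ip access-group 103 in
!
! --- Placement recommended in the thread: the outermost Layer 3 hop ---
! Hypothetical edge router facing the provider (hostname, interface and
! 203.0.113.0/30 addressing are assumptions, not taken from the thread).
!
! Inbound from the provider: drop unsolicited echo requests aimed at the inside,
! record source address, ingress interface and source MAC, and allow everything
! else. Same intent as the poster's numbered list 103.
ip access-list extended PROVIDER-IN
 remark Block ping floods arriving from the provider cloud
 deny   icmp any any echo log-input
 permit ip any any
!
! Outbound toward the provider: the provider complained about traffic leaving
! this network, so echo requests going out are permitted (inside users can still
! ping) but logged. The log-input entries name the internal host that is flooding.
ip access-list extended PROVIDER-OUT
 remark Log echo requests leaving the site to locate the internal source
 permit icmp any any echo log-input
 permit ip any any
!
interface FastEthernet0/0
 description Uplink to provider (assumed interface)
 ip address 203.0.113.2 255.255.255.252
 ip access-group PROVIDER-IN in
 ip access-group PROVIDER-OUT out
!
! A flood that matches a log-input entry can bury the router's CPU in syslog work;
! cap the number of log messages generated per second.
logging rate-limit 10
!
! Verification after applying:
!   show ip interface FastEthernet0/0 | include access list
!   show access-lists PROVIDER-IN
!   show access-lists PROVIDER-OUT
```

Once this is in place, the match counter on the deny entry of PROVIDER-IN should climb during an inbound flood while a ping from an inside host to an outside address still succeeds (the reply is an echo-reply, not an echo, so it passes the inbound deny). The log-input records from PROVIDER-OUT, which carry the source address plus the ingress interface and MAC, are what to hand the provider and what to use to find an infected inside machine; a blanket deny on the 2950's SVI gives neither.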