From: John on
On Jan 9, 2:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
> On Jan 9, 2:29 pm, John <lilgrasshop...(a)gmail.com> wrote:
>
> > On Jan 9, 2:18 pm, Trendkill <jpma...(a)gmail.com> wrote:
>
> > > On Jan 9, 2:13 pm, John <lilgrasshop...(a)gmail.com> wrote:
>
> > > > On Jan 9, 1:18 pm, Trendkill <jpma...(a)gmail.com> wrote:
>
> > > > > On Jan 9, 1:11 pm, John <lilgrasshop...(a)gmail.com> wrote:
>
> > > > > > On Jan 9, 1:03 pm, Trendkill <jpma...(a)gmail.com> wrote:
>
> > > > > > > On Jan 9, 1:00 pm, John <lilgrasshop...(a)gmail.com> wrote:
>
> > > > > > > > On Jan 9, 12:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
>
> > > > > > > > > On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
>
> > > > > > > > > > Hi all:
>
> > > > > > > > > > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> > > > > > > > > > pings from outside to our internal network.
>
> > > > > > > > > > Here is the info on the switch:
>
> > > > > > > > > > Cisco Internetwork Operating System Software
> > > > > > > > > > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
> > > > > > > > > > RELEASE SOFTWARE (fc2)
> > > > > > > > > > Copyright (c) 1986-2004 by cisco Systems, Inc.
> > > > > > > > > > Compiled Mon 02-Feb-04 23:29 by yenanh
> > > > > > > > > > Image text-base: 0x80010000, data-base: 0x8058A000
>
> > > > > > > > > > Here is the ACL:
>
> > > > > > > > > > Extended IP access list 103
> > > > > > > > > >     deny icmp any any echo log-input
> > > > > > > > > >     permit ip any any
>
> > > > > > > > > > When I tried to apply it, it won't take:
>
> > > > > > > > > > Catalyst2950-External#conf term
> > > > > > > > > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > > > > > > > > Catalyst2950-External(config)#int fa0/5
> > > > > > > > > > Catalyst2950-Exter(config-if)#ip access-group ?
> > > > > > > > > > % Unrecognized command
>
> > > > > > > > > > Can someone shed some light on this please?
>
> > > > > > > > > > Thank you.
>
> > > > > > > > > Not absolutely positive, but I would guess that a 2950 presumes that
> > > > > > > > > fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
> > > > > > > > > apply an ACL to a vlan interface.  Therefore you would have to apply it to
> > > > > > > > > the vlan that fa0/5 is in, but be careful as this may block other
> > > > > > > > > ports and traffic.  Just guessing here....
>
> > > > > > > > I tend to agree about the vlan info. I was thinking of applying it to
> > > > > > > > vlan1, the default vlan but nervous about it. Help Cisco gurus!
>
> > > > > > > > -J.
>
> > > > > > > Your ACL would only block icmp, and allow everything else, which looks
> > > > > > > fine.  My point was, if you only wanted to block vlan 1 traffic going
> > > > > > > out or in fa0/5, but you apply the ACL on the VLAN, that it would
> > > > > > > apply it to EVERY access-port in that vlan.  Therefore if you had
> > > > > > > other icmp that you wanted to allow, then this could end up blocking
> > > > > > > that as well.  If fa0/5 is the only port in that vlan that is up, then
> > > > > > > this is a moot point.  Else you may want to revise your ACL to block
> > > > > > > specific addresses.  Just be careful and realize all traffic coming in/
> > > > > > > out of that VLAN will be impacted if you apply it on the vlan.
>
> > > > > > What I want to do is prevent a ping flood/attack into our internal
> > > > > > network. That is the goal.
> > > > > > Our provider told us that they saw massive traffic coming from our
> > > > > > network.
> > > > > > It is fine, about blocking ALL ping traffic incoming to all the ports
> > > > > > in the vlan1.
>
> > > > > > Comment?  and...thanks.
>
> > > > > I would recommend putting this on your external router that faces the
> > > > > provider.  If this is your 2950, fine, but if not, I would move it out
> > > > > to your external most layer 3 hop.  This would not restrict any other
> > > > > pings, except those coming in from the internet or provider cloud.
>
> > > > I just applied it to vlan1. When I ping the CAT's IP address, it
> > > > successfully blocked it. However, if I pinged anything connected to
> > > > it, the packets went through with no problem. That's not what I want..
> > > > Oh well.
>
> > > > Thanks.
>
> > > Well if you want to block all pings in your environment period, apply
> > > the ACL to all vlan interfaces.  I thought you just wanted to block
> > > pings to the outside world (ie internet or external networks).  If
> > > that is the case, only place that ACL on the vlan/interface to your
> > > provider.  This will allow pings inside your network, but not to/from
> > > external hosts.  I may have misunderstood your requirements.
>
> > I want to block ALL pings coming from outside to ALL computers
> > inside.
>
> > I applied it to the only vlan I have, vlan1.
>
> > VLAN Name                             Status    Ports
> > ---- -------------------------------- --------- -------------------------------
> > 1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/9, Fa0/10
> >                                                 Fa0/11, Fa0/12, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/20
> >                                                 Fa0/21, Fa0/22, Fa0/23, Fa0/24
> > 1002 fddi-default                     act/unsup
> > 1003 token-ring-default               act/unsup
> > 1004 fddinet-default                  act/unsup
> > 1005 trnet-default                    act/unsup
> >
> > VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
> > ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
> > 1    enet  100001     1500  -      -      -        -    -        0      0
> > 1002 fddi  101002     1500  -      -      -        -    -        0      0
> > 1003 tr    101003     1500  -      -      -        -    -        0      0
> > 1004 fdnet 101004     1500  -      -      -        ieee -        0      0
> > 1005 trnet 101005     1500  -      -      -        ibm  -        0      0
> >
> > Remote SPAN VLANs
> > ------------------------------------------------------------------------------
>
> > It blocked pings from outside to the vlan's ip address but if I pinged
> > a computer connected to say fa0/5, it will get a reply.
>
> That is probably because the packet is coming in on vlan 1, and out of
> vlan 1, so the frame never goes through layer 3 inspection.  Is this
> switch the central router for vlan 1?  If not, what is?  I would still
> recommend putting an ACL on whatever the next hop is towards the
> internet or provider, presuming it is a router or firewall.  Please
> describe how you are connected to the provider w/ equipment and ip
> addressing.

Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
They connect to port int fa0/5 of the switch. They have some sort of
Metro Ethernet into our building. I configured an IP address for the
vlan1 of the switch and connect computers to other ports. We use their
gateway as the next hop to the Internet.

From: Trendkill on
On Jan 9, 3:18 pm, John <lilgrasshop...(a)gmail.com> wrote:
> Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
> They connect to port int fa0/5 of the switch. They have some sort of
> Metro Ethernet into our building. I configured an IP address for the
> vlan1 of the switch and connect computers to other ports. We use their
> gateway as the next hop to the Internet.

And you use the same subnet for all your node IPs as well? So you
don't have vlan 1 going to provider, and vlan 2 for all your nodes?
Hmmm...k. That is probably why the ACL isn't working, as said before,
the switch is not doing anything with the frames coming in if the
nodes are in the same vlan as the switch and the upstream router. I'm
not sure what your options are here without that functionality. I was
figuring the router was yours, or you had multiple vlans, or you were
NATing on your own network which would give you a few ways to block
traffic. Without those, that switch isn't going to be able to do much
filtering. I think those ACLs are for locking down the management
interface or snmp pollers, and not much else.
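The behaviour Trendkill describes above, as an added example that is not part of the thread: a small Python model that parses John's ACL 103 entries (IOS extended-ACL syntax, including wildcard masks and the ICMP type keywords) and applies them the way a Catalyst 2950 would. A router ACL on interface vlan 1 is consulted only for packets addressed to the SVI itself (or routed by it); a frame from the provider port to a PC in the same VLAN is switched at layer 2 and never reaches it. A port ACL applied inbound on fa0/5 would see every frame entering that port, but port ACLs exist only in the 2950 EI software; the C2950-I6Q4L2-M image in the thread is the SI image, which is consistent with the "% Unrecognized command" John got. All IP addresses and the four test cases are constructed for this example.

```python
"""Model of why an ACL on 'interface vlan 1' misses pings to hosts in that VLAN.
Added example, not from the thread; all IP addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ICMP_TYPES = {"echo": 8, "echo-reply": 0}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp", "udp"
    icmp_type: Optional[int] = None
    ingress_port: str = "fa0/5"     # the provider-facing port in the thread

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits are inverted: 0 = must match, 1 = don't care
    # (contiguous wildcards only, which is all a subnet-style ACE needs).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse e.g. 'deny icmp any any echo log-input'; trailing keywords such as
    log-input do not affect matching."""
    tokens = line.split()
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    icmp_type = ICMP_TYPES.get(rest[0]) if tokens[1] == "icmp" and rest else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst,
            "icmp_type": icmp_type}

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if ace["src"] is not None and ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ace["dst"] is not None and ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
            continue
        return ace["action"]
    return "deny"

def switch_2950(pkt, svi_ip, svi_acl=None, port_acls=None):
    """Return (verdict, reason) for a frame arriving on an access port.
    svi_acl:   ACL applied with 'ip access-group ... in' on interface vlan 1.
    port_acls: {port: acl} applied inbound on physical ports (2950 EI only)."""
    port_acls = port_acls or {}
    # A port ACL is consulted for every frame entering that port.
    if pkt.ingress_port in port_acls and evaluate(port_acls[pkt.ingress_port], pkt) == "deny":
        return "drop", f"port ACL on {pkt.ingress_port}"
    # The router ACL on the SVI sees only packets addressed to the SVI (or
    # routed by it). Same-VLAN traffic is switched at layer 2 and never
    # reaches it, which is exactly what John observed.
    if pkt.dst == svi_ip:
        if svi_acl is not None and evaluate(svi_acl, pkt) == "deny":
            return "drop", "router ACL on interface vlan 1"
        return "forward", "delivered to the switch itself"
    return "forward", "layer-2 switched, SVI ACL not consulted"

# John's ACL 103 exactly as posted.
ACL_103 = [parse_ace("deny icmp any any echo log-input"),
           parse_ace("permit ip any any")]
SVI_IP = "192.0.2.1"          # constructed: address on interface vlan 1
INSIDE_HOST = "192.0.2.10"    # constructed: PC on another access port
OUTSIDE = "198.51.100.7"      # constructed: pinger beyond the provider gateway

def demo():
    """The cases that matter in the thread, keyed by name."""
    ping_svi = Packet(OUTSIDE, SVI_IP, "icmp", 8)
    ping_host = Packet(OUTSIDE, INSIDE_HOST, "icmp", 8)
    reply_to_host = Packet(OUTSIDE, INSIDE_HOST, "icmp", 0)
    on_fa05 = {"fa0/5": ACL_103}
    return {
        "svi_acl_ping_switch": switch_2950(ping_svi, SVI_IP, svi_acl=ACL_103),
        "svi_acl_ping_host": switch_2950(ping_host, SVI_IP, svi_acl=ACL_103),
        "port_acl_ping_host": switch_2950(ping_host, SVI_IP, port_acls=on_fa05),
        "port_acl_reply_to_host": switch_2950(reply_to_host, SVI_IP, port_acls=on_fa05),
    }

if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:24} {verdict:8} {why}")
```

Running it reproduces John's result (the SVI ACL drops the ping to the switch's own address but lets the ping to the PC through) and shows what an inbound port ACL on fa0/5 would do instead: echo requests from outside are dropped, while echo replies to inside hosts still pass because ACL 103 only denies type 8. The same reasoning is why the thread keeps pointing at the provider-facing layer 3 hop: filtering has to sit where the traffic is actually inspected.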
From: pk on
John wrote:

> Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
> They connect to port int fa0/5 of the switch. They have some sort of
> Metro Ethernet into our building. I configured an IP address for the
> vlan1 of the switch and connect computers to other ports. We use their
> gateway as the next hop to the Internet.

Can't you use a vlan access-map, eg

ip access-list extended 103
  permit icmp any any echo

vlan access-map block-ping 10
match ip address 103
action drop

vlan access-map block-ping 20
action forward

However, I'm not sure this will do the job or work on a 2950, and it's also
entirely possible that I did not understand your question (apologies).

From: pk on
pk wrote:

> ip access-list extended 103
> permit icmp any any echo
>
> vlan access-map block-ping 10
> match ip address 103
> action drop
>
> vlan access-map block-ping 20
> action forward

Of course, then apply it:

vlan filter block-ping vlan-list 1

From: Trendkill on
On Jan 9, 3:52 pm, pk <p...(a)pk.pk> wrote:
> John wrote:
> > Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
> > They connect to port int fa0/5 of the switch. They have some sort of
> > Metro Ethernet into our building. I configured an IP address for the
> > vlan1 of the switch and connect computers to other ports. We use their
> > gateway as the next hop to the Internet.
>
> Can't you use a vlan access-map, eg
>
> ip access-list extended 103
> permit icmp any any echo
>
> vlan access-map block-ping 10
> match ip address 103
> action drop
>
> vlan access-map block-ping 20
> action forward
>
> However, I'm not sure this will do the job or work on a 2950, and it's also
> entirely possible that I did not understand your question (apologies).

Not sure that will work on a 2950 either. 3550 perhaps, definitely
3560. Definitely worth a try though.