From: Network Blackjack on 9 Jan 2008 16:12

John wrote:
> I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> pings from outside to our internal network.
> When I tried to apply it, it won't take:
>
> Catalyst2950-External#conf term
> Enter configuration commands, one per line. End with CNTL/Z.
> Catalyst2950-External(config)#int fa0/5
> Catalyst2950-Exter(config-if)#ip access-group ?
> % Unrecognized command

Quite sure this only works in the EMI image.
From: John on 9 Jan 2008 16:17

On Jan 9, 3:49 pm, Trendkill <jpma...(a)gmail.com> wrote:
> On Jan 9, 3:52 pm, pk <p...(a)pk.pk> wrote:
> > John wrote:
> > > Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
> > > They connect to port int fa0/5 of the switch. They have some sort of
> > > Metro Ethernet into our building. I configured an IP address for the
> > > vlan1 of the switch and connect computers to other ports. We use their
> > > gateway as the next hop to the Internet.
> >
> > Can't you use a vlan access-map, eg
> >
> > ip access-list extended 103
> > permit icmp any any echo
> >
> > vlan access-map block-ping 10
> > match ip address 103
> > action drop
> >
> > vlan access-map block-ping 20
> > action forward
> >
> > However, I'm not sure this will do the job or work on a 2950, and it's also
> > entirely possible that I did not understand your question (apologies).
>
> Not sure that will work on a 2950 either. 3550 perhaps, definitely
> 3560. Definitely worth a try though.

Worth a try. I might do it on a 2950, not THE 2950 if you know what I mean, to see how it works out.
We do have a 3560 and I was able to apply an access-list like that to an interface.

I need some advice:

I got a call from the provider saying they saw massive traffic coming from our network; as a result, our port was turned into blocking mode.

I went to the office, saw on a floor a bunch of computers generating tons of traffic, unplugged them from the network. Installed a software firewall on those computers, installed Ad-Aware, ran a scan and the traffic died down. I'm thinking of flood control, storm control but not sure how to proceed.

I will cross my fingers for tonight.

Thanks all though!
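The storm control John is considering, as an added example (not configuration posted by anyone in this thread): thresholds go on the user-facing access ports where the infected hosts sat, not on the provider uplink. The port numbers, the 20% thresholds and the trap action are assumptions, and the exact keywords vary by 2950 image, so confirm them with `storm-control ?` on the switch before pasting.

```cisco
! Added example: rate-limit flooding from the hosts behind the switch so a
! repeat of the incident trips the switch, not the provider's port.
! Assumption: fa0/1-4 and fa0/6-24 are user ports, fa0/5 is the provider uplink.
interface range fastEthernet 0/1 - 4 , fastEthernet 0/6 - 24
 ! Suppress broadcast and multicast once it exceeds 20% of port bandwidth
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 ! Raise an SNMP trap when a threshold is hit, so the offending port is
 ! identified instead of the whole site being blocked upstream
 storm-control action trap
!
! Verify the configured thresholds and the current traffic level per port:
! show storm-control broadcast
! show storm-control multicast
```

Keep the uplink (fa0/5) free of these thresholds; a storm-control shutdown or suppression there would cut the whole site off rather than just the misbehaving port.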
From: Trendkill on 9 Jan 2008 16:21

On Jan 9, 4:17 pm, John <lilgrasshop...(a)gmail.com> wrote:
> On Jan 9, 3:49 pm, Trendkill <jpma...(a)gmail.com> wrote:
> > On Jan 9, 3:52 pm, pk <p...(a)pk.pk> wrote:
> > > John wrote:
> > > > Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
> > > > They connect to port int fa0/5 of the switch. They have some sort of
> > > > Metro Ethernet into our building. I configured an IP address for the
> > > > vlan1 of the switch and connect computers to other ports. We use their
> > > > gateway as the next hop to the Internet.
> > >
> > > Can't you use a vlan access-map, eg
> > >
> > > ip access-list extended 103
> > > permit icmp any any echo
> > >
> > > vlan access-map block-ping 10
> > > match ip address 103
> > > action drop
> > >
> > > vlan access-map block-ping 20
> > > action forward
> > >
> > > However, I'm not sure this will do the job or work on a 2950, and it's also
> > > entirely possible that I did not understand your question (apologies).
> >
> > Not sure that will work on a 2950 either. 3550 perhaps, definitely
> > 3560. Definitely worth a try though.
>
> Worth a try. I might do it on a 2950, not THE 2950 if you know what I
> mean, to see how it works out.
> We do have a 3560 and I was able to apply an access-list like that to
> an interface.
>
> I need some advice:
>
> I got a call from the provider saying they saw massive traffic coming
> from our network; as a result, our
> port was turned into blocking mode.
>
> I went to the office, saw on a floor a bunch of computers generating
> tons of traffic, unplugged them from
> the network. Installed a software firewall on those computers,
> installed Ad-Aware, ran a scan and
> the traffic died down. I'm thinking of flood control, storm control
> but not sure how to proceed.
>
> I will cross my fingers for tonight.
>
> Thanks all though!

Sounds like you also need to use NAT. Those machines should not be publicly addressed, and that should protect you from a good deal of external threats. It would also keep most of your traffic internal to your network, unless you get some really bad stuff that 'phones home'. All in all, install a real router, turn up NAT and some good ACLs, and use the switch for layer 2 only. Your 3560 can probably do all of this if you vlan it right (not sure on the NAT piece though), but I would consider the above.
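pk's VLAN access-map, completed with the `vlan filter` line that actually attaches it to a VLAN. This is an added example, not anyone's posted configuration, written for a platform the thread confirms supports VACLs (the 3560); the ACL name and the assumption that hosts and uplink all sit in VLAN 1 are mine.

```cisco
! Added example: complete VACL that drops ICMP echo entering VLAN 1.
! In a VLAN access-map the ACL is a match list: "permit" means
! "this packet matches the entry", not "this packet is allowed".
ip access-list extended ICMP-ECHO
 permit icmp any any echo
!
vlan access-map block-ping 10
 match ip address ICMP-ECHO
 action drop
vlan access-map block-ping 20
 action forward
!
! Nothing is filtered until the map is attached to a VLAN list.
! Assumption: the hosts and the provider uplink are all in VLAN 1.
vlan filter block-ping vlan-list 1
!
! Verify the map and its attachment:
! show vlan access-map block-ping
! show vlan filter
```

A VACL is not directional: this drops echo requests from the internal hosts as well as those arriving from the provider, which is why the thread's alternative of a port ACL on fa0/5 (where the image supports it) is the more precise fit for "block pings from outside".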
From: News on 9 Jan 2008 17:03

http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb64.html

You require a 2950 running enhanced, not standard, to apply to interfaces directly. Otherwise you have to apply to VLANs. Tested on a 2950-24 vs 2950T-24.

John wrote:
> On Jan 9, 12:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
>> On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
>>> Hi all:
>>> I have a Cisco 2950 and I'm trying to apply a simple ACL to block
>>> pings from outside to our internal network.
>>> Here is the info on the switch:
>>> Cisco Internetwork Operating System Software
>>> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
>>> RELEASE SOFTWARE (fc2)
>>> Copyright (c) 1986-2004 by cisco Systems, Inc.
>>> Compiled Mon 02-Feb-04 23:29 by yenanh
>>> Image text-base: 0x80010000, data-base: 0x8058A000
>>> Here is the ACL:
>>> Extended IP access list 103
>>> deny icmp any any echo log-input
>>> permit ip any any
>>> When I tried to apply it, it won't take:
>>> Catalyst2950-External#conf term
>>> Enter configuration commands, one per line. End with CNTL/Z.
>>> Catalyst2950-External(config)#int fa0/5
>>> Catalyst2950-Exter(config-if)#ip access-group ?
>>> % Unrecognized command
>>> Can someone shed some light on this please?
>>> Thank you.
>> Not absolutely positive, but I would guess that a 2950 presumes that
>> fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
>> apply an ACL to a vlan interface. Therefore you would have to apply it to
>> the vlan that fa0/5 is in, but be careful as this may block other
>> ports and traffic. Just guessing here....
>
> I tend to agree about the vlan info. I was thinking of applying it to
> vlan1, the default vlan, but nervous about it. Help Cisco gurus!
>
> -J.