From: John on 9 Jan 2008 12:07

Hi all:

I have a Cisco 2950 and I'm trying to apply a simple ACL to block pings from outside to our internal network.

Here is the info on the switch:

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 02-Feb-04 23:29 by yenanh
Image text-base: 0x80010000, data-base: 0x8058A000

Here is the ACL:

Extended IP access list 103
    deny icmp any any echo log-input
    permit ip any any

When I tried to apply it, it won't take:

Catalyst2950-External#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Catalyst2950-External(config)#int fa0/5
Catalyst2950-Exter(config-if)#ip access-group ?
% Unrecognized command

Can someone shed some light on this please?

Thank you.
From: Trendkill on 9 Jan 2008 12:58

On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
> Hi all:
>
> I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> pings from outside to our internal network.
>
> Here is the info on the switch:
>
> Cisco Internetwork Operating System Software
> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
> RELEASE SOFTWARE (fc2)
> Copyright (c) 1986-2004 by cisco Systems, Inc.
> Compiled Mon 02-Feb-04 23:29 by yenanh
> Image text-base: 0x80010000, data-base: 0x8058A000
>
> Here is the ACL:
>
> Extended IP access list 103
>     deny icmp any any echo log-input
>     permit ip any any
>
> When I tried to apply it, it won't take:
>
> Catalyst2950-External#conf term
> Enter configuration commands, one per line.  End with CNTL/Z.
> Catalyst2950-External(config)#int fa0/5
> Catalyst2950-Exter(config-if)#ip access-group ?
> % Unrecognized command
>
> Can someone shed some light on this please?
>
> Thank you.

Not absolutely positive, but I would guess that a 2950 presumes that fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only apply an ACL to a vlan interface. Therefore you would have to apply it to the vlan that fa0/5 is in, but be careful as this may block other ports and traffic. Just guessing here....
From: John on 9 Jan 2008 13:00

On Jan 9, 12:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
> On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
> > Hi all:
> >
> > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> > pings from outside to our internal network.
> >
> > Here is the info on the switch:
> >
> > Cisco Internetwork Operating System Software
> > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
> > RELEASE SOFTWARE (fc2)
> > Copyright (c) 1986-2004 by cisco Systems, Inc.
> > Compiled Mon 02-Feb-04 23:29 by yenanh
> > Image text-base: 0x80010000, data-base: 0x8058A000
> >
> > Here is the ACL:
> >
> > Extended IP access list 103
> >     deny icmp any any echo log-input
> >     permit ip any any
> >
> > When I tried to apply it, it won't take:
> >
> > Catalyst2950-External#conf term
> > Enter configuration commands, one per line.  End with CNTL/Z.
> > Catalyst2950-External(config)#int fa0/5
> > Catalyst2950-Exter(config-if)#ip access-group ?
> > % Unrecognized command
> >
> > Can someone shed some light on this please?
> >
> > Thank you.
>
> Not absolutely positive, but I would guess that a 2950 presumes that
> fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
> apply an ACL to a vlan interface. Therefore you would have to apply it to
> the vlan that fa0/5 is in, but be careful as this may block other
> ports and traffic. Just guessing here....

I tend to agree about the vlan info. I was thinking of applying it to vlan1, the default vlan, but I'm nervous about it. Help, Cisco gurus!

-J.
From: Trendkill on 9 Jan 2008 13:03

On Jan 9, 1:00 pm, John <lilgrasshop...(a)gmail.com> wrote:
> On Jan 9, 12:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
> > On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
> > > Hi all:
> > >
> > > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> > > pings from outside to our internal network.
> > >
> > > Here is the info on the switch:
> > >
> > > Cisco Internetwork Operating System Software
> > > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
> > > RELEASE SOFTWARE (fc2)
> > > Copyright (c) 1986-2004 by cisco Systems, Inc.
> > > Compiled Mon 02-Feb-04 23:29 by yenanh
> > > Image text-base: 0x80010000, data-base: 0x8058A000
> > >
> > > Here is the ACL:
> > >
> > > Extended IP access list 103
> > >     deny icmp any any echo log-input
> > >     permit ip any any
> > >
> > > When I tried to apply it, it won't take:
> > >
> > > Catalyst2950-External#conf term
> > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > Catalyst2950-External(config)#int fa0/5
> > > Catalyst2950-Exter(config-if)#ip access-group ?
> > > % Unrecognized command
> > >
> > > Can someone shed some light on this please?
> > >
> > > Thank you.
> >
> > Not absolutely positive, but I would guess that a 2950 presumes that
> > fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
> > apply an ACL to a vlan interface. Therefore you would have to apply it to
> > the vlan that fa0/5 is in, but be careful as this may block other
> > ports and traffic. Just guessing here....
>
> I tend to agree about the vlan info. I was thinking of applying it to
> vlan1, the default vlan, but I'm nervous about it. Help, Cisco gurus!
>
> -J.

Your ACL would only block icmp and allow everything else, which looks fine. My point was that if you only wanted to block vlan 1 traffic going in or out of fa0/5, but you apply the ACL on the VLAN, it would apply to EVERY access port in that vlan. Therefore if you had other icmp that you wanted to allow, this could end up blocking that as well. If fa0/5 is the only port in that vlan that is up, then this is a moot point. Otherwise you may want to revise your ACL to block specific addresses. Just be careful and realize all traffic coming in/out of that VLAN will be impacted if you apply it on the vlan.
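Trendkill's two points above (the list only drops echo and permits everything else; a narrower list can deny echo from specific addresses only), as an added example that is not from the thread: a small Python model of how IOS evaluates an extended ACL against a packet, with first match winning and the implicit deny at the end, run over ACL 103 as posted. The names `parse_ace`, `evaluate` and `Packet` and the addresses are constructed for the example; the model covers matching only and says nothing about where the 2950 will let you attach the list, which is the thread's open question.

```python
import ipaddress
from collections import namedtuple

# Constructed model (not from the thread) of IOS extended-ACL evaluation:
# entries are tried top-down, first match wins, and an unmatched packet
# hits the implicit "deny ip any any" at the end of every list.
ICMP_TYPES = {"echo": 8, "echo-reply": 0}   # the IOS keywords used here
Packet = namedtuple("Packet", "proto src dst icmp_type", defaults=(None,))

def _take_addr(tokens):
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask).
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _match_addr(spec, addr):
    if spec is None:                          # 'any'
        return True
    net, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    mask = 0xFFFFFFFF ^ wildcard              # wildcard bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)

def parse_ace(line):
    """Parse one entry such as 'deny icmp any any echo log-input'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    opts = [t for t in rest if t not in ("log", "log-input")]
    icmp_type = ICMP_TYPES[opts[0]] if proto == "icmp" and opts else None
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "icmp_type": icmp_type, "log": len(opts) != len(rest)}

def evaluate(acl, pkt):
    """Return (decision, matching entry); entry is None on the implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_match_addr(ace["src"], pkt.src) and _match_addr(ace["dst"], pkt.dst)):
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
            continue
        return ace["action"], ace
    return "deny", None

# ACL 103 exactly as posted in the thread.
ACL_103 = [parse_ace("deny icmp any any echo log-input"), parse_ace("permit ip any any")]
```

Feeding an echo request, an echo reply and a TCP packet through `evaluate(ACL_103, ...)` shows that only the echo request is denied (with logging flagged), while an empty list denies everything through the implicit deny.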
From: John on 9 Jan 2008 13:11

On Jan 9, 1:03 pm, Trendkill <jpma...(a)gmail.com> wrote:
> On Jan 9, 1:00 pm, John <lilgrasshop...(a)gmail.com> wrote:
> > On Jan 9, 12:58 pm, Trendkill <jpma...(a)gmail.com> wrote:
> > > On Jan 9, 12:07 pm, John <lilgrasshop...(a)gmail.com> wrote:
> > > > Hi all:
> > > >
> > > > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
> > > > pings from outside to our internal network.
> > > >
> > > > Here is the info on the switch:
> > > >
> > > > Cisco Internetwork Operating System Software
> > > > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
> > > > RELEASE SOFTWARE (fc2)
> > > > Copyright (c) 1986-2004 by cisco Systems, Inc.
> > > > Compiled Mon 02-Feb-04 23:29 by yenanh
> > > > Image text-base: 0x80010000, data-base: 0x8058A000
> > > >
> > > > Here is the ACL:
> > > >
> > > > Extended IP access list 103
> > > >     deny icmp any any echo log-input
> > > >     permit ip any any
> > > >
> > > > When I tried to apply it, it won't take:
> > > >
> > > > Catalyst2950-External#conf term
> > > > Enter configuration commands, one per line.  End with CNTL/Z.
> > > > Catalyst2950-External(config)#int fa0/5
> > > > Catalyst2950-Exter(config-if)#ip access-group ?
> > > > % Unrecognized command
> > > >
> > > > Can someone shed some light on this please?
> > > >
> > > > Thank you.
> > >
> > > Not absolutely positive, but I would guess that a 2950 presumes that
> > > fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
> > > apply an ACL to a vlan interface. Therefore you would have to apply it to
> > > the vlan that fa0/5 is in, but be careful as this may block other
> > > ports and traffic. Just guessing here....
> >
> > I tend to agree about the vlan info. I was thinking of applying it to
> > vlan1, the default vlan, but I'm nervous about it. Help, Cisco gurus!
> >
> > -J.
>
> Your ACL would only block icmp and allow everything else, which looks
> fine. My point was that if you only wanted to block vlan 1 traffic going
> in or out of fa0/5, but you apply the ACL on the VLAN, it would
> apply to EVERY access port in that vlan. Therefore if you had
> other icmp that you wanted to allow, this could end up blocking
> that as well. If fa0/5 is the only port in that vlan that is up, then
> this is a moot point. Otherwise you may want to revise your ACL to block
> specific addresses. Just be careful and realize all traffic coming in/
> out of that VLAN will be impacted if you apply it on the vlan.

What I want to do is prevent a ping flood/attack into our internal network. That is the goal. Our provider told us that they saw massive traffic coming from our network. It is fine to block ALL ping traffic incoming to all the ports in vlan1. Comment? And... thanks.