[c-nsp] Cisco 2950T-24 ACLs question.
Frank Bulk
frnkblk at iname.com
Mon Oct 9 21:30:23 EDT 2006
I have a lowly Cisco 2950T with the enhanced image in place at the edge of a
BWA network and recently implemented some ACLs on the FastEthernet
interfaces to block some rogue traffic originating from some infected
subscribers.
I first forgot about DHCP, but once I put in the second-last line that
traffic passed through.
Two questions:
a) Does the "access-list 100 permit ip 0.0.0.0 0.0.255.255 any" possibly
permit more than just DHCP requests? With 'ip route' the 0.0.0.0 describes
a global catch-all, and so I'm wondering if I'm blocking anything at all
now.
b) Is there a way to add blocking of UDP ports 137, 139, 445, etc without
generating that annoying "%Error:The field sets of all the ACEs in an ACL
should match" error? I've tried every combination I can think of, without
success. The rules for implementing ACLs on a Cisco 2950T are very
restrictive.
Regards,
Frank
===================
[note: the reason I have /16 reverse mask for all the lines is because one
of the IP addresses in that range has a mgmt interface network with a /16]
access-list 100 permit ip a.b.0.0 0.0.255.255 any
access-list 100 permit ip c.d.0.0 0.0.255.255 any
access-list 100 permit ip e.f.0.0 0.0.255.255 any
access-list 100 permit ip g.h.0.0 0.0.255.255 any
access-list 100 permit ip 0.0.0.0 0.0.255.255 any
access-list 100 deny ip any any
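As an added illustration of question (a), not part of the original post: a small Python model of how an extended ACL evaluates source addresses under Cisco wildcard-mask semantics, where a 1 bit in the wildcard means "ignore this bit" (the inverse of the netmask used by `ip route`). The a.b/c.d/e.f/g.h prefixes are replaced by constructed 10.x.0.0 placeholders, and the function names are my own.

```python
import ipaddress

# Each ACE: (action, source base, wildcard mask). These mirror the shape of
# the posted ACL; the a.b/c.d/e.f/g.h prefixes are constructed placeholders,
# not the poster's real addresses. Destination is 'any' on every line.
ACL_100 = [
    ("permit", "10.1.0.0", "0.0.255.255"),
    ("permit", "10.2.0.0", "0.0.255.255"),
    ("permit", "10.3.0.0", "0.0.255.255"),
    ("permit", "10.4.0.0", "0.0.255.255"),
    ("permit", "0.0.0.0", "0.0.255.255"),        # the line under discussion
    ("deny", "0.0.0.0", "255.255.255.255"),      # 'deny ip any any'
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must match exactly
    return (a & care) == (b & care)


def matched_range(base: str, wildcard: str) -> str:
    """Describe the sources an ACE covers: CIDR if the wildcard is contiguous,
    otherwise the low/high bounds with a non-contiguous marker."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    lo = b & care                     # IOS stores the base with host bits cleared
    hi = lo | w
    if w & (w + 1) == 0:              # wildcard is of the form 2**k - 1
        prefix = 32 - w.bit_length()
        return f"{ipaddress.IPv4Address(lo)}/{prefix}"
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)} (non-contiguous)"


def evaluate(src: str, acl=ACL_100):
    """First matching ACE wins; an ACL with no match ends in an implicit deny."""
    for i, (action, base, wildcard) in enumerate(acl):
        if wildcard_match(src, base, wildcard):
            return action, i
    return "deny", -1


if __name__ == "__main__":
    for i, (action, base, wildcard) in enumerate(ACL_100):
        print(f"ACE {i}: {action:6} sources {matched_range(base, wildcard)}")
    # Constructed sample sources: a DHCPDISCOVER (source 0.0.0.0), an
    # unusual 0.0.x.x source, a subscriber block, and an outside address.
    for src in ["0.0.0.0", "0.0.17.200", "10.3.77.1", "203.0.113.9"]:
        print(f"{src:>12} -> {evaluate(src)}")
```

Running it shows that `permit ip 0.0.0.0 0.0.255.255 any` covers exactly the sources 0.0.0.0/16, which includes the 0.0.0.0 source address of a DHCPDISCOVER but nothing outside that /16; an ACE that matched every source would need the wildcard 255.255.255.255, which is what the keyword `any` expands to. Since the line is `permit ip`, it does admit any IP protocol from that /16 rather than DHCP alone, and the final `deny ip any any` still drops every other source.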