[c-nsp] Cisco 2950T-24 ACLs question.

Frank Bulk frnkblk at iname.com
Wed Oct 11 00:43:31 EDT 2006


Thanks for your response.  

According to the documentation one is supposed to be able to use layer-4
ACLs after layer-3 ACLs, but I wasn't able to come up with a valid
combination, and only one access list can be applied to an interface, so
I'm somewhat stuck.  I guess I'll have to go without, or upgrade to a switch
that is a bit more flexible.  

Frank

-----Original Message-----
From: Michael K. Smith - Adhost [mailto:mksmith at adhost.com] 
Sent: Tuesday, October 10, 2006 2:01 PM
To: frnkblk at iname.com; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco 2950T-24 ACLs question.

Hello Frank:


Two questions:
a) Does the "access-list 100 permit ip 0.0.0.0 0.0.255.255 any" possibly
permit more than just DHCP requests?  With 'ip route' the 0.0.0.0
describes a global catch-all, and so I'm wondering if I'm blocking anything
at all now.

- I think that would match 0.0.0.0 through 255.255.0.0 with the last two
octets having to be 0.0.  So, you might allow a few IP's here and there
if people are using aggregated blocks (216.211.0.0 might actually be in
use, as an example).

b) Is there a way to add blocking of UDP ports 137, 139, 445, etc.
without generating that annoying "%Error:The field sets of all the ACEs in
an ACL should match" error?  I've tried every combination I can think of,
without success.  The rules for implementing ACLs on a Cisco 2950T are very
restrictive.

- It's either-or here.  Your ACL statements have to be of a similar type
and even mask length.  So, if you want an ACL that blocks ports, you
have to remove the ACL that blocks IP subnets or hosts.

Mike
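
Added example (not code from either poster or from Cisco): a small Python
model of the two points in the thread. It evaluates Cisco-style wildcard
masks bit by bit (a 1 bit in the wildcard means "don't care"), runs
first-match ACL evaluation with the implicit deny, and applies a simplified
version of the "field sets of all the ACEs in an ACL should match" rule. The
field-set model (protocol plus whether L4 port qualifiers are present) is an
assumption for illustration, not the exact 2950 hardware rule; the sample
ACLs are constructed from the entries quoted above, and the parser accepts
numeric ports only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not code from the thread. Field-set model below is an
# assumption (protocol + presence of L4 port qualifiers), not the exact
# 2950 rule. Ports must be numeric in this toy parser.

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'don't care'; a 0 bit means that bit
    of the address must equal the corresponding bit of the base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address the base/wildcard pair can match."""
    lo = _ip(base) & ~_ip(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | _ip(wildcard)))

@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[str, str]          # (base, wildcard)
    dst: Tuple[str, str]
    sport: Optional[str]          # e.g. "eq 137" or "range 137 139"
    dport: Optional[str]

_ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
_PORT = r"(?:(?:eq|neq|gt|lt)\s+\S+|range\s+\S+\s+\S+)"
_ACE_RE = re.compile(
    rf"^access-list\s+\d+\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    rf"(?P<src>{_ADDR})(?:\s+(?P<sport>{_PORT}))?\s+"
    rf"(?P<dst>{_ADDR})(?:\s+(?P<dport>{_PORT}))?\s*$"
)

def _parse_addr(text: str) -> Tuple[str, str]:
    parts = text.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1]

def parse_ace(line: str) -> Ace:
    m = _ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    return Ace(m["action"], m["proto"].lower(), _parse_addr(m["src"]),
               _parse_addr(m["dst"]), m["sport"], m["dport"])

def _port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    if spec is None:           # no port qualifier: any port matches
        return True
    if port is None:           # qualifier present but packet has no L4 port
        return False
    op, *nums = spec.split()
    n = [int(v) for v in nums]
    if op == "range":
        return n[0] <= port <= n[1]
    return {"eq": port == n[0], "neq": port != n[0], "gt": port > n[0], "lt": port < n[0]}[op]

def acl_decision(aces: List[Ace], src: str, dst: str, proto: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst)):
            continue
        if not (_port_matches(ace.sport, sport) and _port_matches(ace.dport, dport)):
            continue
        return ace.action
    return "deny"

def field_set(ace: Ace) -> Tuple[str, bool, bool]:
    """Which header fields the ACE inspects (simplified model, assumption)."""
    return (ace.proto, ace.sport is not None, ace.dport is not None)

def check_field_sets(aces: List[Ace]) -> Optional[str]:
    """Return the IOS-style error text when ACEs inspect different field sets."""
    if len({field_set(a) for a in aces}) > 1:
        return "%Error:The field sets of all the ACEs in an ACL should match"
    return None

# Constructed sample ACLs built from the entries discussed in the thread.
ACL_100 = [parse_ace("access-list 100 permit ip 0.0.0.0 0.0.255.255 any")]
ACL_MIXED = ACL_100 + [parse_ace("access-list 100 deny udp any any eq 137")]
ACL_PORTS = [parse_ace(f"access-list 101 deny udp any any eq {p}") for p in (137, 139, 445)]

if __name__ == "__main__":
    print("0.0.0.0 0.0.255.255 covers", wildcard_range("0.0.0.0", "0.0.255.255"))
    # DHCP DISCOVER: source 0.0.0.0, destination broadcast, UDP 68 -> 67
    print("DHCP discover:", acl_decision(ACL_100, "0.0.0.0", "255.255.255.255", "udp", 68, 67))
    print("216.211.0.0 -> 10.0.0.1:", acl_decision(ACL_100, "216.211.0.0", "10.0.0.1", "udp", 1024, 137))
    print("mixed ACL:", check_field_sets(ACL_MIXED), "| port-only ACL:", check_field_sets(ACL_PORTS))
```

Running it prints the address range the quoted wildcard pair actually
covers, the decision for a DHCP DISCOVER (source 0.0.0.0), the decision for
a packet from an ordinary address, and which of the two sample ACLs the
simplified field-set check rejects.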


