[c-nsp] access list on 2950
Roman Bestuzhev
vhelgi at gmail.com
Wed Jun 27 07:18:48 EDT 2007
Hello ALL,
I recently configured IP standard access lists on a 2950 switch and found some
things which were strange to me.
Imagine the 2950 switch with a single vlan (vlan 30) configured on it.
Several other switches are connected to the 2950's ports. Several workstations
are connected to those other switches and have the following IP settings:
on switch1: 30.30.30.16 - 31/24
on switch2: 30.30.30.32 - 47/24
on switch3: 30.30.30.48 - 63/24
Finally, the 2950 is connected to the router, which has IP address 30.30.30.1/24.
In order to tie these IP ranges to particular ports on the 2950 I do the
following:
#conf t
(config)#access-list 16 permit 30.30.30.16 0.0.0.15
(config)#int fa0/16
(config-if)#ip access-group 16 in
(config-if)#ctrl-z
...
Then I try to check whether my access list works correctly. I assign one PC
connected to port 16 on the 2950 the IP address 30.30.30.128/24 and ping
30.30.30.1. Then I see that the ping works and the router replies to the ping
requests.
Then I rewrite my access list in this way:
#conf t
(config)#no access-list 16
(config)#access-list 16 permit 30.30.30.16 0.0.0.15
(config)#access-list 16 deny any
After this procedure the access list works as I wanted: it denies packets from
30.30.30.128 and only passes packets from 30.30.30.16 - 31.
Is this normal behavior or not? I am confused because the 2950 manual says that
each access list has an implicit deny any statement at the end of the list.
--
Roman Bestuzhev,
System Administrator
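As an added illustration (not part of Roman's post and not Cisco code), the following Python models how the 2950 manual says a numbered standard ACL is evaluated: entries are tested in order, the first match wins, wildcard-mask bits set to 1 are ignored in the comparison, and a source that matches nothing falls through to the implicit deny. The ACL lines, port numbers and IP addresses are the ones from the post; the class and function names are my own. It shows what the documented semantics predict for the two versions of access-list 16, not why the switch behaved differently with the first one.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 address -> 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


class StandardAcl:
    """Model of a Cisco IOS numbered standard ACL as the manual describes it
    (hypothetical class, written for this example)."""

    ALL_ONES = 0xFFFFFFFF

    def __init__(self, number: int):
        self.number = number
        self.entries = []  # list of (action, base_int, wildcard_int)

    def add(self, line: str) -> None:
        """Parse one 'access-list N permit|deny <src> [wildcard]' line.
        Accepts 'any', 'host A.B.C.D', a bare address (wildcard 0.0.0.0)
        and 'A.B.C.D W.W.W.W'."""
        tokens = line.split()
        if tokens[:2] != ["access-list", str(self.number)]:
            raise ValueError(f"not an entry for access-list {self.number}: {line!r}")
        action, rest = tokens[2], tokens[3:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if rest == ["any"]:
            base, wild = 0, self.ALL_ONES
        elif rest[0] == "host":
            base, wild = ip_to_int(rest[1]), 0
        elif len(rest) == 1:
            base, wild = ip_to_int(rest[0]), 0
        else:
            base, wild = ip_to_int(rest[0]), ip_to_int(rest[1])
        self.entries.append((action, base, wild))

    def evaluate(self, src_ip: str):
        """Return (action, index_of_matching_entry). Index is None when
        the packet fell through to the implicit 'deny any'."""
        src = ip_to_int(src_ip)
        for idx, (action, base, wild) in enumerate(self.entries):
            # A wildcard bit of 1 means "don't care": mask those bits off
            # on both sides and compare what remains.
            care = ~wild & self.ALL_ONES
            if (src & care) == (base & care):
                return action, idx
        return "deny", None  # implicit deny at the end of every IOS ACL


def acl_from_lines(number: int, lines) -> StandardAcl:
    acl = StandardAcl(number)
    for line in lines:
        acl.add(line)
    return acl


# The two versions of access-list 16 from the post.
ACL16_PERMIT_ONLY = acl_from_lines(16, [
    "access-list 16 permit 30.30.30.16 0.0.0.15",
])
ACL16_WITH_DENY = acl_from_lines(16, [
    "access-list 16 permit 30.30.30.16 0.0.0.15",
    "access-list 16 deny any",
])

# One ACL per uplink port, generalising the post's scheme: port N carries
# hosts 30.30.30.N - N+15, so the wildcard is 0.0.0.15 in every case.
PORT_ACLS = {
    port: acl_from_lines(port, [f"access-list {port} permit 30.30.30.{port} 0.0.0.15"])
    for port in (16, 32, 48)
}


def port_admits(port: int, src_ip: str) -> bool:
    """True when the ACL bound inbound on fa0/<port> permits src_ip."""
    return PORT_ACLS[port].evaluate(src_ip)[0] == "permit"


if __name__ == "__main__":
    for acl in (ACL16_PERMIT_ONLY, ACL16_WITH_DENY):
        for ip in ("30.30.30.20", "30.30.30.31", "30.30.30.32", "30.30.30.128"):
            print(len(acl.entries), "entries:", ip, "->", acl.evaluate(ip))
```

Run as-is it prints the verdict for a few source addresses against both versions of the list; by the manual's rules 30.30.30.128 is denied in both cases, the only difference being whether the deny is the explicit second entry or the implicit one.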