[c-nsp] access list help

Tim Franklin tim at pelican.org
Wed Feb 4 11:15:55 EST 2009


On Wed, February 4, 2009 3:04 pm, Deric Kwok wrote:

> I don't understand why I can access http://192.168.0.115 if this
> access-list
> is valid?
>
> My access list doesn't block www traffic to http://192.168.0.115
> but blocks telnet / www to switch 192.168.0.118

Is your switch being a *switch* in this case, or a *router*, i.e. a layer-2
or layer-3 hop?

From the config you're posting, it looks to me like you're applying the
ACL inbound towards the switch only - vlan1 is a layer-3 interface on
the switch.

Traffic that's being switched between layer-2 ports will never be
processed by that ACL.

What are the interfaces on your switch and their IP addresses?

> I also don't understand about "access-list 120 permit any any"
>
> If I have a hundred access lists, I have to put this "permit any any" at the
> end of each of the hundred access-lists

Yes, if you want each of those ACLs to permit by default.  The default
Cisco behaviour is for any traffic not matched at all by an access list to
be denied, i.e. an implicit 'deny any any' at the end of every ACL.

Regards,
Tim.
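
A worked configuration for the situation discussed in this thread, added
here as an illustration; it is not part of Tim's or Deric's messages and
was not taken from Deric's posted config. It assumes a Catalyst switch
running IOS, that both 192.168.0.115 and 192.168.0.118 sit in VLAN 1, and
that the switch's own Vlan1 address is 192.168.0.1 (an assumption; the
thread only names the two hosts). One syntax point: a numbered extended
ACL (100-199) needs a protocol keyword, so the default-permit entry is
`permit ip any any` rather than `permit any any`.

```cisco
! Extended ACL in the spirit of the thread: deny telnet/www to the switch
! at 192.168.0.118, permit everything else. Without the final
! 'permit ip any any' the implicit 'deny ip any any' would drop all other
! traffic entering Vlan1 from the wire (including HTTP to 192.168.0.115,
! if that traffic were actually routed through this interface).
access-list 120 deny   tcp any host 192.168.0.118 eq telnet
access-list 120 deny   tcp any host 192.168.0.118 eq www
access-list 120 permit ip any any
!
! Applied inbound on the SVI (assumed address 192.168.0.1). This ACL only
! sees packets that are routed via Vlan1 or addressed to the switch's own
! Vlan1 address; frames bridged between two access ports in VLAN 1 never
! reach it, which is why HTTP to 192.168.0.115 still works.
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 120 in
!
! To filter traffic that stays inside VLAN 1 (host-to-host at layer 2) on
! platforms that support VLAN access maps: match the unwanted flows with
! a *permit* ACL and drop them, then forward everything else with a final
! entry that has no match clause. A VACL also has an implicit drop for
! packets that match no entry, so that last entry is not optional.
ip access-list extended MGMT-TO-SWITCH
 permit tcp any host 192.168.0.118 eq telnet
 permit tcp any host 192.168.0.118 eq www
!
vlan access-map MGMT-FILTER 10
 match ip address MGMT-TO-SWITCH
 action drop
vlan access-map MGMT-FILTER 20
 action forward
!
vlan filter MGMT-FILTER vlan-list 1
```

To check which path the traffic is really taking, `show access-lists 120`
prints per-entry match counters: if the two deny entries count hits while
HTTP to 192.168.0.115 keeps flowing, the web traffic is simply not
crossing the SVI. `show vlan access-map` and `show vlan filter` confirm
the VACL is attached. If you want the default deny to show up in the
logs rather than stay implicit, end the ACL with an explicit
`deny ip any any log` instead of relying on the implicit entry (and, as
Tim says, only the ACLs that are meant to permit by default need the
trailing `permit ip any any`).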