[c-nsp] access list help

Tim Franklin tim at pelican.org
Thu Feb 5 07:45:15 EST 2009


On Wed, February 4, 2009 6:24 pm, Deric Kwok wrote:

>> Traffic that's being switched between layer-2 ports will never be
>> processed by that ACL.
>
> You mean my access-list is only for the router, not the switch?

Not so much the ACL, but where you've applied it.

'Interface vlan1' is a layer-3 interface.  Traffic will only go in or out
of this interface if it's going to the IP address of the switch, either
because it's destined to the switch, or because the switch is the IP
next-hop and is going to route (not switch) the traffic on.

Traffic that's being switched between ports at layer-2 only goes in and
out of the physical ports, e.g. fastethernet0/1 - even though they might
be in vlan 1, it doesn't traverse the vlan1 interface.

> In this case, what can I do to not allow www traffic to 192.168.0.115 in
> the switch?

I believe you'll need the ACL applied inbound on every physical port that
could have traffic going towards 192.168.0.115 - so the uplink port, and
any other ports that have devices attached.

> Could you give me examples ACLs to permit by default?

You need a 'permit ip any any' statement at the end of each ACL to permit
by default for that ACL.

This is going to be very important once you start applying the ACL to the
physical ports, as above - if you don't include the 'permit ip any any' at
the end, you'll effectively shut off that port completely.

Regards,
Tim.
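The following configuration is an added illustration of the advice in the thread above; it is not from the original posts. It assumes a Catalyst-style IOS switch with access ports fastethernet0/1 - 24 in vlan 1, fastethernet0/24 as the uplink, 192.168.0.1 as the switch's own address, and an ACL named BLOCK-WWW-115 (all of these are assumptions for the example).

```cisco
! Added example, not from the original thread.
! Assumed: ports fa0/1-fa0/24 are access ports in vlan 1, fa0/24 is the
! uplink, the switch's SVI address is 192.168.0.1, ACL name BLOCK-WWW-115.
!
! Extended named ACL: deny TCP to port 80 (www) on the host, then permit
! everything else. Without the final 'permit ip any any' the ACL ends in
! the implicit 'deny ip any any' and the port passes no IP traffic at all.
ip access-list extended BLOCK-WWW-115
 deny   tcp any host 192.168.0.115 eq www
 permit ip any any
!
! Applying the ACL on the SVI only filters packets that are routed through
! the switch or addressed to it. Frames switched between ports in vlan 1
! never traverse interface vlan1, so the line below (shown commented out)
! would NOT block HTTP between two hosts on the same VLAN.
interface vlan1
 ip address 192.168.0.1 255.255.255.0
 ! ip access-group BLOCK-WWW-115 in   <- does not see L2-switched traffic
!
! Apply the ACL inbound on every physical port that can carry traffic
! towards the host: the uplink and all ports with devices attached.
! Port ACLs on Catalyst switches are inbound-only, hence 'in'.
interface range fastethernet0/1 - 24
 ip access-group BLOCK-WWW-115 in
!
! Verification (exec mode): the deny line's match counter should increment
! when a client tries to reach http://192.168.0.115/, and each port should
! report "Inbound access list is BLOCK-WWW-115".
! show access-lists BLOCK-WWW-115
! show ip interface fastethernet0/1 | include access list
```

Define the ACL before applying it: referencing a name that does not yet exist applies an empty ACL, and on IOS an empty ACL permits everything, so the filter silently does nothing until the entries are added. The same applies if the deny line is mistyped, so check the match counters rather than assuming the block is in effect.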
