08-16-2002 09:19 AM - edited 03-02-2019 12:44 AM
I am setting up two Catalyst 3550 switches in a lab to test out. The layout is simple: two switches connected together, with a computer on each switch. I am having problems with my access-lists. What I want to do is to deny all traffic on that port except for the traffic destined for the computer on that switch. The computer is 10.10.10.20. I changed the IP address to 10.10.10.21 and I am still able to ping it and see it through Network Neighborhood. The command I used to set up the access-list was:
access-list 11 permit host 10.10.10.20
I know I am missing something really simple, so if someone could let me know, that would be really helpful.
TIA,
Rawls Moore
08-16-2002 10:08 AM
Please post the sh ver and sh run from the switch.
08-16-2002 10:35 AM
here is the sh ru:
NOCL3#sh ru
Building configuration...
Current configuration : 1955 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NOCL3
!
enable secret 5 $1$dGl2$EcnIc9e7A10V2QL3iJ67l.
enable password xxxxxxxxxxx
!
clock timezone MST -7
ip subnet-zero
no ip finger
mls qos
!
class-map match-any class7
match access-group 10
!
!
policy-map map7
class class7
police 256000 512000 exceed-action drop
set ip precedence 2
!
!
!
!
!
interface GigabitEthernet0/1
no ip address
snmp trap link-status
!
interface GigabitEthernet0/2
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/3
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/4
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/5
switchport access vlan 5
switchport mode access
no ip address
snmp trap link-status
!
interface GigabitEthernet0/6
switchport access vlan 66
switchport mode access
no ip address
snmp trap link-status
!
interface GigabitEthernet0/7
no ip address
snmp trap link-status
service-policy input map7
!
interface GigabitEthernet0/8
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/9
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/10
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/11
no ip address
shutdown
snmp trap link-status
!
interface GigabitEthernet0/12
no ip address
shutdown
snmp trap link-status
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
!
ip default-gateway 10.10.10.1
ip classless
ip http server
!
access-list 10 permit 10.10.10.20
access-list 10 deny any
snmp-server engineID local 80000009030000087C3CA981
snmp-server community mdellc RO
snmp-server community mtdig RW
snmp-server location Lone Pine Tower
snmp-server contact MDE LLC
!
line con 0
transport input none
line vty 0 4
password xxxxxxxxxx
login
line vty 5 15
password xxxxxxxxxx
login
!
end
08-16-2002 10:54 AM
NOCL3#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(6)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Tue 09-Oct-01 21:46 by devgoyal
Image text-base: 0x00003000, data-base: 0x00617E14
ROM: Bootstrap program is C3550 boot loader
NOCL3 uptime is 23 minutes
System returned to ROM by power-on
System image file is "flash:c3550-i5q3l2-mz.121-6.EA1/c3550-i5q3l2-mz.121-6.EA1.bin"
cisco WS-C3550-12T (PowerPC) processor (revision A0) with 65526K/8192K bytes of memory.
Processor board ID FAA0551D094
Last reset from warm-reset
Bridging software.
Running Layer2/3 Switching Image
Ethernet-controller 1 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 2 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 3 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 4 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 5 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 6 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 7 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 8 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 9 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 10 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 11 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
Ethernet-controller 12 has 1 Gigabit Ethernet/IEEE 802.3 interfaces
12 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:08:7C:3C:A9:80
Motherboard assembly number: 73-5527-11
Power supply part number: NONE
Motherboard serial number: FAA0551JWX7
Power supply serial number: DAB054902CK
Model revision number: A0
Model number: WS-C3550-12T
System serial number: FAA0551D094
Configuration register is 0x10F
08-19-2002 08:03 AM
This problem is starting to affect business. Could someone let me know what other information I could provide or any suggestions on what to do?
Thanks,
Rawls
08-19-2002 08:20 AM
It seems like you are missing the ip access-group command on the interface vlan, as mentioned on this URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1219ea1/3550scg/swacl.htm#xtocid17
Plus, you are running an early release of the software, in which case ACLs can cause various problems like reloading the box, etc., so please upgrade to the latest software.
Hope this helps
08-19-2002 09:02 AM
I followed the instructions but I still get an error. Here is a copy of what I did and the reply:
NOCL3(config)#conf t
NOCL3(config)#int Gi0/7
NOCL3(config-if)#ip access-group 10 in
^
% Invalid input detected at '^' marker.
I then did a "?" and I didn't see this command in the list. Is this a problem with the software because I am at too low a level?
thanks for the help,
rawls
08-19-2002 03:50 PM
Type in "no switchport" and then apply the "ip access-group 10 in".
08-19-2002 05:44 PM
It seems like you are trying to limit the traffic within the same VLAN, e.g. 10.10.10.20 can't access other workstations on the same VLAN.
Are you talking across the VLANs, or across the network, or within the same network?
08-20-2002 05:15 AM
I'm also experiencing the same problems with ACLs. As soon as I have more than 19 ACL statements, the 3550 crashes. Also, I can only have one ACL on the whole 3550, else it crashes.
Will an upgrade to IOS v12.1(9) solve my woes?
Connie
08-20-2002 05:37 AM
Yes. Upgrade to 12.1(9)EA1c. Look at the following bugs:
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdx02995
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdw91280
08-20-2002 10:05 AM
I want to use the ACL so that when traffic comes into the switch it only goes to the correct port. I don't want to waste any bandwidth with the traffic going other ports. To test this I have a vlan set up with two computers, I am then connecting another computer to another port, not in that vlan and I am trying to ping either ip address of the computers that are in the vlan. I don't want any traffic to get across.
08-20-2002 11:25 AM
ACLs are used for security rather than for controlling bandwidth; broadcast and multicast traffic will still go to all the ports in the same VLAN.
Anyway, if you want to restrict the users across the VLANs, then you need to apply the access list to the int vlan. In your configuration I don't see any other VLAN interfaces. If you don't have any other VLAN interface and are just using the port as a routed port, use the command "no switchport" and put the IP address on the port.
Please send the port numbers on which the devices are attached and if the above is not current config, please post the new config
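The two replies above ("no switchport" then ip access-group, and applying the list to an interface vlan or a routed port) describe the same rule: on the 3550, ip access-group is a Layer 3 command, so it is only accepted on an SVI or on a port that has been turned into a routed port. The posted config has one SVI (Vlan1) and the standard list access-list 10, and a standard list tests only the source address, which is why "permit host 10.10.10.20" cannot express "traffic destined for 10.10.10.20". The following is an added example written for this thread, not configuration from the original poster or from Cisco: it assumes VLAN 66 (already on Gi0/6 in the posted config) gets the subnet 10.10.66.0/24 and Gi0/7 the subnet 10.10.70.0/24, both of which are invented here, and the ACL name TO-PC20 is mine.

```cisco
! Enable Layer 3 forwarding between VLAN interfaces and routed ports.
! The posted config has no "ip routing" line, so the 3550 would not route at all.
ip routing
!
! Extended ACL: unlike standard list 10, this tests the DESTINATION address.
! "log" on the deny lets you see what is being dropped (show logging).
ip access-list extended TO-PC20
 remark only packets destined for 10.10.10.20 may enter VLAN 1
 permit ip any host 10.10.10.20
 deny   ip any any log
!
! Option A: SVIs. Traffic routed from VLAN 66 into VLAN 1 is filtered
! as it leaves Vlan1 toward the PCs.
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip access-group TO-PC20 out
!
! Assumed subnet for the third PC on Gi0/6 (switchport access vlan 66 already set).
interface Vlan66
 ip address 10.10.66.1 255.255.255.0
!
! Option B: a routed port. "no switchport" is what makes ip access-group
! appear in the interface command list; the subnet is assumed.
interface GigabitEthernet0/7
 no switchport
 ip address 10.10.70.1 255.255.255.0
 ip access-group TO-PC20 in
!
! Checks after applying:
!   show ip interface vlan 1          -> "Outgoing access list is TO-PC20"
!   show ip access-lists TO-PC20      -> hit counters on the permit/deny lines
```

Two caveats that follow from the replies: a router ACL only sees traffic that is routed between subnets, so two PCs in the same VLAN still reach each other directly, and the policy-map on Gi0/7 that references access-list 10 is a QoS policer (police ... exceed-action drop), not a security filter; it keeps working unchanged. Since the posted config is being shared, note also that it contains no service password-encryption together with a cleartext enable password and a read-write SNMP community; "service password-encryption" and removing or changing the RW community are cheap fixes before the box leaves the lab.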
08-20-2002 01:18 PM
The help from this thread has helped. The switches are up and working. I just had one last question, can an access-list be linked to just an ip address and not a port so that the switch looks at the destination of traffic and then looks at the access-list associated with that ip address?
TIA,
Rawls
08-20-2002 07:09 PM
An access list has to be applied to an interface, either virtual or physical, to take effect.
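The question above asks for a filter keyed on a destination IP rather than a port, and the reply is right that router ACLs need an interface. For filtering inside a single VLAN the 3550 software also has VLAN maps, which attach to a VLAN rather than to an interface and filter bridged frames by IP address, on releases that support them (the thread already recommends upgrading from 12.1(6)EA1). This is an added example for the original post's setup (two PCs in one VLAN, only conversations with 10.10.10.20 allowed), not configuration from the thread or from Cisco; the names PC20-TRAFFIC and ONLY-PC20 are mine, and VLAN 1 is assumed to be the PCs' VLAN because the posted config shows only interface Vlan1.

```cisco
! Extended ACL describing the conversations allowed inside the VLAN.
! Both directions are listed because a VLAN map sees replies too.
ip access-list extended PC20-TRAFFIC
 permit ip any host 10.10.10.20
 permit ip host 10.10.10.20 any
!
! VLAN access map: entry 10 forwards what the ACL permits,
! entry 20 has no match clause and therefore drops every other IP packet.
vlan access-map ONLY-PC20 10
 match ip address PC20-TRAFFIC
 action forward
vlan access-map ONLY-PC20 20
 action drop
!
! Attach the map to the PCs' VLAN (VLAN 1 is an assumption here).
vlan filter ONLY-PC20 vlan-list 1
!
! Checks:
!   show vlan access-map ONLY-PC20
!   show vlan filter
```

Points to test before relying on it: frames with no matching clause type, such as ARP, are not covered by an ip-only map and are forwarded, so hosts still appear in ARP tables; IP broadcasts such as DHCP are IP and will hit entry 20 unless you add a permit for them; and traffic to the switch's own Vlan1 address 10.10.10.1 is also dropped by entry 20, so add a permit for it if the switch is managed over that VLAN.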