alt.certification.cisco, March 2004: ACLs on a layer 2 switch

ju.mobile

2004-03-22, 3:25 pm

This is a function I've seen used and working...?

is it a bad thing to do...?

cheers

ju


Terry Baranski

2004-03-22, 10:25 pm

On Mon, 22 Mar 2004 19:42:42 -0000, "ju.mobile"
<ju.mobile@ntlworld.com> wrote:

>This is a function I've seen used and working...?
>
>is it a bad thing to do...?


Not really. One just needs to be sure that the ACLs are configured
correctly. For example, a common mistake is applying an ACL to a
switch's VLAN1 interface and thinking that it will filter switched
traffic. Such an ACL will only filter traffic destined to the switch
itself -- port-based ACLs are required to filter switched traffic.

-Terry

ju.mobile

2004-03-22, 10:25 pm

Hi Terry,

many thanks for that... the function is rudimentary but effective, I'm still
trying to get my head around how an IP ACL works on a layer 2 switch..!

Am I right in thinking it passes it to the router?

EG:

24 port switch 2950, all ports are in VLAN1

Port 1 has a sales server 192.168.0.1/24
port 2 has an accounts server 192.168.0.2/24
port 3 - 20 have sales/accounts PCs 192.168.0.??/24
port 21 - 23 have personnel pc's 192.168.0.50-51-52/24
port 24 has the personnel server 192.168.0.53/24
port Gig0/1 has a link to a 2600 router

ports 1 - 20 have an ACL applied

access-list 101 deny ip any host 192.168.0.53
access-list 101 deny ip any host 192.168.0.52
access-list 101 deny ip any host 192.168.0.51
access-list 101 deny ip any host 192.168.0.50
access-list 101 permit ip any any
!
interface range FastEthernet0/1 - 20
 ip access-group 101 in


Because ports 1 - 20 have an ACL applied, when the IP packet arrives at the
switchport or is destined to one of these switchports, is the packet then passed
to the router, which discards it due to the ACL? Or would it be discarded because
it's a local subnet and therefore the router is not interested in it and drops
the packet?

cheers

ju

Terry Baranski

2004-03-23, 9:25 pm

On Tue, 23 Mar 2004 02:51:42 -0000, "ju.mobile"
<ju.mobile@ntlworld.com> wrote:

>Hi Terry,
>
>many thanks for that... the function is rudimentary but effective, I'm still
>trying to get my head around how an IP ACL works on a layer 2 switch..!
>
>Am I right in thinking it passes it to the router?
>
>EG:
>
>24 port switch 2950, all ports are in VLAN1
>
>Port 1 has a sales server 192.168.0.1/24
>port 2 has an accounts server 192.168.0.2/24
>port 3 - 20 have sales/accounts PCs 192.168.0.??/24
>port 21 - 23 have personnel pc's 192.168.0.50-51-52/24
>port 24 has the personnel server 192.168.0.53/24
>port Gig0/1 has a link to a 2600 router
>
>ports 1 - 20 have an ACL applied
>
>access-list 101 deny ip any host 192.168.0.53
>access-list 101 deny ip any host 192.168.0.52
>access-list 101 deny ip any host 192.168.0.51
>access-list 101 deny ip any host 192.168.0.50
>access-list 101 permit ip any any
>!
>interface range FastEthernet0/1 - 20
> ip access-group 101 in
>
>
>Because ports 1 - 20 have an ACL applied, when the IP packet arrives at the
>switchport or is destined to one of these switchports, is the packet then passed
>to the router, which discards it due to the ACL? Or would it be discarded because
>it's a local subnet and therefore the router is not interested in it and drops
>the packet?


The router would never see these packets since all the hosts are on
the same subnet. Though it may not be intuitive at first, a so-called
"layer-2" switch is perfectly capable of filtering packets based on
layer-3 headers if the manufacturer so desires. The term "layer-2" in
this context only means that the device can't forward packets based on
layer-3 headers; i.e., that it can't route. Packet filtering is a
completely separate operation -- a device's ability to forward packets
based on a given protocol layer's header information doesn't
necessarily coincide with its ability to filter them at this layer.

-Terry
Copyright 2003 - 2008 examnotes.net