Bridge with ACLs ???

It depends upon your platform and IOS version.

Traditionally, bridged interfaces could only have MAC based ACLs and not IP based ACLs.

Some platforms, such as the Catalyst 3750 Multilayer Switch, can have both MAC based ACLs and IP based ACLs on the same interface.

I cannot determine your platform from what you posted. I can tell, though, that you are -not- using the Catalyst 2950/ 2960/ 2970/

A couple of weeks ago, I happened to encounter a newer IOS feature that might perhaps be of use to you. Unfortunately I did not keep track of the details, as I do not have appropriate equipment. The feature was configured very much like route-maps, except that the maps that were being constructed could contain MAC filters as well as IP filters.

There may also be other possibilities with newer IOS versions, involving features related to "layer 2 transparent firewalls". (It could well be that the feature I'm referring to above was the method for configuring layer 2 transparent filters.)

I presume that you are looking for layer 3 ACLs here. Do you want to apply the ACL only for traffic that gets routed across bridge groups or do you also want to also have these ACLs applied for traffic that stays within a bridge group?

If it is the former, try applying the ACL on the BVI interface since that is the virtual interface that is used to route all traffic from the bridge group onto other subnets. OTOH if you are trying to do the latter, then note that bridging is a layer 2 activity and so layer 3 ACLs cannot have any effect on traffic that stays within the bridge group because conceptually the bridge will not even look at layer 3 information for those frames, let alone filter on that basis.

Cisco da Gama

I presume that you are looking for layer 3 ACLs here. Do you want to apply the ACL only for traffic that gets routed across bridge groups or do you also want to also have these ACLs applied for traffic that stays within a bridge group?

If it is the former, try applying the ACL on the BVI interface since that is the virtual interface that is used to route all traffic from the bridge group onto other subnets. OTOH if you are trying to do the latter, then note that bridging is a layer 2 activity and so layer 3 ACLs cannot have any effect on traffic that stays within the bridge group because conceptually the bridge will not even look at layer 3 information for those frames, let alone filter on that basis.

Cisco da Gama

U=BFytkownik snipped-for-privacy@gmail.com napisa=B3:

In subnet A(/24bit) I've machine, which is a proxy to subnet B. I'd like =

to filter traffic between subnet A and proxy. The routing in subent A is =

out of my control, so I cannot just add router based firewall. The bridge with ACLs would be the best solution, but as I see it is not=20 possible. In mean time I've get idea to do it with proxy-arp, by=20 defining two subnets (/30bit) on both sides of router. Do you thing that =

this will work ?

Jarek.

Hi Jarek,

Yes, but HOW you do it depends on 3 main things - The Platform you are using, The IOS you are using, The TYPE of ACL you want to use. By TYPE I mean either a Layer 2 ACL or a Layer 3 ACL.

This doesn't work, because ACL 101 is a Layer 3 ACL and in BRIDGE mode the interface can only accept Layer 2 ACL's (EG 7xx series). Also check the docs on HOW one adds an ACL to a Bridged interface, the command format is slightly different to what you might expect.

However you can put your Layer 3 ACLs on the BVI, because thats the Layer 3 representation of the bridge.

Cheers..............pk.

Proxy ARP can do the trick:

See an old post by me:

I looked at that post, but you appear to lose the bridge-group when you implement that. Compare the configuration of Ethernet0/0 before and afterwards.

Really all that configuration does is route IP in a fairly typical way. But notice that that is *IP*, and that is *routing*. If you have non-IP, the configuration you showed will not work. If you have a broadcast packet, or a multicast packet with TTL of 1 (typical) then the configuration you showed there will not pass the packet on.