Cannot apply ACL to fa0/5

Hi all:

I have a Cisco 2950 and I'm trying to apply a simple ACL to block pings from outside to our internal network.

Here is the info on the switch:

Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Mon 02-Feb-04 23:29 by yenanh
Image text-base: 0x80010000, data-base: 0x8058A000

Here is the ACL:

Extended IP access list 103
    deny icmp any any echo log-input
    permit ip any any

When I tried to apply it, it wouldn't take:

Catalyst2950-External#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
Catalyst2950-External(config)#int fa0/5
Catalyst2950-Exter(config-if)#ip access-group ?
% Unrecognized command

Can someone shed some light on this please?

Thank you.

-- John

Not absolutely positive, but I would guess that a 2950 presumes that fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only apply an ACL to a VLAN interface. Therefore you would have to apply it to the VLAN that fa0/5 is in, but be careful, as this may block other ports and traffic. Just guessing here....

-- Trendkill

I tend to agree about the vlan info. I was thinking of applying it to vlan1, the default vlan but nervous about it. Help Cisco gurus!

-J.

-- John

Your ACL would only block icmp, and allow everything else, which looks fine. My point was, if you only wanted to block vlan 1 traffic going out or in fa0/5, but you apply the ACL on the VLAN, that it would apply it to EVERY access-port in that vlan. Therefore if you had other icmp that you wanted to allow, then this could end up blocking that as well. If fa0/5 is the only port in that vlan that is up, then this is a moot point. Else you may want to revise your ACL to block specific addresses. Just be careful and realize all traffic coming in/ out of that VLAN will be impacted if you apply it on the vlan.

-- Trendkill

What I want to do is prevent a ping flood/attack into our internal network. That is the goal. Our provider told us that they saw massive traffic coming from our network. It is fine to block ALL ping traffic incoming to all the ports in vlan1.

Comment? and...thanks.

-- John

I would recommend putting this on your external router that faces the provider. If this is your 2950, fine, but if not, I would move it out to your external most layer 3 hop. This would not restrict any other pings, except those coming in from the internet or provider cloud.

-- Trendkill
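As an added illustration of the placement Trendkill describes (this is not configuration from the thread or from Cisco documentation), here is the same ACL 103 applied inbound on a router's provider-facing interface. The interface name FastEthernet0/0, the description and the 192.0.2.2/30 address are assumptions; the ACL body is the one John posted.

```cisco
! Added example, not from the thread: John's ACL 103 placed on the
! Layer 3 hop that faces the provider, so only echo requests arriving
! from outside are dropped. Interface name and address are assumed.
access-list 103 deny icmp any any echo log-input
access-list 103 permit ip any any
!
interface FastEthernet0/0
 description Uplink to provider (assumed interface name)
 ip address 192.0.2.2 255.255.255.252
 ip access-group 103 in
!
! Checks after applying it (run from privileged EXEC):
!   show access-lists 103          -> per-line match counters climb on a test ping
!   show logging | include list 103 -> log-input entries with the source MAC/interface
```

Because the list is applied inbound on the uplink only, hosts inside can still ping outward: their outgoing echo requests leave through the interface unfiltered, and the returning echo replies are not matched by the `echo` keyword. Keep in mind that `log-input` generates a syslog message per matching packet, which is exactly the traffic you expect to be flooding; on a production router, rate-limit that logging (`logging rate-limit`) or drop the keyword once you have confirmed the hit counters are climbing.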

I just applied it to vlan1. When I ping the CAT's IP address, it successfully blocked it. However, if I pinged anything connected to it, the packets went through with no problem. That's not what I want. Oh well.

Thanks.

-- John

Well if you want to block all pings in your environment period, apply the ACL to all vlan interfaces. I thought you just wanted to block pings to the outside world (ie internet or external networks). If that is the case, only place that ACL on the vlan/interface to your provider. This will allow pings inside your network, but not to/from external hosts. I may have misunderstood your requirements.

-- Trendkill


I want to block ALL pings coming from outside to ALL computers inside.

I applied it to the only vlan I have, vlan1.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/14,
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18,
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                                Fa0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

-- John


That is probably because the packet is coming in on vlan 1, and out of vlan 1, so the frame never goes through layer 3 inspection. Is this switch the central router for vlan 1? If not, what is? I would still recommend putting an ACL on whatever the next hop is towards the internet or provider, presuming it is a router or firewall. Please describe how you are connected to the provider w/ equipment and ip addressing.

-- Trendkill


Ok. I have a Cisco CAT 2950. This is interfacing with the provider. They connect to port int fa0/5 of the switch. They have some sort of Metro Ethernet into our building. I configured an IP address for the vlan1 of the switch and connect computers to other ports. We use their gateway as the next hop to the Internet.

-- John


And you use the same subnet for all your node IPs as well? So you don't have vlan 1 going to provider, and vlan 2 for all your nodes? Hmmm...k. That is probably why the ACL isn't working, as said before, the switch is not doing anything with the frames coming in if the nodes are in the same vlan as the switch and the upstream router. I'm not sure what your options are here without that functionality. I was figuring the router was yours, or you had multiple vlans, or you were NATing on your own network which would give you a few ways to block traffic. Without those, that switch isn't going to be able to do much filtering. I think those ACLs are for locking down the management interface or snmp pollers, and not much else.

-- Trendkill

Not sure that will work on a 2950 either. 3550 perhaps, definitely 3560. Definitely worth a try though.

-- Trendkill

Can't you use a vlan access-map, eg

ip access-list extended 103
 permit icmp any any echo
!
vlan access-map block-ping 10
 match ip address 103
 action drop
vlan access-map block-ping 20
 action forward

However, I'm not sure this will do the job or work on a 2950, and it's also entirely possible that I did not understand your question (apologies).

-- pk

Of course, then apply it:

vlan filter block-ping vlan-list 1

-- pk

Quite sure this only works in the emi image.

-- Network Blackjack

Worth a try. I might do it on a 2950, not THE 2950, if you know what I mean, to see how it works out. We do have a 3560 and I was able to apply an access-list like that to an interface.

I need some advice:

I got a call from the provider saying they saw massive traffic coming from our network, as a result, our port was turned into blocking mode.

I went to the office, saw on one floor a bunch of computers generating tons of traffic, and unplugged them from the network. Installed a software firewall on those computers, installed Ad-Aware, ran a scan and the traffic died down. I'm thinking of flood control, storm control, but not sure how to proceed.

I will cross my fingers for tonight.

Thanks all though!

-- John
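John mentions storm control as a next step. As an added example (not configuration from the thread), this is per-port storm control on the 2950's access ports, which caps broadcast, multicast and unicast floods from a single host before they saturate the provider uplink on fa0/5. The port ranges follow the VLAN listing John posted; the percentage thresholds are assumptions to be tuned against normal traffic on this network.

```cisco
! Added example, not from the thread: storm control on the access ports
! (fa0/5 is the provider uplink and is deliberately left out of the range).
! Thresholds are assumed starting points; measure first, then tighten.
interface range FastEthernet0/1 - 4 , FastEthernet0/6 - 24
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 storm-control unicast level 50.00
!
! Verification from privileged EXEC:
!   show storm-control              -> per-port state and configured levels
!   show storm-control unicast      -> which ports are currently suppressing
!   show interfaces fa0/5 | include rate  -> confirm uplink load has dropped
```

The default action when the level is exceeded is to drop the excess frames on that port while leaving the port up, which contains one infected machine without taking its neighbours off the network. Storm control is a rate cap, not a filter: it will not distinguish ping from anything else, so it complements, rather than replaces, the ACL on the Layer 3 hop that the rest of the thread discusses.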

Sounds like you also need to use NAT. Those machines should not be publicly addressed, and that should protect you from a good deal of external threats. It would also keep most of your traffic internal to your network, unless you get some really bad stuff that 'phones home'. All in all, install a real router, turn up NAT and some good ACLs, and use the switch for layer 2 only. Your 3560 can probably do all of this if you vlan it right (not sure on the NAT piece though), but I would consider the above.

-- Trendkill

Hi John,

As Trendkill says, you need to apply Layer 3 ACLs to a Layer 3 device such as a router. ACLs numbered 1 - 199 are Layer 3 ACLs. The 2950 is only a Layer 2 switch and you cannot apply Layer 3 ACLs to ANY Layer 2 port on that switch. The Layer 3 functionality of the 2950 is ONLY for management purposes of the switch itself, not the traffic it is passing. All traffic passing THROUGH the switch is passed as Layer 2 traffic. I also note that the switch is a "flat" switch, IE ALL traffic is in one VLAN.

HOWEVER, I have not tried this but it MAY be possible. See if the 2950 allows you to build a type 700 ACL (this is a Layer 2 MAC ACL), and use something like this (done from memory, will need modifying) -

access-list 701 deny 0.0.0 0.0.0 xxxx

where xxxx is the Layer 2 PROTOCOL traffic you are looking for, and apply that either: 1. OUTWARDS on the port going to your ISP, or 2. INWARDS on each source port.

This won't work if the Layer 2 protocol is not definitive enough for your needs. Method 1 will allow you to see the affected traffic on the switch, whereas method 2 will not.

Otherwise the only way to do this is to put a Layer 3 ACL on a Layer 3 Device such as a Router.

Good luck..................pk.

-- Peter

You require a 2950 running the enhanced image, not the standard one, to apply ACLs to interfaces directly. Otherwise you have to apply them to VLANs.

tested on a 2950-24 vs 2950t-24

-- News

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.