Cannot apply ACL to fa0/5

Discussion in 'Cisco' started by John, Jan 9, 2008.

  1. John

    John Guest

    Hi all:

    I have a Cisco 2950 and I'm trying to apply a simple ACL to block
    pings from outside to our internal network.

    Here is the info on the switch:

    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
    RELEASE SOFTWARE (fc2)
    Copyright (c) 1986-2004 by cisco Systems, Inc.
    Compiled Mon 02-Feb-04 23:29 by yenanh
    Image text-base: 0x80010000, data-base: 0x8058A000

    Here is the ACL:

    Extended IP access list 103
    deny icmp any any echo log-input
    permit ip any any

    When I tried to apply it, it won't take:

    Catalyst2950-External#conf term
    Enter configuration commands, one per line. End with CNTL/Z.
    Catalyst2950-External(config)#int fa0/5
    Catalyst2950-Exter(config-if)#ip access-group ?
    % Unrecognized command


    Can someone shed some light on this please?

    Thank you.
     
    John, Jan 9, 2008
    #1

  2. John

    Trendkill Guest

    On Jan 9, 12:07 pm, John <> wrote:


    Not absolutely positive, but I would guess that a 2950 presumes that
    fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
    apply an ACL to a vlan interface. Therefore you would have to apply it to
    the vlan that fa0/5 is in, but be careful as this may block other
    ports and traffic. Just guessing here....
     
    Trendkill, Jan 9, 2008
    #2

  3. John

    John Guest

    On Jan 9, 12:58 pm, Trendkill <> wrote:


    I tend to agree about the vlan info. I was thinking of applying it to
    vlan1, the default vlan but nervous about it. Help Cisco gurus!

    -J.
     
    John, Jan 9, 2008
    #3
  4. John

    Trendkill Guest

    On Jan 9, 1:00 pm, John <> wrote:


    Your ACL would only block icmp, and allow everything else, which looks
    fine. My point was, if you only wanted to block vlan 1 traffic going
    out or in fa0/5, but you apply the ACL on the VLAN, that it would
    apply it to EVERY access-port in that vlan. Therefore if you had
    other icmp that you wanted to allow, then this could end up blocking
    that as well. If fa0/5 is the only port in that vlan that is up, then
    this is a moot point. Else you may want to revise your ACL to block
    specific addresses. Just be careful and realize all traffic coming in/
    out of that VLAN will be impacted if you apply it on the vlan.
     
    Trendkill, Jan 9, 2008
    #4
  5. John

    John Guest

    On Jan 9, 1:03 pm, Trendkill <> wrote:


    What I want to do is prevent a ping flood/attack into our internal
    network. That is the goal.
    Our provider told us that they saw massive traffic coming from our
    network.
    It is fine to block ALL ping traffic incoming to all the ports
    in vlan1.

    Comment? and...thanks.
     
    John, Jan 9, 2008
    #5
  6. John

    Trendkill Guest

    On Jan 9, 1:11 pm, John <> wrote:


    I would recommend putting this on your external router that faces the
    provider. If this is your 2950, fine, but if not, I would move it out
    to your external-most layer 3 hop. This would not restrict any other
    pings, except those coming in from the internet or provider cloud.
     
    Trendkill, Jan 9, 2008
    #6
  7. John

    John Guest

    On Jan 9, 1:18 pm, Trendkill <> wrote:


    I just applied it to vlan1. When I ping the CAT's IP address, it
    successfully blocked it. However, if I pinged anything connected to
    it, the packets went through with no problem. That's not what I want.
    Oh well.

    Thanks.
     
    John, Jan 9, 2008
    #7
  8. John

    Trendkill Guest

    On Jan 9, 2:13 pm, John <> wrote:


    Well if you want to block all pings in your environment period, apply
    the ACL to all vlan interfaces. I thought you just wanted to block
    pings to the outside world (i.e. internet or external networks). If
    that is the case, only place that ACL on the vlan/interface to your
    provider. This will allow pings inside your network, but not to/from
    external hosts. I may have misunderstood your requirements.
     
    Trendkill, Jan 9, 2008
    #8
  9. John

    John Guest

    On Jan 9, 2:18 pm, Trendkill <> wrote:


    I want to block ALL pings coming from outside to ALL computers
    inside.

    I applied it to the only vlan I have, vlan1.

    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- -------------------------------
    1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                    Fa0/5, Fa0/6, Fa0/7, Fa0/9
                                                    Fa0/10, Fa0/11, Fa0/12, Fa0/14
                                                    Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                    Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                    Fa0/24
    1002 fddi-default                     act/unsup
    1003 token-ring-default               act/unsup
    1004 fddinet-default                  act/unsup
    1005 trnet-default                    act/unsup

    VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    1    enet  100001     1500  -      -      -        -    -        0      0
    1002 fddi  101002     1500  -      -      -        -    -        0      0
    1003 tr    101003     1500  -      -      -        -    -        0      0
    1004 fdnet 101004     1500  -      -      -        ieee -        0      0
    1005 trnet 101005     1500  -      -      -        ibm  -        0      0

    Remote SPAN VLANs
    ------------------------------------------------------------------------------

    It blocked pings from outside to the vlan's ip address but if I pinged
    a computer connected to say fa0/5, it will get a reply.
     
    John, Jan 9, 2008
    #9
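Why John's test came out the way it did, modelled as an added Python example (not code from the thread or from Cisco): the image in his `show version` output (C2950-I6Q4L2-M) is the 2950 standard image, which has no port ACLs, and an ACL on interface Vlan1 there only filters traffic addressed to the switch itself, so frames switched between the uplink and fa0/5 never consult it; the same list 103 inbound on the provider-facing interface of the outermost layer 3 hop, as Trendkill recommended, is evaluated for every packet coming in. The addresses, the switch IP and the two placement functions are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp"
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ... (icmp only)


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'deny icmp any any echo'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any" or a CIDR prefix
    dst: str
    icmp_type: Optional[str] = None


# The thread's extended list 103 as John entered it:
#   deny icmp any any echo log-input
#   permit ip any any
ACL_103 = [
    Ace("deny", "icmp", "any", "any", "echo"),
    Ace("permit", "ip", "any", "any"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return _addr_matches(ace.src, pkt.src) and _addr_matches(ace.dst, pkt.dst)


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def via_2950_vlan1(acl: List[Ace], pkt: Packet, switch_ip: str) -> str:
    """Placement 1 (what John did): the ACL on interface Vlan1 of the 2950.
    On the standard image that VLAN interface is a management interface, so
    only packets addressed to the switch's own IP are evaluated; transit
    frames between the uplink and an access port are switched at layer 2."""
    if pkt.dst == switch_ip:
        return evaluate_acl(acl, pkt)
    return "permit"  # switched without consulting the ACL


def via_edge_router(acl: List[Ace], pkt: Packet) -> str:
    """Placement 2 (Trendkill's recommendation): the same ACL inbound on the
    provider-facing interface of the outermost layer 3 hop, where every
    packet entering from the provider is evaluated before being routed in."""
    return evaluate_acl(acl, pkt)


# Constructed sample traffic using documentation prefixes (not the thread's).
SWITCH_IP = "192.0.2.2"
SAMPLES = {
    "ping_to_switch": Packet("203.0.113.7", SWITCH_IP, "icmp", "echo"),
    "ping_to_host": Packet("203.0.113.7", "192.0.2.10", "icmp", "echo"),
    "echo_reply_to_host": Packet("203.0.113.7", "192.0.2.10", "icmp", "echo-reply"),
    "http_to_host": Packet("203.0.113.7", "192.0.2.10", "tcp"),
}


def compare_placements() -> Dict[str, Dict[str, str]]:
    """Verdict of each placement for each sample packet."""
    return {
        name: {
            "2950_vlan1": via_2950_vlan1(ACL_103, pkt, SWITCH_IP),
            "edge_router": via_edge_router(ACL_103, pkt),
        }
        for name, pkt in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_placements().items():
        print(f"{name:20s} 2950 Vlan1: {verdict['2950_vlan1']:7s} "
              f"edge router: {verdict['edge_router']}")
```

The ping to the switch IP is denied in both placements, but the ping to a host behind fa0/5 is only denied at the edge router, which is exactly the difference John saw; replies to pings started from inside still pass because list 103 matches only echo, not echo-reply.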
  10. John

    Trendkill Guest

    On Jan 9, 2:29 pm, John <> wrote:
    > On Jan 9, 2:18 pm, Trendkill <> wrote:
    >
    >
    >
    > > On Jan 9, 2:13 pm, John <> wrote:

    >
    > > > On Jan 9, 1:18 pm, Trendkill <> wrote:

    >
    > > > > On Jan 9, 1:11 pm, John <> wrote:

    >
    > > > > > On Jan 9, 1:03 pm, Trendkill <> wrote:

    >
    > > > > > > On Jan 9, 1:00 pm, John <> wrote:

    >
    > > > > > > > On Jan 9, 12:58 pm, Trendkill <> wrote:

    >
    > > > > > > > > On Jan 9, 12:07 pm, John <> wrote:

    >
    > > > > > > > > > Hi all:

    >
    > > > > > > > > > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
    > > > > > > > > > pings from outside to our internal network.

    >
    > > > > > > > > > Here is the info on the switch:

    >
    > > > > > > > > > Cisco Internetwork Operating System Software
    > > > > > > > > > IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(19)EA1c,
    > > > > > > > > > RELEASE SOFTWARE (fc2)
    > > > > > > > > > Copyright (c) 1986-2004 by cisco Systems, Inc.
    > > > > > > > > > Compiled Mon 02-Feb-04 23:29 by yenanh
    > > > > > > > > > Image text-base: 0x80010000, data-base: 0x8058A000

    >
    > > > > > > > > > Here is the ACL:

    >
    > > > > > > > > > Extended IP access list 103
    > > > > > > > > > deny icmp any any echo log-input
    > > > > > > > > > permit ip any any

    >
    > > > > > > > > > When I tried to apply it, it won't take:

    >
    > > > > > > > > > Catalyst2950-External#conf term
    > > > > > > > > > Enter configuration commands, one per line. End with CNTL/Z.
    > > > > > > > > > Catalyst2950-External(config)#int fa0/5
    > > > > > > > > > Catalyst2950-Exter(config-if)#ip access-group ?
    > > > > > > > > > % Unrecognized command

    >
    > > > > > > > > > Can someone shed some light on this please?

    >
    > > > > > > > > > Thank you.

    >
    > > > > > > > > Not absolutely positive, but I would guess that a 2950 presumes that
    > > > > > > > > fa0/5 is a layer 2 port only, and I'm wondering if the 2950 can only
    > > > > > > > > apply an ACL to a vlan interface. Therefore you would to apply it to
    > > > > > > > > the vlan that fa0/5 is in, but be careful as this may block other
    > > > > > > > > ports and traffic. Just guessing here....- Hide quoted text -

    >
    > > > > > > > > - Show quoted text -

    >
    > > > > > > > I tend to agree about the vlan info. I was thinking of applying it to
    > > > > > > > vlan1, the default vlan but nervous about it. Help Cisco gurus!

    >
    > > > > > > > -J.

    >
    > > > > > > Your ACL would only block icmp, and allow everything else, which looks
    > > > > > > fine. My point was, if you only wanted to block vlan 1 traffic going
    > > > > > > out or in fa0/5, but you apply the ACL on the VLAN, that it would
    > > > > > > apply it to EVERY access-port in that vlan. Therefore if you had
    > > > > > > other icmp that you wanted to allow, then this could end up blocking
    > > > > > > that as well. If fa0/5 is the only port in that vlan that is up, then
    > > > > > > this is a moot point. Else you may want to revise your ACL to block
    > > > > > > specific addresses. Just be careful and realize all traffic coming in/
    > > > > > > out of that VLAN will be impacted if you apply it on the vlan.- Hide quoted text -

    >
    > > > > > > - Show quoted text -

    >
    > > > > > What I want to do is prevent a ping flood/attack into our internal
    > > > > > network. That is the goal.
    > > > > > Our provider told us that they saw massive traffic coming from our
    > > > > > network.
    > > > > > It is fine, about blocking ALL ping traffic incoming to all the ports
    > > > > > in the vlan1.

    >
    > > > > > Comment? and...thanks.

    >
    > > > > I would recommend putting this on your external router that faces the
    > > > > provider. If this is your 2950, fine, but if not, I would move it out
    > > > > to your external most layer 3 hop. This would not restrict any other
    > > > > pings, except those coming in from the internet or provider cloud.

    >
    > > > I just applied it to vlan1. When I ping the CAT's IP address, it
    > > > successfully blocked it. However, if I pinged anything connected to
    > > > it, the packets went through with no problem. That's not what I want.
    > > > Oh well.

    >
    > > > Thanks.

    >
    > > Well if you want to block all pings in your environment period, apply
    > > the ACL to all vlan interfaces. I thought you just wanted to block
    > > pings to the outside world (ie internet or external networks). If
    > > that is the case, only place that ACL on the vlan/interface to your
    > > provider. This will allow pings inside your network, but not to/from
    > > external hosts. I may have misunderstood your requirements.

    >
    > I want to block ALL pings coming from outside to ALL computers
    > inside.
    >
    > I applied it to the only vlan I have, vlan1.
    >
    > VLAN Name                             Status    Ports
    > ---- -------------------------------- --------- -------------------------------
    > 1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5,
    >                                                 Fa0/6, Fa0/7, Fa0/9, Fa0/10, Fa0/11,
    >                                                 Fa0/12, Fa0/14, Fa0/15, Fa0/16, Fa0/17,
    >                                                 Fa0/18, Fa0/20, Fa0/21, Fa0/22, Fa0/23,
    >                                                 Fa0/24
    > 1002 fddi-default                     act/unsup
    > 1003 token-ring-default               act/unsup
    > 1004 fddinet-default                  act/unsup
    > 1005 trnet-default                    act/unsup
    >
    > VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
    > ---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
    > 1    enet  100001     1500  -      -      -        -    -        0      0
    > 1002 fddi  101002     1500  -      -      -        -    -        0      0
    > 1003 tr    101003     1500  -      -      -        -    -        0      0
    > 1004 fdnet 101004     1500  -      -      -        ieee -        0      0
    > 1005 trnet 101005     1500  -      -      -        ibm  -        0      0
    >
    > Remote SPAN VLANs
    > ------------------------------------------------------------------------------
    >
    > It blocked pings from outside to the vlan's ip address but if I pinged
    > a computer connected to say fa0/5, it will get a reply.


    That is probably because the packet is coming in on vlan 1, and out of
    vlan 1, so the frame never goes through layer 3 inspection. Is this
    switch the central router for vlan 1? If not, what is? I would still
    recommend putting an ACL on whatever the next hop is towards the
    internet or provider, presuming it is a router or firewall. Please
    describe how you are connected to the provider w/ equipment and ip
    addressing.
     
    Trendkill, Jan 9, 2008
    #10
  11. John

    John Guest

    On Jan 9, 2:58 pm, Trendkill <> wrote:
    > That is probably because the packet is coming in on vlan 1, and out of
    > vlan 1, so the frame never goes through layer 3 inspection.  Is this
    > switch the central router for vlan 1?  If not, what is?  I would still
    > recommend putting an ACL on whatever the next hop is towards the
    > internet or provider, presuming it is a router or firewall.  Please
    > describe how you are connected to the provider w/ equipment and ip
    > addressing.


    Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
    They connect to port int fa0/5 of the switch. They have some sort of
    Metro Ethernet into our building. I configured an IP address for the
    vlan1 of the switch and connect computers to other ports. We use their
    gateway as the next hop to the Internet.
     
    John, Jan 9, 2008
    #11
  12. John

    Trendkill Guest

    On Jan 9, 3:18 pm, John <> wrote:
    > Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
    > They connect to port int fa0/5 of the switch. They have some sort of
    > Metro Ethernet into our building. I configured an IP address for the
    > vlan1 of the switch and connect computers to other ports. We use their
    > gateway as the next hop to the Internet.


    And you use the same subnet for all your node IPs as well? So you
    don't have vlan 1 going to provider, and vlan 2 for all your nodes?
    Hmmm...k. That is probably why the ACL isn't working, as said before,
    the switch is not doing anything with the frames coming in if the
    nodes are in the same vlan as the switch and the upstream router. I'm
    not sure what your options are here without that functionality. I was
    figuring the router was yours, or you had multiple vlans, or you were
    NATing on your own network which would give you a few ways to block
    traffic. Without those, that switch isn't going to be able to do much
    filtering. I think those ACLs are for locking down the management
    interface or snmp pollers, and not much else.
     
    Trendkill, Jan 9, 2008
    #12
  13. John

    Trendkill Guest

    On Jan 9, 3:52 pm, pk <> wrote:
    > John wrote:
    > > Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
    > > They connect to port int fa0/5 of the switch. They have some sort of
    > > Metro Ethernet into our building. I configured an IP address for the
    > > vlan1 of the switch and connect computers to other ports. We use their
    > > gateway as the next hop to the Internet.

    >
    > Can't you use a vlan access-map, eg
    >
    > ip access-list extended 103
    > permit icmp any any echo
    >
    > vlan access-map block-ping 10
    > match ip address 103
    > action drop
    >
    > vlan access-map block-ping 20
    > action forward
    >
    > However, I'm not sure this will do the job or work on a 2950, and it's also
    > entirely possible that I did not understand your question (apologies).


    Not sure that will work on a 2950 either. 3550 perhaps, definitely
    3560. Definitely worth a try though.
     
    Trendkill, Jan 9, 2008
    #13
  14. John

    pk Guest

    John wrote:

    > Ok. I have a Cisco CAT 2950. This is interfacing with the provider.
    > They connect to port int fa0/5 of the switch. They have some sort of
    > Metro Ethernet into our building. I configured an IP address for the
    > vlan1 of the switch and connect computers to other ports. We use their
    > gateway as the next hop to the Internet.


    Can't you use a vlan access-map, eg

    ip access-list extended 103
      permit icmp any any echo

    vlan access-map block-ping 10
    match ip address 103
    action drop

    vlan access-map block-ping 20
    action forward

    However, I'm not sure this will do the job or work on a 2950, and it's also
    entirely possible that I did not understand your question (apologies).
     
    pk, Jan 9, 2008
    #14
  15. John

    pk Guest

    pk wrote:

    > ip access-list extended 103
    > permit icmp any any echo
    >
    > vlan access-map block-ping 10
    > match ip address 103
    > action drop
    >
    > vlan access-map block-ping 20
    > action forward


    Of course, then apply it:

    vlan filter block-ping vlan-list 1
     
    pk, Jan 9, 2008
    #15
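    Trendkill's explanation above (a frame that comes in on vlan 1 and goes out on vlan 1 never passes Layer 3 inspection, so an ACL on the SVI only catches traffic aimed at the switch's own address) and pk's access-map are easier to reason about with a small model of the two filtering points. The Python below is an added example written for this thread; it is not code from the thread, from Cisco or from any poster. The addresses, the PC on fa0/5 and the "forward"/"drop" verdicts are constructed for the model, and it only encodes the behaviour the thread describes (a management-only SVI, a VLAN access-map evaluated on bridged frames); it says nothing about whether a given 2950 image actually supports vlan access-maps.

```python
# Added example, not code from the thread, from Cisco or from any poster.
# It models the two filtering points discussed above: an IP ACL applied with
# 'ip access-group' to the management SVI of a Layer 2 switch, and a VLAN
# access-map applied with 'vlan filter'. Addresses, hosts and the
# "forward"/"drop" verdicts are constructed for the model.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    icmp_type: str = ""   # "echo" or "echo-reply" when proto == "icmp"


@dataclass(frozen=True)
class Ace:
    """One entry of the form '<permit|deny> <ip|icmp|tcp|udp> any any [icmp-type]'."""
    action: str
    proto: str
    icmp_type: str = ""   # empty string matches any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.proto == "icmp" and self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        return True


def acl_permits(acl: List[Ace], p: Packet) -> bool:
    """IOS access-list semantics: first matching entry decides, implicit deny at the end."""
    for ace in acl:
        if ace.matches(p):
            return ace.action == "permit"
    return False


# John's list 103: deny pings, allow everything else.
ACL_103_JOHN = [Ace("deny", "icmp", "echo"), Ace("permit", "ip")]

# pk's list 103: inside a VACL match clause, 'permit' only selects the traffic
# the clause applies to; the access-map's own action decides drop or forward.
ACL_103_PK = [Ace("permit", "icmp", "echo")]

SWITCH_IP = "192.0.2.1"   # constructed address of 'interface vlan 1'


def router_acl_on_svi(p: Packet, acl: List[Ace] = ACL_103_JOHN) -> str:
    """Verdict of an ACL on the management SVI of a Layer 2 switch.

    Only traffic to or from the switch's own IP reaches the Layer 3 path
    where the list sits; a frame bridged between two ports of the same VLAN
    is forwarded without ever consulting it.
    """
    if SWITCH_IP not in (p.src, p.dst):
        return "forward"
    return "forward" if acl_permits(acl, p) else "drop"


# A VACL is an ordered list of (sequence, match list or None, action);
# a clause with no match list matches everything.
Vacl = List[Tuple[int, Optional[List[Ace]], str]]

VACL_BLOCK_PING: Vacl = [(10, ACL_103_PK, "drop"), (20, None, "forward")]

# The inverse-logic trap: reusing John's deny/permit list as the match list.
# 'deny icmp ... echo' selects nothing, and 'permit ip any any' selects all
# IP traffic, so sequence 10 drops everything except the pings.
VACL_MISTAKE: Vacl = [(10, ACL_103_JOHN, "drop"), (20, None, "forward")]


def vacl_on_vlan(p: Packet, vacl: Vacl = VACL_BLOCK_PING) -> str:
    """'vlan filter' semantics: every frame in the VLAN, bridged or routed,
    is checked against the clauses in sequence order; no match means drop."""
    for _seq, match_list, action in vacl:
        if match_list is None or acl_permits(match_list, p):
            return action
    return "drop"


# Constructed sample traffic: an outside host, the switch, and a PC on fa0/5.
OUTSIDE, INSIDE_PC = "203.0.113.5", "192.0.2.10"
SAMPLE = {
    "ping to switch": Packet(OUTSIDE, SWITCH_IP, "icmp", "echo"),
    "ping to pc": Packet(OUTSIDE, INSIDE_PC, "icmp", "echo"),
    "tcp to pc": Packet(OUTSIDE, INSIDE_PC, "tcp"),
    "ping reply out": Packet(INSIDE_PC, OUTSIDE, "icmp", "echo-reply"),
}


def compare(vacl: Vacl = VACL_BLOCK_PING) -> Dict[str, Tuple[str, str]]:
    """Return {name: (SVI ACL verdict, VACL verdict)} for the sample traffic."""
    return {name: (router_acl_on_svi(p), vacl_on_vlan(p, vacl)) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (svi, vacl) in compare().items():
        print(f"{name:15} ip access-group on SVI: {svi:8} vlan filter: {vacl}")
```

    The "ping to pc" row reproduces what John observed: the list on the SVI only decides pings addressed to the switch itself, while a vlan filter is consulted for the bridged frame as well. `compare(VACL_MISTAKE)` shows why pk's list is written the opposite way round from John's: with a deny/permit-any list in the match clause, the drop action swallows all IP traffic in the VLAN and the pings are the one thing that gets through.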
  16. John

    Network Blackjack Guest

    John wrote:
    > I have a Cisco 2950 and I'm trying to apply a simple ACL to block
    > pings from outside to our internal network.


    > When I tried to apply it, it won't take:
    >
    > Catalyst2950-External#conf term
    > Enter configuration commands, one per line. End with CNTL/Z.
    > Catalyst2950-External(config)#int fa0/5
    > Catalyst2950-Exter(config-if)#ip access-group ?
    > % Unrecognized command


    Quite sure this only works in the EMI image.
     
    Network Blackjack, Jan 9, 2008
    #16
  17. John

    John Guest

    On Jan 9, 3:49 pm, Trendkill <> wrote:
    > Not sure that will work on a 2950 either.  3550 perhaps, definitely
    > 3560.  Definitely worth a try though.


    Worth a try. I might do it on a 2950, not THE 2950 if you know what I
    mean, to see how it works out.
    We do have a 3560 and I was able to apply an access-list like that to
    an interface.

    I need some advice:

    I got a call from the provider saying they saw massive traffic coming
    from our network; as a result, our port was turned into blocking mode.

    I went to the office, saw on a floor a bunch of computers generating
    tons of traffic, and unplugged them from the network. Installed a
    software firewall on those computers, installed Ad-Aware, ran a scan and
    the traffic died down. I'm thinking of flood control, storm control
    but not sure how to proceed.

    I will cross my fingers for tonight.

    Thanks all though!
     
    John, Jan 9, 2008
    #17
  18. John

    Trendkill Guest

    On Jan 9, 4:17 pm, John <> wrote:
    > Worth a try. I might do it on a 2950, not THE 2950 if you know what I
    > mean, to see how it works out.
    > We do have a 3560 and I was able to apply an access-list like that to
    > an interface.
    >
    > I need some advice:
    >
    > I got a call from the provider saying they saw massive traffic coming
    > from our network; as a result, our port was turned into blocking mode.
    >
    > I went to the office, saw on a floor a bunch of computers generating
    > tons of traffic, and unplugged them from the network. Installed a
    > software firewall on those computers, installed Ad-Aware, ran a scan and
    > the traffic died down. I'm thinking of flood control, storm control
    > but not sure how to proceed.
    >
    > I will cross my fingers for tonight.
    >
    > Thanks all though!


    Sounds like you also need to use NAT. Those machines should not be
    publicly addressed, and that should protect you from a good deal of
    external threats. It would also keep most of your traffic internal to
    your network, unless you get some really bad stuff that 'phones
    home'. All in all, install a real router, turn up NAT and some good
    ACLs, and use the switch for layer 2 only. Your 3560 can probably do
    all of this if you vlan it right (not sure on the NAT piece though),
    but I would consider the above.
     
    Trendkill, Jan 9, 2008
    #18
  19. John

    Peter Guest

    Hi John,

    > > > > > What I want to do is prevent a ping flood/attack into our internal
    > > > > > network.


    As Trendkill says, you need to apply Layer 3 ACLs to a Layer 3 device
    such as a router. ACLs numbered 1 - 199 are Layer 3 ACLs. The 2950
    is only a Layer 2 switch and you cannot apply Layer 3 ACLs to ANY
    layer 2 port on that switch. The Layer 3 functionality of the 2950 is
    ONLY for management purposes of the switch itself, not the traffic it
    is passing. All traffic passing THROUGH the switch is passed as Layer
    2 traffic. I also note that the switch is a "flat" switch, i.e. ALL
    traffic is in one VLAN.

    HOWEVER, I have not tried this but it MAY be possible. See if the 2950
    allows you to build a type 700 ACL (this is a Layer 2 MAC ACL), and
    use something like this (done from memory, will need modifying) -

    access-list 701 deny 0.0.0 0.0.0 xxxx

    where xxxx is the Layer 2 PROTOCOL traffic you are looking for, and
    apply that either -
    1. OUTWARDS on the port going to your ISP, or
    2. INWARDS on each source port.

    This won't work if the Layer 2 protocol is not definitive enough for
    your needs. Method 1 will allow you to see the affected traffic on the
    switch, whereas method 2 will not.

    Otherwise the only way to do this is to put a Layer 3 ACL on a Layer 3
    device such as a router.

    Good luck..................pk.

    --
    Peter from Auckland.
     
    Peter, Jan 9, 2008
    #19
  20. John

    News Guest

    http://www.cisco.com/en/US/products/hw/switches/ps628/products_data_sheet09186a00801cfb64.html

    You require a 2950 running enhanced, not standard, to apply to interfaces
    directly. Otherwise you have to apply to vlans.

    Tested on a 2950-24 vs 2950T-24.

    John wrote:
    > I tend to agree about the vlan info. I was thinking of applying it to
    > vlan1, the default vlan but nervous about it. Help Cisco gurus!
    >
    > -J.
     
    News, Jan 9, 2008
    #20