Router Access List - where it is applied?

Similar Questions

• Ipv6 access list does not apply autonomous Aironet 3602I-E

  As you can see in the attached config I configured two SSID (2G & 5 G) for a third (2G only) SSID and PEAP WPA2-Ent on the vlan 2 for 'poor team access as guest '.

  Basically I forced the Dot11Radio0.2 interface in the Group of deck 1 to get all three SSIDS on vlan 1 (since I want just a quick way and dirty to allow its customers access to the internet, without having to configure a vlan separate everywhere).

  The guest SSID (XX COMMENTS) allows tkip in addition to BSE and uses a PSK rather than PEAP. Access lists configured on Dot11Radio0.2 IPv4 allows clients connected to this SSID get an IP by DHCP, use the DNS servers on the local network and access the internet. All other traffic for the local network is blocked by access lists guest_ingress and guest_egress.

  This all works very well, ipv4 is blocked for guests invited as expected. However, ipv6 is something different. For some reason, the ipv6 access list is completely ignored.

  Because I don't need ipv6 for guest access, I thought that I have completely block and do with it. As you can see I have this set:

  interface Dot11Radio0.2
  guest_ingress6 filter IPv6 traffic in
  guest_egress6 filter IPv6 traffic on

  and these ipv6 access lists have a rule of "refuse a whole" only. Yet, the XX COMMENTS SSID connected client gets an ipv6 address of the server on the LAN DHCP6 and has full connectivity. For ipv4, that I had to explicitly allow DHCP packets to the client not even get an IP, so the ipv6 access lists are not clearly applied.

  No matter if I move the access interface Dot11Radio0 instead lists, they don't do anything. I thought that maybe I should add a "enable ipv6" on the Dot11Radio0.2 interface (even if ipv6 traffic was very good, even where it shouldn't), but when I set "enable ipv6" Dot11Radio0 or Dot11Radio0.2 the radio goes into a sort of infinite loop of reset:

  000261: Sep 23 2016 22:32:50.512 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
  000262: Sep 23 2016 22:32:50.516 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
  000263: Sep 23 2016 22:32:50.524 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
  000264: Sep 23 2016 22:32:51.516 it IS: % LINEPROTO-5-UPDOWN: Line protocol on the Interface Dot11Radio0, state change downstairs
  000265: Sep 23 2016 22:32:51.560 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
  000266: Sep 23 2016 22:32:51.568 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
  000267: Sep 23 2016 22:32:51.576 it IS: % LINK-5-CHANGED: Interface Dot11Radio0, changed State to reset
  000268: Sep 23 2016 22:32:52.608 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to
  000269: Sep 23 2016 22:32:53.608 it IS: % LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed State to
  000270: 22:32:53.608 Sep 23, 2016 it IS: % DOT11-5-EXPECTED_RADIO_RESET: restart Radio Dot11Radio0 interface due to the reset of the interface
  000271: Sep 23 2016 22:32:53.612 it IS: % LINK-6-UPDOWN: Interface Dot11Radio0, changed State to down
  etc.

  In addition, when creating a list like this ipv6 access:

  guest_egress6 IPv6 access list
  refuse an entire ipv6

  The other is automatically created:

  IPv6-guest_egress6 role-based access list
  refuse an entire ipv6

  A deletion also removes the other.

  What is happening with these ipv6 ACLs, why they are not blocking all traffic? Why do I get an acl "role-based" too? Is associated it with?

  Is there a another way to kill just any ipv6 on the SSID of COMMENTS XX traffic while leaving alone on others? That's all I need at this stage. If the ipv6 ACL do not work, perhaps this can be done (ab) using a service-policy or policy routing? I'm ready to creative solutions :)

  PS. I know this is not the recommended method to configure a guest SSID, but it should still work IMO.

  You have encountered a bug I discovered a few months ago (CSCva17063), in your case, the workaround is to apply the ACL on the physical rather than the void interface interface (because you want to completely block IPv6 in any case). I write (more) my conclusions regarding the traffic that refusal on autonomous APs in a blogpost, might be interesting for you to read as well.

  Remember that the access point used as a bridge between the wired infrastructure and wireless, not as a router. There's some IOS routing of commands (like the "enable IPv6" command you pointed out) , but these are not the characteristics that should be used or need to be enabled on an access point.

  Because the networks internal and customer spend somewhere else, I would perform filtering on this device instead. Also sub gi0.2 interface is missing from your configuration, so I do not think that access as a guest is currently working at all?

  Please rate helpful messages... :-)

• DMVPN WILL ACCESS LIST

  Hi, guys

  Could you please help me with this matter?

  When you configure the DMVPN talk-to-spoke with several hubs (GRE IPSEC EIGRP) talked about what traffic should be allowed on the external physical interface on a router?

  !

  IP access-list еxtended CRYPTO-ONLY

  license to esp [IPSEC peers Reomote] [IPSEC peer Local]

  permit of eq isakmp udp [IPSEC peers Reomote] [IPSEC peer Local]

  allow accord [IPSEC peers Reomote] [IPSEC peer Local]

  !

  interface FastEthernet

  IP access-group CRYPTO ONLY in

  !

  If I delete the last line of the access list, where the "free WILL" is permitted, the router never built EIGRP neighbor relationships. If this line should be present? If so, does any not encrypted GRE traffic will come out?

  Thanks in advance,

  Mladen

  Hey Mladen,

  The access list bound to the external interface is checked twice IE before and after decryption. This is why you must allow packets will clear also.

  HTH

  Sangaré

  pls rate helpful messages

• PIX 501 ICMP access list Question

  According to the book, I have the pix and firewall that I know of dealing with routers and switches access lists define what traffic is allowed outside the network. With pix access lists can only be applied one way, to the interface they enter, not leaving. It's my understanding, but when I do an ICMP command:

  PIX1 (config) # access - list ethernet1 permit icmp any any echo response

  PIX1 (config) # access - list icmp permitted ethernet1 everything all inaccessible

  Access-group ethernet1 PIX1 (config) # interface inside

  This does not work, but if I apply the access group to the external interface it works. I understand why it is like that.

  Thank you

  This works because the pix is not aware of session state for the way icmp traffic that it does for tcp and udp.

  By default, less access to a high to an interface is allowed, unless you have an acl applies to the interface of higer - then only what the acl permits will be allowed. So you can send outbound icmp echo request. However, for the response to be returned, you must allow that explicitly in an acl that is applied on the external interface, because the pix won't allow any outside traffic by default.

  Even for icmp unreachable, although I want to put in custody to be part of the config. Allow only the unattainable due to the ttl expired to facilitate detection of mtu path, not all unachievable.

  Let me know if it helps.

• No not removed from the external interface access-list access list?

  PIX515

  customer wanted to modify the access list (add a new line)

  so he has first publish no access-list command can

  apply the change to the access list, but the access list has been

  removed from the interface outside

  is this a normal behavior? on routers access list stay connected

  for the event of the interface if you issue no access-list command

  Thanks in advance for any comments

  JYP

  Hi Thibault-

  No, it is not a normal behavior, sounds more like an error by the customer. It's always a good idea to copy the required ACL on a text editor (Notepad) do not forget to include "access-group command" i.e. "access-group interface inside inside' or 'access-group out in interface outside' - when copying the required ACL and then issues a 'no access-list inside' or 'no access-list outside' the first line in the ACL copied on your notebook before copy you it to the PIX , also make sure that you are using the config and make an "m wr" (write memory) after the ACL modified have been applied on the PIX.

  Hope this helps-

• Routing VPN access list

  Hello

  I have a PIX 525 to my main site and a 1721 router at a remote location. I used the PDM and the SDM to configure site-to-site IPSec VPN connection. In my private network, I use 10.1.0.0/16 for the main site and 10.x.0.0/16 (where x = 2-47) to remote sites.

  The remote site with the VPN connection uses 10.19.0.0/16. When I originally created this VPN, I configured the traffic to flow from the remote site to 10.1.0.0/16 only. This means that the remote site cannot speak to any other remote sites, just the main site.

  I need to modify the access list to solve this problem. The relevant part of the remote site access list is now:

  access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  Can I change the subnet mask in the first line and put the second line first?

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  access-list 103 allow ip 10.0.0.0 0.255.255.255 10.19.0.0 0.0.255.255

  Or should I let the deny at the end statement, and add a line for each of the other remote sites:

  access-list 103 allow ip 10.1.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.2.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.3.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  access-list 103 allow ip 10.4.0.0 0.0.255.255 10.19.0.0 0.0.255.255

  ... (others)

  access-list 103 deny ip 10.19.0.0 0.0.255.255 everything

  Thank you.

  John

  John

  Help the additional configuration information that you have posted. There are still a few things which I hope could be clarified. It seems that you have 46 remote sites and only is connected via a VPN. How have the other connectivity? It is all over the links within your private network? Is there than any NAT involved in these other connections?

  In my previous answer, I assumed that there will be multiple VPN connections, revealing your additional information is not the case. So my comment about limitations in PIX for talk of talks is true but not applicable to your situation.

  Other remote sites are also coming via the VPN? If yes access list 100 which the 1721 uses to identify the IPSec traffic (and that was not in your posted material) will probably have to be changed.

  According to access list 103 is concerned, I guess that the deny ip 10.19.0.0 0.0.255.255 is an anti-spoofing measure? If so, I would probably advocate put it as the first entry in the access list. What about if you want to use ip 10.0.0.0 allow 0.255.255.255 10.19.0.0 0.0.255.255 or a series of individual licenses, according to me, a point to consider is that allowed 10.0.0.0 0.255.255.255 will allow any space of 10 addresses. It seems that you use 1 to 47. What happens if something came through 10.122.x.x? I suggest a compromise approach. You can use this:

  IP 10.0.0.0 allow 0.31.255.255 10.19.0.0 0.0.255.255

  ip licensing 10.32.0.0 0.15.255.255 10.19.0.0 0.0.255.255

  This would allow 1 to 47 but not others.

  HTH

  Rick

• Where is the access list RESTful activate?

  Hello
  
  I am a report in my application as a RESTful web service. I am following this guide here: http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDDBGAI
  
  The instructions are:
  
  On the workspace home page, click Application Builder.
  
  Select an application.
  
  Application builder appears.
  
  Select the page that contains the report you want to activate.
  
  The definition of Page appears.
  
  Under regions, click the name of the region that contains the report that you want to enable.
  
  Under attributes, enter a value for the static field. This value is used to access the full report.
  
  In the RESTful access list enable, select Yes.
  
  Click on apply changes.
  
  .....................
  
  
  I don't know where I can get this "activate RESTful Access List", it's not in my attributes of the region or in my page attributes. Could someone kindly point out where I can get it?
  
  
  I use APEX 4.2
  
  See you soon.

  Hi William,.

  In the section of the documentation you mentioned, especially the section 'Activation RESTful access to a Region report' parent "Implementation of Web Services" section in chapter 17 of the Application Express user's Guide, you will see the following note:

  Note:
  Only option displays enable RESTful access list if RESTful access this Oracle Application Express instance has been activated, see "Access RESTful" in the Oracle Application Express Administration Guide.

  Can you please confirm if you have enabled access to your instance? If this isn't the case, you will need to do before you try to update your report parameters. I hope this helps.

  Kind regards
  Hilary

• access-list on router

  An access list has been configured on a router to block an IP address. Can can additional IPS added to the original access list at a later date?

  ex.

  (config) #access - list 5 deny 10.10.117.0 0.0.0.255

  (config) #access-list 5 permit one

  Can use us the access list 5 to block additional IP addresses or to create a new access list?

  of course, you can

  lets take this example

  R2 #sh - ip access lists

  IP access list 5 standard

  10 deny 10.10.117.0 0.0.0.255

  20 allow a

  You can do like

  R2 (config) #ip - 5 standard access list

  R2 (config-ext-nacl) #no 20 allowed any R2 (config-ext-nacl) #end

  then start putting the statements refuse you want

  as

  (config) #access - list 5 deny 10.10.118.0 0.0.0.255

  (config) #access - list 5 deny 10.10.119.0 0.0.0.255

  then put your license

  (config) #access-list 5 permit one

  Remember that without the permit, everything in the end something not permitted by the ACL will be denied because there is no default all refuse (implicit deny) at the end of each ACL

  If the permit all it will solve

  Good luck

  Please, if useful rates

• access-list on a 2500 series router

  Hello

  I want to deny traffic from a concrete what IP connected to the 2500 series router and I want to do it in the router. Is there enough adding a 'access-list 6 refuse 192.168.148.13' command to drop packets from that address or it is necessary to other statement?

  Thanks in advance.

  You must also use the ACL on the interface in which the traffic is delivered.

  Use "ip access-group in 6" on the interface.

  in specified packets entering this interface must be inspected.

• Access lists applied inbound VPN connections

  I try to configure access to homeland security lists, we have a multi site VPN services Terminal Server is the main traffic flowing on the VPN.

  102 of the ACL applies to cryptographic cards

  access-list 100 permit ip 10.1.5.0 255.255.255.0 10.1.6.0 255.255.255.0

  access-list 102 permit ip 10.1.5.0 255.255.255.0 10.1.6.0 255.255.255.0

  We need only allow traffic to domain connections and Terminal Server services only.

  I tried with no luck, remote clients lose the ability to auth against the domain controller.

  access-list 102 permit ip 10.1.5.20 host 10.1.6.0 255.255.255.0

  (DC also DNS and WINS)

  access-list 102 permit ip 10.1.5.21 host 10.1.6.0 255.255.255.0

  (DC secondary also DNS and WINS)

  access-list 102 permit ip 10.1.5.22 host 10.1.6.0 255.255.255.0

  (terminal server 1)

  access-list 102 permit ip 10.1.5.23 host 10.1.6.0 255.255.255.0

  (terminal server 2)

  access-list 102 permit ip 10.1.5.24 host 10.1.6.0 255.255.255.0

  (terminal server 3)

  If once they have connected to this topic, I've implemented these access lists it works very well, but once they log off and attempt to relog on, they are blocked. This leads me to believe there is more for field connections then meets the eye.

  Anyone have any suggestions for me? Everyone knows about this problem?

  Thanks in advance!

  Gregg

  Domain logon may require programming. It will probably be in the form of emissions e.g. directed 10.1.5.255. These emissions are going to spend your first list, but blocked by the second access list. To get around this, you can use assistance on the net 10.1.6.0 ip addresses. You can also add the following line to list 102:

  access-list 102 permit ip 10.1.5.255 host 10.1.6.0 255.255.255.0.

  Another thing to consider is to simplify your ACL 102. Small access lists provide better performance. In the given situation, the separate lines for 10.1.5.20 up to 10.1.5.23 IP addresses can be replaced by a oneliner: access-list 102 permit ip 10.1.5.20 255.255.255.252. Taking this one step further, you can even create a oneline for guests access list when you move the third server terminal server to the range of 16-19.

• Newbie question route-map/access-list

  I am quite new to the thing whole cisco here.  I'm very hesitant to make changes as I am not sure that I take down the entire network of 200%. (We are a very small company)

  We have a router cisco 1811 (yes I know its old)

  We now have a road map and I'm trying to understand it to make it work the way we want.  Basically, we have a few servers and we do not want some servers to use our cable internet connection, we want to use our T1.  Our T1 uses an ASA5505 as a router.  I don't know why, I know its not the best practice but I was just hired and that's all I have to say on this subject.  I am doing as a result.  Web traffic currently out our interface cable, everything, including the speed of transfer on speedtest.net out our T1.  This makes the bad, bad VoIP phone calls. We also have a tunnel punch in Q1 of our other offices as well as our server Exchange2010 using T1.   If our cable goes down, everything for the T1 (by design).  We have a long list of defined access our route map - use corresponding ip.  I want to change the access list to not allow local network IP addresses.  I know that if I put in a whole ip allow it break our network and nothing comes out of the T1 line, and no one can get to our mail server more.  So, I was thinking of adding some statements, but I was wondering if someone could help me with logic, so I know not if I will break the network.  I wouldn't pull the laminated cord and use the console.  (I really need get a USB serial interface).  Now, you understand a little more about my situation now for all numbers, etc.

  Network internal 90.0.0.0/24, 192.168.0.0/24 192.168.30.0/24, 172.20.0.0/16 (we use only 40 addresses, why they chose 16 is beyond me, stupid really)

  PTP VPN: 192.168.116.0/24 comes and goes out our T1.

  1811 router: 90.0.0.254/192.168.30.254/192.168.0.254

  ASA: 90.0.0.50

  !

  follow the accessibility of ALS 40 ip 40

  delay the decline 90 60

  !

  interface Vlan1

  Description * INTERFACE LAN 90.0.0.x network * $FW_INSIDE$

  IP 90.0.0.254 255.255.255.0

  IP nat inside

  IP virtual-reassembly

  IP tcp adjust-mss 1452

  route WEBPBR card intellectual property policy

  !

  interface Vlan10

  Description * INTERFACE LAN NET 192.168.0.x * $FW_INSIDE$

  IP 192.168.0.254 255.255.255.0

  IP nat inside

  IP helper 90.0.0.2

  IP virtual-reassembly

  route WEBPBR card intellectual property policy

  !

  ! Static routes

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0 90.0.0.50 track 20

  IP route 0.0.0.0 0.0.0.0 197.164.245.109 200

  IP route 8.8.8.8 255.255.255.255 197.164.245.109 permanent

  IP route 10.250.10.0 255.255.255.0 90.0.0.50 permanent

  IP route 172.20.0.0 255.255.0.0 90.0.0.50 permanent

  IP route 208.67.220.220 255.255.255.255 197.164.245.109 permanent

  WEBTRAFFIC extended IP access list
  deny ip any host 208.67.222.222
  deny ip any 172.20.0.0 0.0.255.255
  refuse the host tcp 90.0.0.2 any eq www
  refuse 90.0.0.14 tcp host any eq www
  refuse 90.0.0.235 tcp host any eq www
  refuse the host ip 192.168.0.40 everything
  deny ip any host 192.168.0.40
  refuse the host ip 192.168.0.41 all
  deny ip any host 192.168.0.41
  deny ip any host 192.168.0.221
  refuse the host ip 192.168.0.221 all
  refuse the host ip 192.168.0.225 all
  refuse 90.0.0.10 tcp host any eq www
  deny ip any host 192.168.0.225
  refuse 90.0.0.11 tcp host any eq www
  refuse 90.0.0.9 tcp host any eq www
  refuse 90.0.0.8 tcp host any eq www
  refuse 90.0.0.7 tcp host any eq www
  refuse 90.0.0.6 tcp host any eq www
  refuse the 90.0.0.1 tcp host any eq www
  refuse 90.0.0.13 tcp host any eq www
  refuse 90.0.0.200 tcp host any eq www
  permit tcp any any eq www
  allow the host ip 192.168.0.131 one
  allow the host ip 192.168.0.130 one
  allow the host ip 192.168.0.132 one
  allow the host ip 192.168.0.133 one
  allow the host ip 192.168.0.134 one
  allow the host ip 192.168.0.135 one
  allow the host ip 192.168.0.136 one
  allow the host ip 192.168.0.137 one
  allow the host ip 192.168.0.138 one
  allow the host ip 192.168.0.139 one
  allow the host ip 192.168.0.140 one
  allow the host ip 192.168.0.141 one
  allow the host ip 192.168.0.142 one
  allow the host ip 192.168.0.143 one
  allow the host ip 192.168.0.144 a
  allow the host ip 192.168.0.145 one
  allow the host ip 192.168.0.146 one
  allow the host ip 192.168.0.147 one
  allow the host ip 192.168.0.148 one
  allow the host ip 192.168.0.149 one
  allow the host ip 192.168.0.150 one
  allow the host ip 90.0.0.80 one
  allow the host ip 90.0.0.81 one
  allow the host ip 90.0.0.82 one
  allow the host ip 90.0.0.83 one
  allow the host ip 90.0.0.84 one
  allow the host ip 90.0.0.85 one
  allow the host ip 90.0.0.86 one
  allow the host ip 90.0.0.87 one
  allow the host ip 90.0.0.88 one
  allow the host ip 90.0.0.89 one
  allow the host ip 90.0.0.90 one
  allow the host ip 90.0.0.91 one
  allow the host ip 90.0.0.92 one
  allow the host ip 90.0.0.93 one
  allow the host ip 90.0.0.94 one
  allow the host ip 90.0.0.95 one
  refuse the host tcp 90.0.0.3 any eq www

  ALS IP 40

  208.67.220.220 ICMP echo source interface Vlan1

  Timeout 6000

  frequency 20

  ALS annex IP 40 life never start-time now

  allowed WEBPBR 2 route map

  corresponds to the IP WEBTRAFFIC

  set ip next-hop to check the availability of the 197.164.245.109 1 track 40

  That is how we have it set up right now.  If I put in a few lines above WEBTRAFFIC with:

  deny ip any 192.168.0.0 0.0.0.255

  deny ip any 90.0.0.0 0.0.0.255

  deny ip any 192.168.116.0 0.0.0.255

  !  Etc with all internal networks

  * And then put at the bottom:

  allow an ip

  who will ALL break so we can not communicate with anything?  Or is that what I did to do this, we get internal routing etc.?  Also, I guess I'd put in 15 IP addresses that are coming in the SAA as well?  (We have public IPS 14 (one for the T1 gateway) that would go as well?)  I don't want to try to put in those at the top and make sure no one can do anything.  I hope I made clear what I'm doing...

  Post edited by: Ryan Young

  I have not read this thread well enough to be able to talk to the intricacies of the issue whether this access will make what you want. But I can answer the specific question you are asking. Yes - the access list is top-down, transformed and if a few more top line in the access list matches, then treatment for this package will not get the license at the bottom of the access list.

  HTH

  Rick

• allow icmpv6 in ipv4-access list in the tunnel

  Hello

  I have a little problem with an access list ipv4 blocking my ipv6 tunnel.

  My tunnel works and is as follows:

  interface Tunnel0

  no ip address

  IPv6 address

  enable IPv6

  source of tunnel

  ipv6ip tunnel mode

  tunnel destination

  So when I apply the below, access list to the WAN interface on the sense IN, IPV6 stops working (everything works on IPV4 when the access list is applied). I mean, I cannot ping ipv6.google.com or ipv6.google.coms IP. I can still ping the IP ipv6 remote tunnel ().

  Access list that I apply is the following:

  allow tcp any a Workbench

  allowed UDP any eq field all

  allowed any EQ 67 udp no matter what eq 68

  allowed UDP any eq 123 everything

  allowed UDP any eq 3740 everything

  allowed UDP any eq 41 everything

  allowed UDP any eq 5072 everything

  allow icmp a whole

  deny ip any any newspaper

  Here are the requirements to the supplier of tunnel, and one of the entries is ICMPv6. Is it possible to allow icmp v6 on a Cisco access list?

  TCP 3874	TIC.sixxs.net	IPv4	ICT (Information Tunnel & Control Protocol)	Used to retrieve the information of tunnel (for instance AICCU)	Uses the TCP protocol and should work without problems
  UDP 3740	PoP	IPv4	Heartbeat Protocol	Used for signalling where is the endpoint current IPv4 of the tunnel and he's alive	the user only to pop out
  Protocol 41	PoP	IPv4	IPv6 over IPv4 (6 in 4 tunnel)	Used for tunneling IPv6 over IPv4 (static tunnels + heartbeat)	We have to appoint the internal host as the DMZ host that leaves usually passes the NAT
  UDP 5072	PoP	IPv4	AYIYA (anything in anything)	Used for tunneling IPv6 over IPv4 (AYIYA tunnels)	Must cross most NAT and even firewalls without any problem
  ICMPv6 echo response.	Tunnel endpoints	IPv6	Internet Control Message Protocol for IPv6	Used to test if a tunnel is alive in scathing tunnel endpoint (tunnel: 2) on the side PoP of the tunnel (tunnel: 1) on the tunnel	No, because it is happening inside the tunnel

  I missed something?

  sidequestion: I added the "deny ip any any newspaper" in the access list, but it adds no registration entry in the log (show log). I'm sure it hits because when I run "display lists access": 110 deny ip any any newspaper (2210 matches).

  Hope someone can help me.

  Hello

  In the ACL above you are atleast specifying source and destination UDP and 41 SOURCE ports

  If you specify IPv6 over an IPv4 ACL I guess that the format would be to "allow 41 a whole" for example.

  Although I have barely touched IPv6 myself yet. Wouldn't it be possible to configure ACL Ipv4 and IPv6 ACL and attach them to the same interface?

  But looking at my own router it does not support these commands so that other devices to make. Maybe something related model/software I guess.

  -Jouni

• bug in iOS? startup-config + command access-list + an invalid entry detected

  I posted this yesterday in the newsgroup usenet comp.dcom.sys.cisco and received no nibbles. If I did something incredibly stupid, please do not hesitate to advise.

  Cisco 827

  IOS (TM) C820 software (C820-K9OSY6-M), Version 12.2 (8) T5, RELEASE

  SOFTWARE (fc1)

  I'm looking to use a host named in a more extended access list. The

  script I copy startup-config contains the following entries:

  ! the 2 following lines appear at the top of the script

  123.123.123.123 IP name-server 123.123.123.124

  IP domain-lookup

  ! the following line appears at the bottom of the script

  120 allow host passports - 01.mx.aol.com one ip access-list

  When I reboot the router, I saw the following message:

  Translation of "passports - 01.mx.aol.com"... the domain server (255.255.255.255)

  120 allow host passports - 01.mx.aol.com one ip access-list

  ^

  Invalid entry % detected at ' ^' marker.

  It seems as if the entrance to the server name of the router is not processed

  prior to the access list. I can not even check with

  router02 access lists 120 #sh

  makes the access list entry * not * exist.

  But when I manually type the entry in the router I see the

  Next:

  router02 (config) #access - list 120 permits Passport - 01.mx.aol.com ip host

  any

  Translation of "passports - 01.mx.aol.com"... the domain server (123.123.123.123)

  [OK]

  and I can confirm its creation:

  router02 access lists 120 #sh

  Extend the 120 IP access list

  allow the host ip 64.12.137.89 one

  I have to do something incredibly stupid. If necessary I can post the whole startup-config, although it is quite long. (I don't know if the same label/common sense if apply here as apply to newsgroups usenet. i.e. post us actual ip addresses in our configs or must they be edited?)

  Any help is very appreciated.

  Hello

  Currently IOS does not use DNS - names in the ACL for the saved configuration / running.

  When you type in a list of access with a domain name we he looks up and replaces it with the IP address. I remember seeing a bug No. recently request this feature but I don't remember one bug id # now.

  Router (config) #access - list 187 ip allow any host www.cisco.com

  Router (config) #^ Z

  router #show run | 187 Inc

  IP access-list 187 allow any host 198.133.219.25

  router #show worm | split 12

  IOS (TM) C800 Software (C800-K9NOSY6-MW), Version 12.2 (13) T, RELEASE

• Access list does not work

  unbenannt.PNG

  

  I want that no package would leave f0/0 (R2).

  Here is my configuration:

  R1:

  !

  interface FastEthernet0/0

  IP 192.168.1.1 255.255.255.0

  !

  R2:

  !

  interface FastEthernet0/0

  IP 192.168.1.2 255.255.255.0

  IP access-group 101 out

  !

  access-list 101 deny ip any one

  !

  Given the configs shown in the original post R2 will be able to ping to R1 and I guess this (or something very similar) is what brings the original poster said that the ACL does not work.

  The problem here is that a list of access applied on an interface will not process the traffic generated by the router itself. The illustrious ACL will be very effective in preventing transit traffic (traffic that came from somewhere to R2 and must be DISPATCHED f0/0). But it will not work on the packages generated by R2.

  HTH

  Rick

• FWSM firewall context Access-List entry Limitation

  We have recently experienced an error on one of the firewall settings that it has reached the maximum access list entry. Anyone know what is the limit of the ACL entry by context or where can I find the documentaton for her. No work around to this issue? Thanks in advance.

  Hello

  This value changes depending on which version of the FWSM code you run - and Cisco gets not specific on how the FWSM calculates entered ACE to determine the number of entries you have on your own.

  If you run the command (syntax may be different in 3.x code):

  See the np 3 acl County property

  You get a result that looks like this:

  -CLS rule current account-

  CLS filter rule Count: 0

  CLS rule Fixup count: 11

  CLS is Ctl rule Count: 0

  CLS AAA rule count: 2187

  CLS is given rule Count: 0

  CLS Console rule count: 7

  Political CLS NAT rule Count: 0

  County of CLS ACL rule: 3491

  Add CLS uncommitted ACL: 0

  CLS ACL Del uncommitted: 0

  -CLS rule MAX - account

  CLS filter MAX: 3584

  CLS Fixup MAX: 32

  CLS is Ctl rule MAX: 716

  CLS is given rule MAX: 716

  AAA CLS MAX rule: 5017

  CLS Console rule MAX: 2150

  Political CLS NAT rule MAX: 3584

  CLS ACL rule MAX: 56627

  The counts are your real numbers, MAX is the maximum you can have. AAA rules are numbered for how As you can have applied altogether with your orders of "aaa game. For your question, it seems that you should check your 'CLS ACL rule Count' and 'CLS ACL rule MAX' and make sure you get not close to that number. If you are - try to limit the number of host entries (use the networks) where possible and try to use ranges of ports instead of individual ports in your access list statements.

  I'll try to find the syntax 7.x and post here later.

  -Jason

  Rate if this can help.