Switchport edge ACL, confused

So my question is: must an ACL define access to the gateway of the network?

Example: an ACL configured on an edge switchport on the 10.0.0.0/24 network.

The network gateway is 10.0.0.1

The network host is 10.0.0.200

The host should only have access to tcp/80 on 192.168.1.200.

Say the edge switchport ACL is:

ip access-list extended Edge_ACL
 permit tcp host 10.0.0.200 host 192.168.1.200 eq www
 deny ip any any log

The question is whether it has to look like this instead:

ip access-list extended Edge_ACL
 permit ip host 10.0.0.200 host 10.0.0.1
 permit tcp host 10.0.0.200 host 192.168.1.200 eq www
 deny ip any any log

Thank you

Chris

Chris

You managed to confuse me as well, and I just edited my previous answer because I was wrong.

You don't need to allow traffic to the gateway by default, because the gateway is never the destination IP address of the packet. So your first ACL would work. It would still block all other traffic, including traffic to other 10.0.0.x hosts, but it would allow traffic to the web server.

When the PC wants to talk to the web server, it ARPs for the MAC of the gateway address (or uses it if it's already in the ARP table), and then sends the packet with a destination IP address of the web server, which is allowed in your ACL. So there is no need to add the default gateway to the ACL.

My apologies for the misleading info; sometimes I even surprise myself with how stupid I can be.

Jon
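
To make Jon's point concrete, here is a small first-match evaluator for IOS-style extended ACLs. It is an added example written for this page, not code from the thread or from Cisco; the PORT_NAMES table is a subset I chose, and the sample packets are constructed. It parses the two ACL variants from the question and reports what the switch would decide for an HTTP request to the web server, a ping to the gateway, a DNS query to the gateway, and an SMB connection to a neighbour. The HTTP flow is permitted by the first ACL even though 10.0.0.1 appears nowhere in it, because the packet's destination IP is 192.168.1.200; the gateway line only matters for traffic addressed to the gateway itself, such as ping or DNS if the gateway also serves DNS. ARP is not IP and is never evaluated by an IP access list, so the host can still resolve the gateway MAC.

```python
import ipaddress

# Port names IOS accepts in place of numbers (subset, assumption for this example).
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68, "ftp": 21, "ssh": 22}


def _addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq PORT' qualifier. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in ("!", "ip", "remark"):
            continue  # header, comment or remark line
        action, proto = tok[0], tok[1]
        src, rest = _addr(tok[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)       # anything left (e.g. 'log') does not affect matching
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _covers(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wild = spec
    return (int(ipaddress.ip_address(addr)) & ~wild) == (base & ~wild)


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First match wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not _covers(rsrc, src) or not _covers(rdst, dst):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


EDGE_ACL = """
ip access-list extended Edge_ACL
 permit tcp host 10.0.0.200 host 192.168.1.200 eq www
 deny ip any any log
"""

EDGE_ACL_WITH_GATEWAY = """
ip access-list extended Edge_ACL
 permit ip host 10.0.0.200 host 10.0.0.1
 permit tcp host 10.0.0.200 host 192.168.1.200 eq www
 deny ip any any log
"""

# Constructed traffic from host 10.0.0.200 (not captured from a real network).
PACKETS = {
    "http_to_web":  ("tcp",  "10.0.0.200", "192.168.1.200", 40001, 80),
    "ping_gateway": ("icmp", "10.0.0.200", "10.0.0.1",      None,  None),
    "dns_to_gw":    ("udp",  "10.0.0.200", "10.0.0.1",      40002, 53),
    "smb_to_peer":  ("tcp",  "10.0.0.200", "10.0.0.50",     40003, 445),
}


def decisions(acl_text):
    """Decision for every sample packet under the given ACL text."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, proto, src, dst, sport, dport)
            for name, (proto, src, dst, sport, dport) in PACKETS.items()}


if __name__ == "__main__":
    for label, acl in (("first ACL", EDGE_ACL), ("with gateway line", EDGE_ACL_WITH_GATEWAY)):
        print(label, decisions(acl))
```

The practical side effect the thread does not spell out shows up in the `dns_to_gw` result: the first ACL permits nothing but the web flow, so if the host relies on the gateway (or anything else) for DNS or DHCP, those must be permitted explicitly or the browser will never get as far as the TCP connection.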

Tags: Cisco Network

Similar Questions

  • confusion of editing Adobe edge

I'm new to Adobe Edge. I used the Flash timeline a lot, but the Edge timeline really confuses me.

I started the timeline of the text 'the most beautiful child' at 0.01, but in the animation the text starts from the beginning.

See also the picture: my cursor is on the text timeline, but it shows the girl.

In fact Adobe Edge keeps everything in the timeline from 0 sec.

How do I solve this problem?

I want 1) the girl to be animated first, then the text to come in. But both come in at the same time,

    overlapping.jpg

You have a show/hide tool (the yellow diamond below):

    How to use ==> timelineShowHide.zip - Box

  • Interpretation confusion of ACL / outbound router...

    I am just finishing my CCNA4 semester, trying to do my best on our final class project, but I have problems understanding a simple fact about ACLs...

    OK, so first of all, I want to deny everything except HTTP traffic (80) into my network, so I can make an extended ACL along the lines of "access-list 101 permit tcp any host 172.1.1.1 eq 80" then "access-list 101 deny ip any any", right? This allows port 80 traffic to the HTTP server and prevents any other inbound traffic. Now the part that I don't seem to understand is: any traffic coming from my network will be blocked on its way back to the router, wouldn't it?

    Hello

    Extended access lists are not stateful.

    A stateful filter records the details of connections passing through it and saves them in a state table. Traffic that comes back through the router is checked against the state table and allowed through if it has a match.

    Reflexive lists are stateful and CBAC is dynamic; you can use them for filtering TCP and UDP connections.

    In your scenario, you are correct in your statement about the established keyword; you will need to allow return TCP traffic.

    If you need more flexibility than that, take a look at reflexive access lists. They are not that hard to set up, and the following link should explain many of your questions:

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c3.html#1000942

    HTH

    Paddy
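
The difference between the `established` keyword and a reflexive list is easiest to see on a couple of packets. The following is an added example, not code from the thread or from Cisco: `matches_established` checks what the keyword checks (only the ACK/RST bits), and `ReflexiveFilter` models the state table a reflexive ACL keeps. The addresses (172.16.1.0/24 inside, 203.0.113.5 and 198.51.100.9 outside) and the timeout are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})


def matches_established(seg):
    """What the IOS 'established' keyword checks: only that ACK or RST is set in the
    segment. It keeps no state, so a forged segment with ACK set passes too."""
    return bool(seg.flags & {"ACK", "RST"})


class ReflexiveFilter:
    """Model of a reflexive access list: outbound sessions from the inside network create a
    mirrored, temporary entry; an inbound segment is permitted only while a matching entry is live."""

    def __init__(self, inside_net, timeout=300):
        self.inside = ipaddress.ip_network(inside_net)
        self.timeout = timeout
        self.table = {}  # (remote_ip, remote_port, local_ip, local_port) -> expiry time

    def outbound(self, seg, now):
        if ipaddress.ip_address(seg.src) not in self.inside:
            return False
        self.table[(seg.dst, seg.dport, seg.src, seg.sport)] = now + self.timeout
        return True

    def inbound(self, seg, now):
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        expiry = self.table.get(key)
        if expiry is None or now > expiry:
            self.table.pop(key, None)   # no session, or it idled out
            return False
        if "RST" in seg.flags:          # a reset tears the entry down immediately
            del self.table[key]
        else:                           # traffic keeps the entry alive
            self.table[key] = now + self.timeout
        return True


def compare(timeout=300):
    """Constructed scenario: an inside client opens a session to an outside web server, the server
    replies, and an attacker later forges an ACK toward an inside SMB port."""
    rf = ReflexiveFilter("172.16.1.0/24", timeout)
    client_syn = Segment("172.16.1.10", 51000, "203.0.113.5", 80, frozenset({"SYN"}))
    server_synack = Segment("203.0.113.5", 80, "172.16.1.10", 51000, frozenset({"SYN", "ACK"}))
    forged_ack = Segment("198.51.100.9", 1234, "172.16.1.20", 445, frozenset({"ACK"}))

    rf.outbound(client_syn, now=0)
    return {
        "reply_established": matches_established(server_synack),
        "reply_reflexive": rf.inbound(server_synack, now=1),
        "forged_established": matches_established(forged_ack),
        "forged_reflexive": rf.inbound(forged_ack, now=2),
        "reply_after_timeout": rf.inbound(server_synack, now=timeout + 2),
    }


if __name__ == "__main__":
    print(compare())
```

Both mechanisms let the genuine SYN/ACK back in; only the stateful one rejects the forged ACK, which is the reason `established` is a convenience for the CCNA lab rather than a substitute for a stateful filter.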

  • Edge Reflow Installation Confusion

    I have a working version of Reflow, but the Creative Cloud app wants to install a new version (not the application itself). When I click the Install button in the Creative Cloud installer, I get the following error:

    Exit code: 7

    Please see specific errors below for troubleshooting. For example, the ERROR:

    -------------------------------------- Summary --------------------------------------

    - 0 fatal error(s), 3 error(s)

    - Payload: Edge Reflow 1.0.0.0 Edge_Reflow_preview_7_LREF.msi_1.0

    ERROR: 'Generator' is not a valid short file name.

    ERROR: Install payload MSI failed with the error: - 1603 Fatal error during installation.

    MSI error message: 'Generator' is not a valid short file name.

    ERROR: installer of third party Edge_Reflow_preview_7_LREF.msi payload failed with exit code: 1603

    -------------------------------------------------------------------------------------

    Creative Cloud.jpgReflow.jpg

    Also, when I try to uninstall, I get:

    Generator.jpg

    My graphics card is a NVIDIA Quadro FX 570 and system configuration is:

    system.jpg

    Any advice?

    Can you try again with the new version of Reflow? Perhaps the new installer will help fix the problems with the old one.

    Chris

  • Some dropdown menus drop on the left edge of the page instead of under the main menu

    Some drop-down menus drop down at the left edge of the page instead of under the main menu.
    This does not happen on all web sites. Very confusing.

    Yes, I see the same thing with Firefox 21 with the menu container.

    It works fine for me with the Firefox 22 beta and later; it's broken in the current Firefox 21.

    You can consider making a custom install of the Firefox 22 beta, or wait a few weeks until Firefox 22 is released.

    You will need to create a new profile for the beta version, so do not launch Firefox right after installing the beta.

    See:

  • VLAN ACL M4100

    Dear Sir

    We want to create an access list to isolate our guest Wi-Fi network from all the other VLANs.
    When I do, our laptops disappear from the other SSID.

    I applied the access list to our guest SVI, direction in:

    !System Description "M4100-24G-POE+ ProSafe 24-port Gigabit L2+ Managed Switch with PoE+, 10.0.2.13, B1.0.1.1"
    !System Software Version "10.0.2.13"
    !System Up Time "28 days 22 hrs 39 mins 58 secs"
    !Additional Packages QOS,IPv6,Routing
    !Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
    !
    vlan database
    vlan 99,200-208,455-456,999
    vlan name 99 "TEST"
    vlan name 200 "Clients"
    vlan name 201 "Telefonie"
    vlan name 202 "Guest"
    vlan name 203 "fr"
    vlan name 204 "TD"
    vlan name 205 "DMZ"
    vlan name 206 "Printers"
    vlan name 207 "Media"
    vlan name 208 "Wireless"
    vlan name 999 "3com"
    vlan routing 1 1
    vlan routing 200 2
    vlan routing 201 3
    vlan routing 202 4
    vlan routing 203 5
    vlan routing 204 6
    vlan routing 205 7
    vlan routing 206 8
    vlan routing 207 9
    vlan routing 208 10
    vlan routing 455 11
    vlan routing 456 12
    vlan routing 99 13
    exit

    network mgmt_vlan 203
    ip http secure-server
    configure
    time-range
    ip default-gateway 10.253.255.1
    username "admin" password 483f42190380e8780a9d32a3c63d31b86d6ad49b870db8306af86a9ce3e06cd9a39f66e666e86f0aaab777b0ab9fe571908247c31d904463d1a0767400f8e763 level 15 encrypted
    username "secit" password 912ba98d721224814ea15db6dec1701819e75dfcafa635831e9eab148c105c20ba85dc61882dd47a65eb66dff6cf0005a1a2232b6957ec898cd6187c6bdbb510 level 15 encrypted
    line console
    exit

    line telnet
    exit

    line ssh
    exit

    spanning-tree bpduguard

    !

    ip access-list ACL_Wizard_IPv4_0
    exit

    ip access-list Deny_Guest_Intervlan_Routing
    deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.4.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.5.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.6.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.7.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.8.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.9.0 0.0.0.255
    deny ip 10.253.2.0 0.0.0.255 10.253.11.0 0.0.0.255
    permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
    exit

    class-map match-all ClassVoiceVLAN ipv4
    match vlan 201
    exit

    policy-map PolicyVoiceVLAN in
    class ClassVoiceVLAN
    assign-queue 3
    exit

    exit

    interface 0/1
    description "ACCESSPORTS"
    vlan participation include 200-201
    vlan tagging 201
    exit

    interface 0/2
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 1000000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/3
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201,204
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/4
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/5
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 1000000
    vlan pvid 99
    vlan participation include 99,200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/6
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/7
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    description "ACCESSPORTS"
    vlan pvid 203
    vlan participation include 200-201
    vlan tagging 201
    exit

    interface 0/8
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/9
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/10
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/11
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/12
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/13
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation auto 1
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/14
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation auto 1
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/15
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation auto 1
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/16
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 202
    vlan participation auto 1
    vlan participation include 201-202
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/17
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 200
    vlan participation include 200-201
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/18
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 203
    vlan participation include 200-201,203
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/19
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 206
    vlan participation auto 1
    vlan participation include 201,206
    vlan tagging 201
    ip mtu 1500
    exit

    interface 0/20
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 999
    vlan participation include 200-201,204-207,455-456,999
    vlan tagging 200-201,204-207,455-456
    ip mtu 1500
    exit

    interface 0/21
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    vlan pvid 455
    vlan participation auto 1
    vlan participation include 200-204,455-456
    vlan tagging 200-204
    ip mtu 1500
    exit

    interface 0/22
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    switchport mode trunk
    switchport trunk native vlan 456
    vlan pvid 456
    vlan participation auto 1
    vlan participation include 200-204,456
    vlan tagging 200-204
    ip mtu 1500
    exit

    interface 0/23
    voice vlan 201
    service-policy in PolicyVoiceVLAN
    bandwidth 100000
    switchport mode trunk
    switchport trunk native vlan 456
    vlan pvid 456
    vlan participation include 200-204,456
    vlan tagging 200-204
    ip mtu 1500
    exit

    interface 0/24
    bandwidth 100000
    switchport mode trunk
    switchport trunk native vlan 999
    vlan pvid 999
    vlan participation include 200-208,455-456,999
    vlan tagging 200-207,455-456
    ip mtu 1500
    exit

    interface vlan 1
    routing
    ip address dhcp
    exit

    interface vlan 200
    routing
    ip address 10.253.0.1 255.255.255.0
    exit

    interface vlan 201
    routing
    ip address 10.253.1.1 255.255.255.0
    exit

    interface vlan 202
    routing
    ip address 10.253.2.1 255.255.255.0
    ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
    exit

    interface vlan 203
    routing
    ip address 10.253.3.1 255.255.255.0
    exit

    interface vlan 204
    routing
    ip address 10.253.4.1 255.255.255.0
    exit

    interface vlan 205
    routing
    ip address 10.253.5.1 255.255.255.0
    exit

    interface vlan 206
    routing
    ip address 10.253.6.1 255.255.255.0
    exit

    interface vlan 207
    routing
    ip address 10.253.7.1 255.255.255.0
    exit

    interface vlan 208
    routing
    ip address 10.253.8.1 255.255.255.0
    exit

    interface vlan 455
    routing
    ip address 10.253.255.2 255.255.255.0
    exit

    interface vlan 456
    routing
    ip address 10.253.11.1 255.255.255.0
    exit

    interface vlan 99
    routing
    ip address 10.253.9.1 255.255.255.0
    exit

    ip management vlan 203
    service dhcp
    ip dhcp pool "Telefonie"
    lease 7 0 0
    dns-server 8.8.8.8 8.8.4.4
    default-router 10.253.1.1
    network 10.253.1.0 255.255.255.0
    domain-name secit.be
    netbios-node-type b-node
    exit

    ip dhcp pool "guest"
    lease 0 12 0
    dns-server 8.8.8.8 8.8.4.4
    default-router 10.253.2.1
    network 10.253.2.0 255.255.255.0
    domain-name secit-guest.be
    netbios-node-type b-node
    exit

    ip dhcp pool "media"
    lease 0 12 0
    dns-server 10.253.3.2 8.8.4.4
    default-router 10.253.7.1
    network 10.253.7.0 255.255.255.0
    domain-name secit-media.be
    netbios-node-type b-node
    exit

    ip dhcp pool "TD"
    lease 0 14 0
    dns-server 10.253.3.2 8.8.4.4
    default-router 10.253.4.1
    network 10.253.4.0 255.255.255.0
    domain-name secit-td.be
    netbios-node-type b-node
    exit

    ip dhcp pool "internal"
    lease 7 0 0
    dns-server 10.253.3.2
    default-router 10.253.0.1
    network 10.253.0.0 255.255.255.0
    domain-name fixitsolutions.local
    netbios-node-type b-node
    exit

    exit

    Maybe it's the DHCP packet filtering.

    To troubleshoot, try adding a rule to allow DHCP packets.

    Example (this is obviously NOT the exact rule to permit only DHCP packets, just a simple rule for the test):

    ip access-list Deny_Guest_Intervlan_Routing
    permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
    permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
    deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
    permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
    exit

    If this ACL works (you can get a DHCP address), then you will need to write the ACL properly, something like this (this is just an example):

    ip access-list Deny_Guest_Intervlan_Routing
    ! DHCPDISCOVER
    permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
    ! DHCPOFFER
    permit udp 0.0.0.0 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
    ! DHCPINFORM
    permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
    ! DHCPACK
    permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
    ! Internal traffic
    deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
    ! Internet traffic
    permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
    exit
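
The reason the original ACL breaks DHCP is visible in the packet headers: a client that has no lease yet sends DHCPDISCOVER from 0.0.0.0:68 to 255.255.255.255:67, so none of the per-subnet `deny` lines match it and the final `permit ip 10.253.2.0 ... ` never sees it either, because the source is not in 10.253.2.0/24. The following is an added example, not the answerer's or Netgear's code: it builds a guest-isolation ACL as data, renders it in the `network wildcard [eq port]` form the M4100 CLI uses, and checks the client side of the DHCP exchange plus two non-DHCP flows against it. It assumes, as the posted config shows, that the SVI 10.253.2.1 is both the guest gateway and the DHCP server, and that an ACL applied `in` on the SVI only sees packets entering the switch from VLAN 202 (server replies leave the SVI outbound, so they are not listed; add the mirrored 67-to-68 lines if your platform checks those too). It also replaces the per-subnet deny list with one 10.253.0.0/16 summary, which additionally covers 10.253.10.0/24 and the 10.253.255.0/24 uplink subnet that the posted list leaves open.

```python
import ipaddress

GUEST = ipaddress.ip_network("10.253.2.0/24")        # VLAN 202, from the posted config
GUEST_GATEWAY = ipaddress.ip_address("10.253.2.1")   # the SVI, also the DHCP server here
INTERNAL = ipaddress.ip_network("10.253.0.0/16")     # one summary for every other 10.253.x.0/24 SVI
ANY = ipaddress.ip_network("0.0.0.0/0")


def guest_isolation_acl():
    """Rules as (action, proto, src_net, src_port, dst_net, dst_port); first match wins and there
    is an implicit deny at the end. A port of None means 'any port'."""
    unspecified = ipaddress.ip_network("0.0.0.0/32")
    broadcast = ipaddress.ip_network("255.255.255.255/32")
    gateway = ipaddress.ip_network(f"{GUEST_GATEWAY}/32")
    return [
        # DHCPDISCOVER/REQUEST from a client with no address yet; per-subnet rules never match it
        ("permit", "udp", unspecified, 68, broadcast, 67),
        # DHCPREQUEST (renew) and DHCPINFORM from an addressed client, unicast to the server
        ("permit", "udp", GUEST, 68, gateway, 67),
        # keep guests off every other internal subnet, including ones added later
        ("deny", "ip", GUEST, None, INTERNAL, None),
        # everything else (the internet) is allowed
        ("permit", "ip", GUEST, None, ANY, None),
    ]


def render(rules):
    """Rules in the 'network wildcard [eq port]' form the M4100 CLI accepts."""
    lines = []
    for action, proto, src, sport, dst, dport in rules:
        line = f"{action} {proto} {src.network_address} {src.hostmask}"
        line += f" eq {sport}" if sport else ""
        line += f" {dst.network_address} {dst.hostmask}"
        line += f" eq {dport}" if dport else ""
        lines.append(line)
    return lines


def decide(rules, proto, src, sport, dst, dport):
    """First-match decision for one packet entering the switch from VLAN 202."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


def check():
    """Constructed packets: the client side of the DHCP exchange plus non-DHCP flows."""
    rules = guest_isolation_acl()
    return {
        "dhcp_discover": decide(rules, "udp", "0.0.0.0", 68, "255.255.255.255", 67),
        "dhcp_renew":    decide(rules, "udp", "10.253.2.50", 68, "10.253.2.1", 67),
        "smb_to_lan":    decide(rules, "tcp", "10.253.2.50", 40000, "10.253.0.10", 445),
        "ssh_to_core":   decide(rules, "tcp", "10.253.2.50", 40001, "10.253.255.1", 22),
        "dns_internet":  decide(rules, "udp", "10.253.2.50", 40002, "8.8.8.8", 53),
    }


if __name__ == "__main__":
    print("\n".join(render(guest_isolation_acl())))
    print(check())
```

Because the guest pool hands out 8.8.8.8 and 8.8.4.4 as resolvers, the summary deny does not break DNS for guests; if a pool pointed at the internal 10.253.3.2 resolver, a `permit udp ... eq 53` to that host would have to precede the deny.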

  • Impossible to get SATA 3 speed on Edge 15 laptop (0301-JDU)

    Hello

    I have an Edge 15 model 0301-JDU that I've upgraded with a Crucial M500 SSD. The drive can do SATA 3, but CrystalDiskInfo shows that it runs only at SATA 2 (SATA/300). The laptop has the latest BIOS version (2.05) and the Intel SATA AHCI Controller driver (9.5.7.1002).

    According to Lenovo's specifications, this machine has a Mobile Intel HM55 Express Chipset which should have SATA 3. The original Hitachi hard disk is also a SATA 3 drive, which corresponds to the Lenovo technical data sheet.

    How can I get the SSD to work at SATA 3 speeds?

    Thank you

    Mark

    Yes, the SATA generation naming convention can confuse a lot of people.

    I'm glad that the confusion is cleared up. The Edge E420 was the first to use SATA III (6 Gbps).

  • Edge 14 WiFi card replacement

    I have an Edge 14 I want to upgrade the WiFi card in, to one that supports wireless display. The 'official' list has the Intel Centrino Advanced-N 6200 as an option, but looking around I see a lot of these cards with "not for IBM/Lenovo" in the details. Is there a better card I can buy somewhere? Being legally blind, I'd love to hook this up to my 39" TV, preferably without the need for cables. But apparently you can't just drop in any card, for some weird reason. Any suggestions would be appreciated. Thank you

    This can be marked as resolved.

    The documentation on Lenovo's site lumps all the Edge 14s together, Intel and AMD, and the list of supported models is confusing. It turns out that this card is in fact NOT compatible with the 0199 sub-model, and the fact that 'WiDi' drivers are listed for the Edge 14 further adds to the confusion.

    Lenovo, stop smoking! Only show information relevant to the machine type, otherwise people waste money on things that are not compatible; or at least make the information clearer. Thank you.

  • Conexant Audio driver error on Edge 13 in Windows 7

    Hello...

    I get an error message when trying to install the Conexant Audio driver in Windows 7.

    The error message goes like this:

    "Driver Installation Failed: could not find the MEDIA device for this driver."

    I was a little confused because I downloaded the driver from the Lenovo support site. So how come it doesn't work?

    Does someone have the same problem as I do? Or can someone help me?

    Thank you.

    * Currently, at least I can hear the sound output of my Edge 13, but I have a problem with the microphone, because I can't record or have voice chat online for now.

    In any case, the driver installation package is for Conexant HD SmartAudio 20582.

    Supported operating system: Microsoft Windows 7 32-bit, 64 - bit.

    My edge 13 Specifications:

    Type: 0217-28A

    Processor: Intel(R) Core i3

    Memory (RAM): 2.00 GHz

    System: Windows 7 Pro 32-bit

    Hello mate,

    Try uninstalling the driver before installing a new from here: http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-76131

  • 2 VLAN ACL, what am I missing

    Thanks for reading.
    
    This topology consists of one 6224 and two 2824 PowerConnect switches.
    
    Right now, we're looking to build two routed VLANs, sharing a small range of IPs on VLAN 20.
    
    We also want to route out to the internet for both nets. Do I need a third VLAN for that?
    
    Presumably one for each actual route out, I would think.
    
    I've entered the following commands into the 6224.
    
    - -
    
    conf
    vlan database
    vlan 10
    vlan 20
    exit
    interface vlan 10
    ip address 192.168.1.1 /24
    ip access-group 'BUSINESS'
    name SALES
    routing
    exit
    interface vlan 20
    ip address 172.16.1.1 /24
    ip access-group 'SALES'
    name BUSINESS
    routing
    exit
    ip access-list SALES permit ip 192.168.1.0 0.0.0.255 any
    ip access-list SALES permit ip 172.16.1.0 0.0.0.255 any
    ip access-list BUSINESS permit ip 172.16.1.204 0.0.0.7 any
    ip access-list BUSINESS permit ip 192.168.1.0 0.0.0.255 any
    interface range 1/g9-1/g16      ---these are untagged in both Vlan 1 and vlan 10
    switchport mode access          ---each has a PVID of 1 in both Vlans??
    switchport access vlan 10
    exit
    interface range 1/g17-1/g24     ---these are untagged in vlan 20
    switchport mode access          ---PVID of 1 or 20, neither changes anything
    switchport access vlan 20
    exit
    ip routing
    
    - -
    
    From VLAN 10 on the 6224 , all addresses in VLAN 10 and 20 can be pinged.
    
    From VLAN 20 on the 6224 all addresses in VLAN 10 and 20 can be pinged,
    
    2824-1 is connected via its port 24, (a member of vlan 20 in switchport mode access)
    
    to port 24 on the 6224.
    
    Port 1/g23 on 2824-1 is connected to a host at 172.16.1.240. That host can ping nothing beyond 172.16.1.1. But if I plug both the switch uplink and the host into a Cisco 3524XL at factory defaults, I can ping everything on the 172.16.1.0/24 subnet right across the uplink. I'd like at least to get help on what the issue is with the pings from the 2824.
    
    The ACLs aren't actually in play but they are intended as part of the config.
    
    thanks in advance for your help.
    

    I think you're on the right track; leave configuring the ACLs for now. Once we have connectivity, then add them in.

    For the connections between the two switches, use trunk/general mode instead of access mode.

    If the 6224 performs the routing and connects to your external connection, then that connection should have its own dedicated VLAN. The 6224 would also need a static route in place to direct traffic out.

    Here's a post with some info to look over.

    en.Community.Dell.com/.../19506015.aspx

    Keep us updated.

    Thank you

  • Command switchport mode access

    Hello

    I was curious about the switchport mode access command and its interoperability with the switchport voice vlan command.

    If I set up a switchport with the switchport mode access command, will that make it impossible for the switchport to create the special-case trunk with the IP phone? Even if I set up switchport voice vlan?

    And if so, should the port be configured as switchport mode dynamic auto? Or desirable?

    Thank you, Pat

    Pat, you can configure a port as an access port, add the voice vlan configuration, and connect a phone and another device. The trunk will form. With "voice vlan" Cisco obscures the fact that a trunk forms. I don't necessarily agree with this strategy, and it wasn't always this way. I remember configuring phones on a 3500XL, and the ports were configured as trunks.

    You made me think, so I issued a few commands on a WS-C3560V2-48PS-S running IOS 12.2(58)SE2 which has 12 phones connected to it.

    Here is the config for a port that has a connected phone:

    Switch#sho run int f0/2

    Building configuration...

    Current configuration : 475 bytes
    !
    interface FastEthernet0/2
     switchport access vlan 11
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 11
     switchport trunk allowed vlan 2,10-19
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 12
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     no mdix auto
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    If I show the trunk status for an individual port, IOS recognizes that the port with the attached telephone is actually a trunk:

    Switch#sho int f0/2 trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/2       off          802.1q         not-trunking  11

    Port        Vlans allowed on trunk
    Fa0/2       11-12

    Port        Vlans allowed and active in management domain
    Fa0/2       11-12

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/2       11-12

    However, if I do a "sho int trunk" to display all the trunk ports on the switch, IOS does not include the telephone ports in the output.

    Switch#sho int trunk

    Port        Mode         Encapsulation  Status        Native vlan
    Fa0/45      on           802.1q         trunking      12
    Fa0/46      on           802.1q         trunking      12
    Gi0/1       on           802.1q         trunking      11
    Gi0/2       on           802.1q         trunking      11

    Port        Vlans allowed on trunk
    Fa0/45      2,10-19
    Fa0/46      2,10-19
    Gi0/1       2,10-19
    Gi0/2       2,10-19

    Port        Vlans allowed and active in management domain
    Fa0/45      2,11-13,16-17
    Fa0/46      2,11-13,16-17
    Gi0/1       2,11-13,16-17
    Gi0/2       2,11-13,16-17

    Port        Vlans in spanning tree forwarding state and not pruned
    Fa0/45      2,11-13,16-17
    Fa0/46      2,11-13,16-17
    Gi0/1       2,11-13,16-17
    Gi0/2       2,11-13,16-17

    So on the one hand IOS says "Yes, it is a trunk" and on the other hand it says "Nope, no trunks here!" Also notice that 'spanning-tree portfast' is configured on f0/2, not 'spanning-tree portfast trunk'. PortFast is still active on this port.

    Switch#sho span int f0/2 portfast

    VLAN0011            enabled
    VLAN0012            enabled

    Conversely, on port 45 we have a VG-224 connected, and it is configured with "switchport mode trunk" and "spanning-tree portfast trunk". If I change that to just "spanning-tree portfast" we see this:

    Switch#sho span int f0/45 portfast

    VLAN0002            disabled
    VLAN0011            disabled
    VLAN0012            disabled
    VLAN0013            disabled
    VLAN0016            disabled
    VLAN0017            disabled

    Cisco has confused the issue here. I would prefer if we called a trunk, a trunk, but for some reason, they do not.

    Cheers,

    -Jeff

    ---

    Posted by WebUser Jeff Davis from Cisco Support Community App

  • A basic ACL question

    I have a few ACL questions. I'm not clear on the source address and the destination address in the following cases.

    Case 1

    My WAN1 IP is 1.1.1.1, my FTP server is 192.168.1.2 port 23

    If I access FTP from the internet using ftp://1.1.1.1:23, what are the source and destination IPs of my ACL? Is 1.1.1.1 the source? Is the destination 192.168.1.2? Or any?

    Internet - (outside 1.1.1.1) ASA (inside 192.168.1.1) - FTP (192.168.1.2)

    Case 2

    My WAN1 is still 1.1.1.1 and FTP is 192.168.1.2 port 23

    If I use ftp://1.1.1.1:8023 for internet FTP access, what are the ACL source and destination IP addresses?

    I tested both cases with source = any and destination = any, and everything is OK.

    But I'm confused. I still think the source address is the WAN1 IP.

    Hello

    You access the FTP server from the Internet, and most likely you won't know what IP address you will be sourcing from. In this case, your source IP address will be any. If you know the IP address on the Internet that will access your FTP server, then you specify it as the source. Your access list will be as follows:

    access-list 100 extended permit tcp any host 1.1.1.1 eq 21

    access-list 100 extended permit tcp any host 1.1.1.1 eq 20

    or

    access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 21

    access-list 100 extended permit tcp x.x.x.x y.y.y.y host 1.1.1.1 eq 20

    (if you know the network or host that will have FTP access)

    You must also make sure that you have configured static NAT and inspection for the traffic to your FTP server.

    Thank you

    John

  • ASA ACL question

    I'm new to the ASA and am trying to understand something with ACLs. I understand about creating them and adding entries, and that all entries of one ACL should have the same name, but I'm confused about ACLs that do not have the same name as those already applied on a device, or that may be named differently.

    For example:

    access-list Corporate1 permit tcp any any eq www

    access-list Corporate1 permit tcp any any eq https

    access-list Inside_Out permit ip any any

    access-group Coprorate1 in interface outside

    Ignoring the content for the moment, I have 2 ACLs: one with 2 entries and one with a single entry. The Corporate1 ACL is applied to the interface and is active. I get this part... My question is: is the Inside_Out ACL automatically grouped in with the other ACL and activated as well, or is it safe to say it is not active and can be removed without causing damage? Does the access-group only activate the ACL with the same name, Corporate1?

    I have 2 different people telling me two different things. I'm lost on this one, any help would be greatly appreciated.

    -Jon

    Working with ACLs always involves two steps:

    1. You configure the ACL (with possibly multiple lines, but the same name).
    2. You assign the ACL to a function. That might be filtering on an interface with the access-group command, but it is not limited to that; an ACL can be used in several places where the ASA needs to match traffic.

    If you did both 1) and 2), then the ACL is active and in use. If you have only configured the ACL but never assigned it to a function, then the ACL is not active and can be removed.

    In your example:

    If you find the ACL 'Inside_Out' but you don't know whether the ACL is used, then do a

     sh run | inc Inside_Out

    If the output shows only the ACL lines, it is unused and can be removed.

     clear configure access-list Inside_Out

    Or, if it is not used but should be used, then apply the ACL for the desired purpose.
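
The `sh run | inc NAME` check scales badly once a firewall has dozens of ACLs, and it misses the opposite mistake: an `access-group` that names an ACL which does not exist (the `Coprorate1` spelling in the posted access-group line would be exactly that). Here is an added example, not code from the thread or from Cisco, that reads a saved running-config and reports ACLs that are defined but never assigned to a function, and names that are referenced but never defined. The list of reference forms is an assumption for the example and is not exhaustive; the sample config is constructed to mirror the post.

```python
import re

# Ways an ASA configuration references an access-list by name. This list is an assumption for
# the example and is not exhaustive; extend it before relying on it for a real cleanup.
REFERENCE_PATTERNS = [
    re.compile(r"^access-group (\S+) "),
    re.compile(r"^\s*match access-list (\S+)"),
    re.compile(r"^\s*split-tunnel-network-list value (\S+)"),
    re.compile(r"^\s*vpn-filter value (\S+)"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    re.compile(r"^(?:nat|static) \(.*?\) .*?access-list (\S+)"),   # pre-8.3 policy NAT
]
DEFINITION = re.compile(r"^access-list (\S+) ")
GLOBAL_SETTINGS = {"alert-interval", "deny-flow-max"}  # 'access-list' lines that define no ACL


def acl_usage(config):
    """Return which ACLs are defined, which are never assigned to a function, and which names
    are referenced but never defined (typically typos)."""
    defined, referenced = {}, {}
    for line in config.splitlines():
        m = DEFINITION.match(line)
        if m and m.group(1) not in GLOBAL_SETTINGS:
            defined[m.group(1)] = defined.get(m.group(1), 0) + 1
            continue
        for pat in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m:
                referenced.setdefault(m.group(1), []).append(line.strip())
                break
    return {
        "defined": defined,
        "unused": sorted(n for n in defined if n not in referenced),
        "dangling": sorted(n for n in referenced if n not in defined),
    }


# Constructed running-config excerpt modelled on the post (not a real device's config).
SAMPLE_CONFIG = """\
access-list Corporate1 extended permit tcp any any eq www
access-list Corporate1 extended permit tcp any any eq https
access-list Inside_Out extended permit ip any any
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
access-group Corporate1 in interface outside
group-policy RA attributes
 split-tunnel-network-list value SPLIT
"""


if __name__ == "__main__":
    print(acl_usage(SAMPLE_CONFIG))
    # With the misspelled access-group, Corporate1 becomes unused and the typo dangles.
    print(acl_usage(SAMPLE_CONFIG.replace("access-group Corporate1", "access-group Coprorate1")))
```

An unused ACL is harmless to the packet path, but a dangling reference is the more dangerous finding: the interface has an access-group pointing at nothing, which on an ASA means the intended filter is simply not there.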

  • Please explain the sense of source and destination in an SVI ACL

    Hi, I have a home network up and running well that uses a Cisco 1801.

    I'm just trying to increase my understanding of some of the config, and I'm confused by an ACL on a VLAN interface.

    OK, so I "am the router" and imagine packets flowing to me and from me.

    I have two VLANs configured

    VLAN 10 - 10.10.10.0/25

    VLAN 20 - 10.10.10.128/27

    So, for example, one of my virtual machines has the address 10.10.10.6 and is on VLAN 10.

    Another has the address 10.10.10.134 and is on VLAN 20.

    I want to allow 10.10.10.6 access to 10.10.10.134, but keep the other VLAN 10 devices out.

    So I create an ACL and apply it to interface Vlan 20 inbound.

    The configuration below works as I want, but I don't understand why.

    If packet filtering is for the inbound direction of the interface, then my logic would say that the source address in the packet filter should be 10.10.10.6, not 10.10.10.134.

    Can someone help me understand. Thank you.

    interface Vlan20
     ip access-group ACL-INBOUND in
    !
    ip access-list extended ACL-INBOUND
     permit ip host 10.10.10.134 host 10.10.10.6 log-input

    Essentially, a vlan SVI is no different from a physical interface with respect to an acl.

    applying an acl inbound on the SVI controls traffic from devices in that vlan

    applying an acl outbound on the SVI controls traffic to devices in that vlan

    I want to allow 10.10.10.6 access to 10.10.10.134, but keep the other VLAN 10 devices from accessing it.

    access-list 101 permit ip host 10.10.10.6 host 10.10.10.134
    access-list 101 deny ip 10.10.10.0 0.0.0.127 host 10.10.10.134
    access-list 101 permit ip any any
    int vlan 10
     ip access-group 101 in

    the acl above allows 10.10.10.6 to talk to 10.10.10.134 but blocks all other 10.10.10.x/25 clients from talking to 10.10.10.134. Then it allows the 10.10.10.x/25 clients to talk to everything else. Note you may not want just "permit ip any any" at the end, you will probably want other permit lines instead, but I have included a general permit-all.

    I hope you see it's the same concept as applying an acl to a physical interface in terms of incoming and outgoing traffic. Where the confusion came from was probably that you applied the acl to vlan 20, so it effectively blocked the return traffic and not the original packet from vlan 10.

    It is usually best to filter packets to their source.

    Jon
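    To make the direction rule above concrete, here is an added Python model (not code from the original post, nor from Cisco) that evaluates extended ACLs first-match with IOS wildcard masks and applies them to a two-VLAN topology assumed to match the question: Vlan10 = 10.10.10.0/25, Vlan20 = 10.10.10.128/27, and anything else assumed to leave by an unfiltered third interface. It shows that the poster's ACL on Vlan20 "in" lets the original packet from another VLAN 10 host reach .134 and only drops the reply, while the ACL on Vlan10 "in" stops that packet at its source. All function and variable names are my own.

```python
"""Model of IOS extended ACL first-match evaluation on SVIs (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AddrSpec:
    addr: int
    netmask: int  # bits that must match; the inverse of the IOS wildcard mask

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) & self.netmask) == (self.addr & self.netmask)


def _parse_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tokens; return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return AddrSpec(0, 0), tokens[1:]
    if tokens[0] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return AddrSpec(addr, ~wildcard & 0xFFFFFFFF), tokens[2:]


@dataclass(frozen=True)
class Ace:
    action: str
    src: AddrSpec
    dst: AddrSpec
    text: str


def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST [options]' lines, numbered or named form; IP-only, trailing options ignored."""
    aces = []
    for line in lines:
        tokens = line.split()
        if tokens[0] == "access-list":  # numbered form: access-list 101 permit ip ...
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _parse_spec(tokens[2:])
        dst, _ = _parse_spec(rest)
        aces.append(Ace(action, src, dst, line))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; an ACL with no match ends in the implicit deny."""
    for ace in aces:
        if ace.src.matches(src_ip) and ace.dst.matches(dst_ip):
            return ace.action, ace.text
    return "deny", "implicit deny"


# Assumed topology, taken from the question: two SVIs, everything else via an unfiltered interface.
VLANS = {
    "Vlan10": ipaddress.ip_network("10.10.10.0/25"),
    "Vlan20": ipaddress.ip_network("10.10.10.128/27"),
}


def interface_of(ip):
    for name, net in VLANS.items():
        if ipaddress.ip_address(ip) in net:
            return name
    return "outside"  # assumption: no ACL bound here


def forward(bindings, src_ip, dst_ip):
    """One packet: the ingress SVI's 'in' ACL sees it first, then the egress SVI's 'out' ACL.
    bindings maps (interface, direction) -> parsed ACL."""
    ingress, egress = interface_of(src_ip), interface_of(dst_ip)
    for iface, direction in ((ingress, "in"), (egress, "out")):
        aces = bindings.get((iface, direction))
        if aces is None:
            continue
        verdict, why = evaluate(aces, src_ip, dst_ip)
        if verdict == "deny":
            return "deny", f"{iface} {direction}: {why}"
    return "permit", "no ACL denied it"


def tcp_flow(bindings, client, server):
    """A session needs both legs; report whichever leg is dropped first."""
    fwd = forward(bindings, client, server)
    return fwd if fwd[0] == "deny" else forward(bindings, server, client)


# The poster's ACL, bound inbound on Vlan20: it sees packets whose source is in VLAN 20.
POSTER_ACLS = {("Vlan20", "in"): parse_acl(["permit ip host 10.10.10.134 host 10.10.10.6 log-input"])}

# Jon's ACL, bound inbound on Vlan10: it sees the original packet from the VLAN 10 host.
JON_ACLS = {("Vlan10", "in"): parse_acl([
    "access-list 101 permit ip host 10.10.10.6 host 10.10.10.134",
    "access-list 101 deny ip 10.10.10.0 0.0.0.127 host 10.10.10.134",
    "access-list 101 permit ip any any",
])}

if __name__ == "__main__":
    for label, acls in (("Vlan20 in", POSTER_ACLS), ("Vlan10 in", JON_ACLS)):
        print(label, "first packet .10 -> .134:", forward(acls, "10.10.10.10", "10.10.10.134"))
        print(label, "whole session .10 <-> .134:", tcp_flow(acls, "10.10.10.10", "10.10.10.134"))
```

    With the poster's binding, `forward(POSTER_ACLS, "10.10.10.10", "10.10.10.134")` is permitted and only the reply from .134 is dropped at "Vlan20 in: implicit deny", which is why it looked like the wrong address was being matched; with Jon's binding the same packet is denied on Vlan10 before it is ever routed, matching his point that it is best to filter packets close to their source.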

  • Need help of the ACL for SMTP

    All,

    First, thanks for all the assistance.

    I am trying to configure my ASA5505 to accept SMTP relay and the ACL\Static I have created does not work.

    Here is the config:

    ASA Version 8.2(2)
    !
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.1.2 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 12.12.12.1 255.255.255.248  --> deleted
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
     speed 100
     duplex full
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
     switchport access vlan 3
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list 101 extended permit tcp any host 12.12.12.1 eq smtp
    access-list inside_access_in extended permit ip any any
    access-list sheep extended permit ip 10.10.10.0 255.255.255.0 any
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list sheep
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.12.12.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect icmp
     class class-default
    !
    prompt hostname context

    Please help me :-(

    Thank you very much!

    Hi Jim,

    The configuration guide provides a few basic examples for setting up object groups:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/objectgroups.html

    Single network objects are only available in 8.3 and higher. However, an object group in 8.2 can certainly contain a single member.

    -Mike
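    The "is the ACL actually bound to anything" check from the first answer (`sh run | inc Inside_Out`) and the SMTP config above both come down to the same question: which access-lists are defined, and which names are referenced by access-group, nat 0 or other commands. Here is an added Python script (not from either poster, not a Cisco tool) that answers it from a saved running-config. The sample config is constructed here to mirror the fragments quoted in this thread, with an extra unreferenced `Inside_Out` ACL; its names and addresses are illustrative only. It only looks for `access-group NAME` and `access-list NAME` references, so commands that name an ACL differently (for example `match address` in a crypto map) would need adding before relying on it against a real config.

```python
"""Audit which ASA access-lists are defined versus actually bound (added example)."""
import re

# Constructed sample in the shape of the running-config fragments quoted in this thread.
SAMPLE_CONFIG = """\
access-list 101 extended permit tcp any host 12.12.12.1 eq smtp
access-list inside_access_in extended permit ip any any
access-list sheep extended permit ip 10.10.10.0 255.255.255.0 any
access-list Inside_Out extended permit ip any any
nat (inside) 0 access-list sheep
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface outside
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
# A reference is any non-definition line naming the ACL after access-group or access-list.
ACL_REF = re.compile(r"\baccess-(?:group|list)\s+(\S+)")
# Global 'access-list' settings that are not ACL names.
NOT_ACL_NAMES = {"alert-interval", "deny-flow-max"}


def audit_acls(config: str) -> dict:
    """Return defined-but-unbound names, bound-but-undefined names, and where each name is used."""
    defined, referenced = set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            if m.group(1) not in NOT_ACL_NAMES:
                defined.add(m.group(1))
            continue
        for name in ACL_REF.findall(line):
            referenced.setdefault(name, []).append(line)
    return {
        "unused": sorted(defined - set(referenced)),
        "dangling": sorted(set(referenced) - defined),
        "bindings": referenced,
    }


def is_active(config: str, name: str) -> bool:
    """True when the ACL is assigned to a function, which is what step 2 in the answer means."""
    return name in audit_acls(config)["bindings"]


def cleanup_commands(config: str) -> list:
    """The removal command the answer gives, for every ACL that is defined but never bound."""
    return [f"clear configure access-list {name}" for name in audit_acls(config)["unused"]]


if __name__ == "__main__":
    report = audit_acls(SAMPLE_CONFIG)
    print("unused ACLs:", report["unused"])
    print("referenced but undefined:", report["dangling"])
    for cmd in cleanup_commands(SAMPLE_CONFIG):
        print(cmd)
```

    On the sample, `101` and `Inside_Out` come back as defined but unbound, and `outside_in` as bound on the outside interface but never defined, which is exactly the mismatch a `sh run | inc` on each name would reveal one name at a time.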
