Task 3.2 What?

The taks says to filter tcp 139 before it gets to e0/0 on the router r3. The solution guide shows an ACL applied to int f0/24 on sw1. That port is a trunk. What about this talks tells me that this is where I'm supposed to apply this filtering? Im very confused with this step.




  • Hello Brandon,

    Email me the configs in question, please.

  • access-list 160 deny tcp any any eq 139
    access-list 160 permit ip any any
    interface FastEthernet0/24
    ip access-group 160 in

    This is what is supposed to be applied to sw1.

    That port is an access port actually- vlan 33 based on the default configs for lab 1. This is relating to lab 1 task 3-2.

    I guess what doesn't make sense is how this accomplishes the task. Its a layer 2 port so how does the ACL work?
  • Brandon,

    You can also apply ACLs to Layer 2 interfaces on a switch. Port ACLs are supported on physical interfaces only and not on EtherChannel interfaces. Port ACLs are applied on interfaces for inbound traffic only. These access lists are supported on Layer 2 interfaces:

    •Standard IP access lists using source addresses

    •Extended IP access lists using source and destination addresses and optional protocol type information

    •MAC extended access lists using source and destination MAC addresses and optional protocol type information

    As with router ACLs, the switch examines ACLs associated with features configured on a given interface and permits or denies packet forwarding based on how the packet matches the entries in the ACL. However, ACLs can only be applied to Layer 2 interfaces in the inbound direction. In the example in Figure 29-1, if all workstations were in the same VLAN, ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but prevent Host B from accessing the same network.

    When you apply a port ACL to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. When you apply a port ACL to a port with voice VLAN, the ACL filters traffic on both data and voice VLANs.

    With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

    ref: http://www.cisco.com/en/US/docs/switches....html#wp1174694
  • I have a different problem with the solution given--I'm not convinced it is the right one given the task. The task does not actually specify that only traffic from BB3 should be blocked, but *all* traffic to R3 on port 139. Granted, only BB3 and R3 are in the VLAN, but given the wording wouldn't a VACL blocking TCP/139 to R3 be more appropriate? The solution given would only block BB3.
  • If there were an SVI on the switch I would apply a VACL to it, yes. As you stated there are only two devices in question within the task and it specified not to apply any configuration on the router which leaves the f0/24 interface on the switch where the ACL is applied, inbound.
  • I did the VLAN ACL and tested with the test PC connected to a port off the switch. It actually worked. I think what was happening is that the traffic generated by the switch, even though sourced from an interface on a different vlan was still not processed by the vlan ACL. Anyhow, I got it to work with this config:

    access-list 139 permit tcp any any eq 139
    vlan access-map NO139 10
    action drop
    match ip address 139
    vlan access-map NO139 20
    action forward
    vlan filter NO139 vlan-list 37
  • i know this is a dated thread, but i also got this working with a VACL.
    At least it appears that i did, similar to the example brandon gave. it still appeared working, even after i removed the ACL applied to R3's 0/0 interface. from bb3, i was unable to telnet to, but from R3, i was able to do it. this indicates the VACL was indeed working.
  • Hello ;

    I am Mohammed kallawy.
    CCIE R&S 21068.
    I need your help to start security track plz.

    this is my mail.

    [email protected]

    if you need help in R&S track only send me.
Sign In or Register to comment.