It works as I said, and yes I have wondered why it set it to DEC, but I used
the auto setup procedure during startup after an erase star command, and
said yes to put both ethernet interfaces in bridging mode. It came up and
did the bridge 1 protocol dec by itself.

And I have tried to use the IEEE instead without any differences related to
my problem.

As I see it now - I would have to do one of two things:

1) Change some of my IP addresses so I can place devices on each side of the
router on different subnets (seen from the router's view), and then set it
up as routing instead of switching.

2) Add all the MAC addresses to the groups they belong to, and then use
access-lists 700-799 (MAC addresses).

Both solutions suck, so I am still looking for an easier 3rd solution.

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 http://www.RouterChief.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----Original Message-----
From: Ed Horley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 12:31 PM
To: [EMAIL PROTECTED]
Subject: Re: Bridging and Access-lists [7:24791]


Is there a good reason that the bridge is set up as protocol dec?  I don't
know if it would work the way you have it configured using ieee instead.
Just a thought.

Ed

"Ole Drews Jensen" wrote in message news:[EMAIL PROTECTED]...
> I think that would work, however, I would then look at layer 2 addresses
> instead of layer 3 addresses, and controlling a group of people who can
> access the web all the time, another group who can access it in certain
> time frames, and a third group that cannot access it - would be a nightmare to
> control with MAC addresses, instead of simply an array of IP addresses
> specified by a wildcard.
>
> Hmm, I got to dig a little more...
>
> Thanks,
>
> Ole
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Bridging and Access-lists [7:24791]
>
>
> Ole,
>
> My thinking on this ...
>
> When your ethernet frame (L2) hits the e1 interface the router will bridge
> (L2) this to the e0 interface and not route (L3) it. Therefore the IP
> access-list (L3) will not be used.
>
> I did some work a couple of years ago on a dial-on-demand Bridging solution.
> After a lot of head scratching we learned about extended bridging ACLs,
> maybe you could use these?
>
> I think they are range 1000 to 1100, you will need to check this.
>
> What do you think?
>
> Steven Dangerfield CCNP, CCSA, CSE
>
> -----Original Message-----
> From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
> Sent: 31 October 2001 16:08
> To: [EMAIL PROTECTED]
> Subject: Bridging and Access-lists [7:24791]
>
>
> I have an ethernet segment that I would like to put some restrictions on,
> and after having played around with several solutions, I came to one that I
> believe is the best. Please do not reply with "why don't you use the
> firewall", or similar suggestions - because I am looking for a way to get
> this solution to work.
>
> I have placed a Cisco 2514 on a segment so I can create access-lists to
> filter traffic. I want my segment to have the same IP addresses and be on
> the same network, so I have assigned the 2514 as a bridge where both
> ethernet interfaces have the same IP address, and are in the same
> bridge-group. IP routing has been disabled.
>
> This all works fine, except that any access-lists I create on any of the two
> ethernet interfaces do not block anything at all - it's like access-lists
> are being ignored when the interfaces work in bridging mode.
>
> Here's how it looks, very simplified:
>
>   internet---router---firewall---2514---switch---users and servers
>
> A part of the config:
>
> no ip routing
> !
> interface Ethernet0
>  ip address 10.25.14.1 255.0.0.0
>  no ip directed-broadcast
>  no ip route-cache
>  no mop enabled
>  bridge-group 1
> !
> interface Ethernet1
>  ip address 10.25.14.1 255.0.0.0
>  ip access-group 100 in
>  no ip directed-broadcast
>  no ip route-cache
>  no mop enabled
>  bridge-group 1
> !
> bridge 1 protocol dec
> !
> ip classless
> !
> access-list 100 deny   ip any any
> !
>
> The e0 interface is connected to the firewall, the gateway router, and
> eventually the Internet.
> The e1 interface is connected to the switch connecting a workstation.
>
> From that workstation I am browsing the web, but even with the "deny ip any
> any", I can keep browsing without being blocked.
>
> Can someone explain this, and perhaps come up with a solution to fix this
> problem on this router?
>
> Thanks in advance,
>
> Ole
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=24815&t=24791
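
Added example, not part of the original thread or any poster's configuration: option 2 from the top message written out as IOS configuration, with the IP access-group from the posted config (which the thread reports blocks nothing on bridged ports) beside a MAC address list applied to the bridge group. The MAC addresses and the choice of list number 700 are constructed placeholders.

```cisco
! Constructed sample; MAC addresses below are placeholders.
!
! As posted in the thread: an IP access list on a bridged port.
! Frames entering Ethernet1 are bridged at layer 2, not routed,
! so the layer 3 list is reported to have no effect.
interface Ethernet1
 ip access-group 100 in
 bridge-group 1
!
! Option 2: filter on source MAC address (standard lists 700-799).
! Format: access-list <700-799> {permit|deny} <address> <mask>
! Mask bits set to 1 are "don't care"; an all-zero mask matches
! exactly one station.
access-list 700 permit 0000.0c11.1111 0000.0000.0000
access-list 700 permit 0000.0c22.2222 0000.0000.0000
! Any source not listed falls through to the implicit deny.
!
! Apply the list to frames received on the user-facing port.
interface Ethernet1
 no ip access-group 100 in
 bridge-group 1
 bridge-group 1 input-address-list 700
```

A list like this matches only on the station address, so it cannot express the per-group web access or time-frame rules described in the thread, and a source MAC address is set by the client, which makes it a weak identifier for access control.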