In IOS XR access list, which packets will be permitted?

Refer to the command:
ipv4 access-list FILTER
10 permit tcp any 192.168.15.32 0.0.0.15 eq www
20 deny ipv4 any 192.168.15.32 0.0.0.15
30 permit ipv4 any any
The access list has been configured on the Gi0/0/0/0 interface in the inbound direction. Which packets that are sourced from 10.1.1.1 TCP port 1060, if they are routed to the Gi0/0/0/0 interface, will be permitted?
A. destination IP address: 192.168.15.49, destination TCP port: 80
B. destination IP address: 192.168.15.49, destination TCP port: 8080
C. destination IP address: 192.168.15.46, destination TCP port: 80
D. destination IP address: 192.168.15.41, destination TCP port: 8080
E. destination IP address: 192.168.15.36, destination TCP port: 80
F. destination IP address: 192.168.15.37, destination TCP port: 8080
Is it the same in IOS? If it does follow the sequence, then sequence 30 permits source any to destination any, so I thought all choices are permitted. What do you think?
Thank you very much.

The ACL is evaluated line by line until the packet hits some statement, so in your ACL:
10. All traffic coming from any source with destination 192.168.15.32 through 47 and TCP port 80 will be permitted.
20. All traffic from any source going to destination 192.168.15.32 through 47 and a port other than 80 will be denied.
30. Any other traffic, with a destination different from 192.168.15.32/29, will be permitted.
Besides that, the same behavior could be reached with two lines:
ipv4 access-list FILTER
10 deny ipv4 any 192.168.15.32 0.0.0.15
20 permit ipv4 any any
PVD.

Similar Messages

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I'd like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    Mac based ACL can be configured on the router. You will need to use an access-list which ranges from 700-799:
    A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware
    DESTINATION address>. Apply it to a vlan interface after making VLAN interface as a layer2 interface.

  • Wi-Fi Card Access List no longer accessible

    At Telstra's suggestion I recently upgraded to a Telstra Gateway Max router. I set it up in the same way as my previous router with a Wi-Fi Access list of MAC addresses of devices to which I chose to give access to my Wi-Fi network. Yes I know that is not absolutely necessary but the facility is there so why not use it. Some time in the past few weeks the firmware on the router has been updated to cater for the new Telstra Air function. At the same time the ability to maintain the Wi-Fi Card Access List has disappeared although it still shows on the Help screen for the Wi-Fi functions. So now I am no longer able to add new devices or delete old devices from my Wi-Fi card Access List which is still being recognised by the software. This is a little like buying a family-size car and then having the dealer weld the back doors shut. The Telstra support staff struggle to understand the problem and suggest I contact the higher level support area who will not charge me if they cannot solve the problem. Why should I pay for Telstra to solve a problem they caused! Has anyone else had a similar issue and how was it resolved?

    It is something which has come up a few times since the release of the new Firmware update, it looks like it might be something to do with making Air work... but a number of features of the device in its initial state as intended by the manufacturer have been removed or limited by the Firmware in order to ensure the system runs as Telstra intend it to run... it is a matter of give and take... you have less features but it makes it simpler for the 'average user'...

  • Assistance wth Access-list

    Need configuration assistance on 6509: Goal is to block inbound traffic on interface except from 10.60.0.0 and 10.90.0.0
    This is what I have but it is not working - what am I missing?
    6509
    interface vlan xx
    ip access-group 100 in
    ip access-list standard 100
    permit ip 10.60.0.0 any
    permit ip 10.90.0.0 any
    deny ip any any
    on pix
    access-list 100 permit ip 10.60.0.0
    access-list 100 permit ip 10.90.0.0

    Hi Johanna,
    The access-list would be the following:
    ip access-list standard traffic_in
    permit 10.60.0.0 0.0.255.255
    permit 10.90.0.0 0.0.255.255
    interface vlan xx
    ip access-group traffic_in in
    If you use "permit 10.60.0.0" only in the access-list, then it will permit the 10.60.0.0 source address only, not the entire subnet.
    My supposition is that the subnets are:
    10.60.0.0 255.255.0.0
    10.90.0.0 255.255.0.0
    This is why I chose the given wildcard mask in the access-list.
    You don't have to put "deny any" at the end of the access-list, because there is an implicit deny at the end anyway.
    Cheers:
    Istvan
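
    The two answers above (PVD's walk through the FILTER ACL and Istvan's point that a standard ACE without a wildcard matches a single host) both come down to first-match evaluation with wildcard masks. The following is an added example, not code from either poster: a small evaluator with constructed Ace/Packet structures and constructed sample packets, run over the FILTER list from the original question and over Istvan's standard ACL with and without the 0.0.255.255 wildcard.

```python
# Added example: a first-match evaluator for Cisco-style access lists.
# It is not code from the forum posts; the Ace/Packet structures and the
# sample packets are constructed here to walk the FILTER ACL from the
# IOS XR question and the standard ACL from Istvan's answer.
from dataclasses import dataclass
from typing import Optional

ANY, ANY_WC = "0.0.0.0", "255.255.255.255"   # the "any" keyword


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    An ACE written without a wildcard (plain 'permit 10.60.0.0') gets 0.0.0.0,
    so it matches exactly one host."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class Ace:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ipv4" (any IP protocol) or "tcp"
    src: str
    src_wc: str = "0.0.0.0"
    dst: str = ANY                    # standard ACLs only look at the source,
    dst_wc: str = ANY_WC              # so the destination defaults to "any"
    dport: Optional[int] = None       # None = any destination port


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ipv4" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl, pkt):
    """Walk the ACL top to bottom; the first matching ACE decides.
    Returns (action, seq); (deny, None) is the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


# ipv4 access-list FILTER from the question
FILTER = [
    Ace(10, "permit", "tcp", ANY, ANY_WC, "192.168.15.32", "0.0.0.15", dport=80),
    Ace(20, "deny", "ipv4", ANY, ANY_WC, "192.168.15.32", "0.0.0.15"),
    Ace(30, "permit", "ipv4", ANY, ANY_WC, ANY, ANY_WC),
]

# The six answer choices, all sourced from 10.1.1.1 TCP port 1060
CANDIDATES = {
    "A": Packet("10.1.1.1", "192.168.15.49", "tcp", 80),
    "B": Packet("10.1.1.1", "192.168.15.49", "tcp", 8080),
    "C": Packet("10.1.1.1", "192.168.15.46", "tcp", 80),
    "D": Packet("10.1.1.1", "192.168.15.41", "tcp", 8080),
    "E": Packet("10.1.1.1", "192.168.15.36", "tcp", 80),
    "F": Packet("10.1.1.1", "192.168.15.37", "tcp", 8080),
}


def filter_results() -> dict:
    """Action taken for each answer choice, by letter."""
    return {k: evaluate(FILTER, p)[0] for k, p in CANDIDATES.items()}


def standard_acl_demo(src: str = "10.60.5.7") -> tuple:
    """Istvan's point: 'permit 10.60.0.0' matches one host, so a packet from
    elsewhere in 10.60.0.0/16 falls to the implicit deny; with the wildcard
    0.0.255.255 the whole /16 is permitted. Returns (host_only, with_wildcard)."""
    host_only = [Ace(10, "permit", "ipv4", "10.60.0.0"),
                 Ace(20, "permit", "ipv4", "10.90.0.0")]
    with_wildcard = [Ace(10, "permit", "ipv4", "10.60.0.0", "0.0.255.255"),
                     Ace(20, "permit", "ipv4", "10.90.0.0", "0.0.255.255")]
    pkt = Packet(src, "192.0.2.1", "tcp", 443)   # constructed sample flow
    return evaluate(host_only, pkt)[0], evaluate(with_wildcard, pkt)[0]


if __name__ == "__main__":
    for letter, pkt in CANDIDATES.items():
        action, seq = evaluate(FILTER, pkt)
        print(f"{letter}: {pkt.dst}:{pkt.dport} -> {action} (seq {seq})")
    print("standard ACL, packet from 10.60.5.7:", standard_acl_demo())
```

    Running it shows choices A, B, C and E permitted (A and B fall through to sequence 30 because .49 is outside the .32-.47 block) and D and F denied at sequence 20, which is the point the original poster missed: sequence 30 is only reached by packets that matched neither 10 nor 20. The second function returns ("deny", "permit") for a source of 10.60.5.7, the host-only versus wildcard difference Istvan describes.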

  • Extended access list on Cisco routers

    Can you edit an access list without deleting the entire list? In other words, can you remove a sequence entry within the access list?
    Thanks

    Yes, you can.  If you do sh access-list, the router will show the sequence number.  You can then add a sequence, delete a sequence or change one.
    For example, if you have an access-list like this:
    Extended IP access list test
    10 deny ip 10.10.10.0 0.0.0.255 any log
    15 deny ip 11.11.11.0 0.0.0.255 any log
    you can now add a new sequence between 10 and 15
    11 deny ip 172.16.10.0 0.0.0.255 any log
    You just have to make sure to use the sequence number when you create the last access-list
    HTH

  • Access-list searching

    Hi all, I have only a small question. Does anyone of you know a way to easily find out if communication is allowed or denied by an access-list? I cannot try the communication, I can only work with the lines of the access-list in the console. Maybe there exists some program or script for searching in an access-list. THX for your advice.

    a) sh access-list (name )
    It will show you the hitcount
    inet-FW# sh access-list no-nat-dmz
    access-list no-nat-dmz; 2 elements
    access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
    access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
    you can use the Pipe command for specifics such as
    show access-list (name ) | include ftp
    it will give you all lines containing deny

  • Packets not hitting the route-map's NAT access-list

    Hi Everyone,
    I've been struggling with this issue for two days. I have a couple of VPN tunnels on a router and all are working fine with NAT because I created route-maps for NAT to deny the packets that are going to the tunnel from getting NATed. I have the same config for all the tunnels, but the issue is with the xxx_NAT access-list that is not even being hit by the packets, so my xxx tunnel won't come up. I am positive that the problem is NAT because when I remove NAT from the 0/1.102 interface it starts to work. Here is my config:
    interface GigabitEthernet0/1.102
    description "xxx"
    encapsulation dot1Q 102
    ip address 10.300.301.1 255.255.255.0
    ip access-group xxx_ACL in
    ip nat inside
    ip virtual-reassembly
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool ???_POOL ??
    ip nat pool xxx_POOL ??
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip nat inside source route-map xxx pool xxx_POOL overload
    ip nat inside source route-map ??? pool ???_POOL overload
    ip access-list extended xxx-VPN
    remark VPN to xxx
    permit ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 192.168.45.0 0.0.0.255 10.300.301.0 0.0.0.255
    ip access-list extended xxx_ACL
    deny   ip 10.300.301.0 0.0.0.255 192.168.56.0 0.0.0.255
    permit ip any any
    ip access-list extended xxx_NAT
    deny   ip 10.300.301.0 0.0.0.255 110.110.2.0 0.0.0.255
    deny   ip 10.300.301.0 0.0.0.255 192.168.45.0 0.0.0.255
    permit ip 10.300.301.0 0.0.0.255 any
    route-map ??? permit 10
    match ip address ???_NAT
    route-map xxx permit 10
    match ip address xxx_NAT
    route-map ??? permit 10
    match ip address NAT_???
    route-map ??? permit 10
    match ip address ???_NAT
    control-plane
    banner motd ^C

    As that is probably *not* the config you are having problems with (or are your route-maps really named ???, xxx etc. ?) it is hard to help.
    So just a guess:
    The "ip nat inside source route-map" statements are processed in lexical order. The naming of your route-maps has to reflect the order you want to achieve. If you have the wrong order your traffic will end in the wrong translation, which you should see with "show ip nat translation".
    HTH, Karsten

  • I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the mac address is included on that list and that the password is correct. Under choose network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi nic bad in this thing with the new apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • DB Tool List Table: How to access tables which are in different SQL database ?

    Hi, All,
    I'm working on a database application (SQL server) and am evaluating the NI DB Toolkit for this project.
    One of the requirements is that I need to access tables which are in two different databases
    (say Table A in DB 1 and Table B in DB 2).
    Our IT guys have linked Table A in DB1 to DB 2 and I verified this when I use the SQL Server Management Studio.
    When DB 2 tables are populated, Table A from DB1 is also there. I can also do the same thing using MS Access.
    Table A in DB1 is available to me even though I only connect to DB 2.
    Here comes the problem.
    When I use DB Tool List Table.vi to access DB2, it does NOT list Table A in DB1. It only lists the tables in
    the database (DB2) which I make a connection to (using DB Tool Open Connection.vi with a file DSN).
    So my workaround right now is to open two separate connections to DB1 and DB2. However, this approach
    obviously creates a problem when I have to access separate databases constantly in my application.
    What would be a solution to this? I've searched the forum but only see one post that's somewhat related to
    my question. (And it was posted in 2004.) Perhaps I need to alter the code in the original VI (DB Tool List Table.vi)??
    My IT guy told me he has not encountered this scenario since he writes code in other environments such as
    VB and others, and he's always been successful by linking tables to different databases.
    I hope my question is sound and clear since I really don't know much about database terminology.
    Any comment/suggestion is much appreciated!!!
    Thanks
    Chad

    To josborne:
    To answer your question:
    - Are the two databases contained on the same SQL Server instance?
    Or are the databases on separate instances?  I assume they are on
    separate servers, otherwise this wouldn't really be an issue.  But it's
    good to know because it will affect how you build your SQL statements.
    Yes they are on separate instances.
    - Ask your IT people specifically how they "linked Table A in DB1 to
    DB 2".  I assume they used "linked servers".
    Maybe I used the wrong terminology "linked." They created a "View of Table A (DB1)" in DB2 using the management studio.
    Here is a screen shot of that. As you can see, dbo.VISUAL_WORK_ORDER is seen under LABVIEW database in the management studio.
    I also see the same table when I make a connection to the database using MS Access.
    Could you elaborate on "configure your SQL statement correctly" =) ? The purpose of using LabView's toolkit is so that I can do
    minimum SQL statements. Are you talking about modifying LabView's native VI (DB Tool List Table.vi)?
    Thanks for the information. SQL is just something new to me.

  • I am running safari 7.0.6 with IOS 10.9.4. After the Mac has been asleep and I log on I cannot open safari as it appears to have crashed. The workaround to this is to reboot the IOS and log back in after which safari will open.

    I am running safari 7.0.6 with IOS 10.9.4. After the Mac has been asleep and I log on I cannot open safari as it appears to have crashed. The workaround to this is to reboot the IOS and log back in after which safari will open. Any ideas on how to resolve this?

    Launch the Console application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Console in the icon grid.
    Step 1
    For this step, the title of the Console window should be All Messages. If it isn't, select
              SYSTEM LOG QUERIES ▹ All Messages
    from the log list on the left. If you don't see that list, select
              View ▹ Show Log List
    from the menu bar at the top of the screen.
    In the top right corner of the Console window, there's a search box labeled Filter. Initially the words "String Matching" are shown in that box. Enter the name of the crashed application or process. For example, if iTunes crashed, you would enter "iTunes" (without the quotes.)
    Each message in the log begins with the date and time when it was entered. Select the messages from the time of the last crash, if any. Copy them to the Clipboard by pressing the key combination command-C. Paste into a reply to this message by pressing command-V.
    ☞ The log contains a vast amount of information, almost all of which is irrelevant to solving any particular problem. When posting a log extract, be selective. A few dozen lines are almost always more than enough.
    Please don't indiscriminately dump thousands of lines from the log into this discussion.
    Please don't post screenshots of log messages—post the text.
    ☞ Some private information, such as your name, may appear in the log. Anonymize before posting.
    Step 2
    In the Console window, select
              DIAGNOSTIC AND USAGE INFORMATION ▹ User Diagnostic Reports
    (not Diagnostic and Usage Messages) from the log list on the left. There is a disclosure triangle to the left of the list item. If the triangle is pointing to the right, click it so that it points down. You'll see a list of crash reports. The name of each report starts with the name of the process, and ends with ".crash". Select the most recent report related to the process in question. The contents of the report will appear on the right. Use copy and paste to post the entire contents—the text, not a screenshot.
    I know the report is long, maybe several hundred lines. Please post all of it anyway.
    If you don't see any reports listed, but you know there was a crash, you may have chosen Diagnostic and Usage Messages from the log list. Choose DIAGNOSTIC AND USAGE INFORMATION instead.
    In the interest of privacy, I suggest that, before posting, you edit out the “Anonymous UUID,” a long string of letters, numbers, and dashes in the header of the report, if it’s present (it may not be.)
    Please don’t post other kinds of diagnostic report—they're very long and rarely helpful.

  • How To Add scrollbar in Spark list which will work on mouse movement ?

    Hi,
    I want to add scrollbar in Spark list which will work on mouse movement, i.e instead scrolling down it will sense mouse position and scroll automatically. I could not find a way to handle this with horizontalLayout.
    I tried hovering on list and setting ensureIndexIsVisible(index) but hovering element index is not present in the Spark List.
    Any idea on this will be highly appreciated.
    Thanks in advance
    Avishek

  • I am looking into Lightroom (Creative Cloud) to allow a Team Member access my Catalog to keyword search which images will work for our Social Media platforms.

    I am looking at LR Creative Cloud to allow a Team Member access my catalog so she can keyword search which images will work for our social media campaigns. My catalog has both personal and business images (which are in separate folders), however, I only want them to access the business images. What is the best way to do this?
    And a second question, as I am new to the Cloud LR product. I am assuming that my images still stay on my external drive...how am I or she able to view these images if I am out of town on another computer?

    My catalog has both personal and business images (which are in separate folders), however, I only want them to access the business images. What is the best way to do this?
    I think the only way in Lightroom to make this happen is to use two catalogs, one for business and one for personal, and then prevent access to the personal catalog via putting it on a disk or location that your team member does not have access to.
    I am assuming that my images still stay on my external drive...how am I or she able to view these images if I am out of town on another computer?
    Situations like this require you to put the catalog file AND photos on the external HD and then move the external drive to whatever location and whatever computer is needed. An alternative is to put the photos on a network drive and the catalog file on a local disk and access the catalog locally and the photos via network, but that limits you to using a single computer.
    I am looking at LR Creative Cloud to allow a Team Member access my catalog so she can keyword search which images will work for our social media campaigns.
    As far as I know, this does not require Creative Cloud, nor does Creative Cloud help in this situation. Furthermore, if you are thinking about a situation where you and your team member have simultaneous access to the catalog(s) of interest, this is not possible in Lightroom. Lightroom is a single user application.
    If you are interested in a true multi-use application, where more than one individual can access a catalog at the same time, you might want to look at Daminion. Note: I am not endorsing or recommending Daminion, as I have never used it; I simply point out the that it has the feature being discussed.

  • My iOS 6.1.4 is updated. I have other devices connected to the wifi hotspot of my iPhone 5. Though my other devices appear to be connected and show an excellent signal strength, I cannot access the internet. Hope this will be fixed.

    My iOS 6.1.4 is updated. I have other devices connected to the wifi hotspot of my iPhone 5. Though my other devices appear to be connected and show an excellent signal strength, I cannot access the internet. Hope this will be fixed.

    I hope so too.  So what have you actually done to fix your issue?

  • If i bought iPhone 6 this week which software will be installed on it iOS 8.1 or 8.1.1

    I want to buy a new iPhone 6, so I want to know if I bought an iPhone this week which software will be installed on it, iOS 8.1 or 8.1.1?

    miko777 wrote:
    I want to buy a new iPhone 6, so I want to know if I bought an iPhone this week which software will be installed on it, iOS 8.1 or 8.1.1?
    It will have whatever iOS version was current for that device at the time it was manufactured.

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We've a 10G interface, this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing that we do is, through a policy-map TK-MPLS_TG, make a shape of 2G on the interface in the output direction:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us to assign bandwidth percent to 5 class-maps, which in turn match the experimental values classified when they got into the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    what we want to do is to assign a specific bandwidth to the proxy in the output direction using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    we assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any kind of help is very appreciated.

    That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
    unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    if you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-me
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <dont do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    even though the permit and deny may be overlapping in terms of match.
    only the first class is matched here, DENY-ME.
    cheers!
    xander
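
    The ordering point in xander's answer (the exclude class is listed first, so overlapping traffic never reaches the policed class) is easy to check offline. The following is an added example, not code from xander or from IOS XR: a constructed policy-map evaluator with the four exempt networks from the poster's PROXY-GIT-MEX ACL written as permit-only entries, using ipaddress notation in place of wildcard masks and constructed sample flows.

```python
# Added example (not from the thread): models xander's workaround, two
# permit-only ACLs placed in a policy-map so that the "exclude" class is
# matched first. The class evaluator, the exempt networks and the sample
# flows are constructed for this illustration; ipaddress notation stands in
# for the wildcard masks in the poster's ACL (0.0.0.127 -> /25).
import ipaddress

PROXY = ipaddress.ip_address("150.2.1.100")

# "DENY-ME": the exclude list, written as permit entries
EXCLUDE_ACL = [(PROXY, ipaddress.ip_network(n)) for n in
               ("10.15.142.0/24", "10.15.244.0/24",
                "10.18.52.0/25", "10.16.4.0/24")]
# "PERMIT-ME": everything the proxy sends
PERMIT_ACL = [(PROXY, ipaddress.ip_network("0.0.0.0/0"))]


def acl_permits(acl, src: str, dst: str) -> bool:
    """An ACL made only of permit entries: True if any entry matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s == src_host and d in dst_net for src_host, dst_net in acl)


def classify(policy, src: str, dst: str):
    """policy: ordered list of (class_name, acl, action). As in a policy-map,
    the first class whose ACL matches wins; later classes are never consulted.
    Unmatched traffic lands in class-default."""
    for name, acl, action in policy:
        if acl_permits(acl, src, dst):
            return name, action
    return "class-default", None


# xander's ordering: the exclude class first, then the class that polices
POLICY_X = [("DENY-ME", EXCLUDE_ACL, None),
            ("PERMIT-ME", PERMIT_ACL, "police rate 300 mbps")]
# The same two classes in the wrong order, to show why the order matters
POLICY_REVERSED = list(reversed(POLICY_X))

if __name__ == "__main__":
    for dst in ("10.15.142.9", "10.18.52.200", "10.99.1.1"):
        print("correct :", dst, classify(POLICY_X, "150.2.1.100", dst))
        print("reversed:", dst, classify(POLICY_REVERSED, "150.2.1.100", dst))
```

    With the classes in xander's order, proxy traffic to 10.15.142.9 lands in DENY-ME with no action while traffic to 10.99.1.1 is policed; with the order reversed, the exempt destination is policed too, because PERMIT-ME matches everything from the proxy before DENY-ME is consulted. The 10.18.52.200 case shows the /25 boundary of the 0.0.0.127 wildcard.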
