From: Vincent Fortunato (vfortunato@xxxxxxxxx)
Date: Mon Aug 30 1999 - 13:03:47 GMT-3
To block zones use:
ZIP reply filter (outbound)
Get Zone List (GZL) filter (for end systems) - outbound
Placement of these filters is important. The ZIP reply filter should not be placed on
the same router on which you want the zone(s) filtered, while the GZL
filter should be placed on that same router. Also remember to permit
additional zones.
For IP filtering, remember to allow UDP port 387 to keep your AURP tunnels
intact, and allow IP protocol 47 for GRE tunnels.
Lab in two days - yikes!
Vince Fortunato
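Putting the two halves of that advice into one configuration, as an added example that is not taken from any message in this thread: the router names, interface names, tunnel endpoint addresses and cable-ranges follow the configs jason posted below, while the access-list numbers (690, 691, 692 and 101), the choice of zones to hide (leftserial and rightserial) and the filter placement are assumptions made for illustration. It also shows the distribute-list that zyz's reply below recommends for hiding routes, next to the zone filters, since the two do different jobs.

```ios
! ===== Router "milan" (one hop upstream of Paris) =====
! AppleTalk access lists are numbered 600-699; 690 and 692 are assumed numbers.
! Zone filter: the zones to hide are denied explicitly, and the closing
! "additional-zones" entry must be present, because a zone that matches no
! entry is denied by the implicit deny at the end of the list.
access-list 690 permit zone milan
access-list 690 deny zone leftserial
access-list 690 deny zone rightserial
access-list 690 permit additional-zones
!
! Route filter (zyz's point): a distribute-list removes the routes themselves
! from RTMP updates, whereas "appletalk access-group" only drops data packets
! and leaves the routes visible on the far side.
access-list 692 permit cable-range 250-259
access-list 692 deny other-access
!
interface Tunnel0
 no ip address
 tunnel source Ethernet0
 tunnel destination 192.168.3.2
 tunnel mode cayman
 ! ZIP reply filter goes outbound on the router upstream of the one (Paris)
 ! that must not learn the denied zones, not on Paris itself.
 appletalk zip-reply-filter 690
 ! Route filter outbound on the same interface.
 appletalk distribute-list 692 out
!
! ===== Router "Paris" =====
! GZL filter goes on the router whose directly attached end systems (the
! Macs on Vlan908 using the Chooser) must not see the denied zones.
! 691 is an assumed list number.
access-list 691 permit zone milan
access-list 691 permit zone paris
access-list 691 deny zone leftserial
access-list 691 deny zone rightserial
access-list 691 permit additional-zones
!
interface Vlan908
 ip address 192.168.3.2 255.255.255.0
 appletalk cable-range 260-269 263.5
 appletalk zone paris
 appletalk getzonelist-filter 691
!
! ===== IP filtering on the interface that carries the tunnel =====
! Whatever else the IP access list blocks, the tunnel transport must get
! through: UDP port 387 carries AURP, IP protocol 47 (GRE) carries GRE
! tunnels. Shown here as it would look inbound on milan's Ethernet0;
! 101 is an assumed list number.
access-list 101 permit udp host 192.168.3.2 host 207.87.253.1 eq 387
access-list 101 permit gre host 192.168.3.2 host 207.87.253.1
access-list 101 deny ip any any log
!
interface Ethernet0
 ip access-group 101 in
```

After applying the filters, "show appletalk route" on Paris should no longer list the denied zones, and "show appletalk zone" on a Mac-facing interface should match list 691; the "log" on the closing IP deny makes a mistakenly blocked tunnel show up in the router log rather than as a silent loss of connectivity.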
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of zyz
Sent: Sunday, August 29, 1999 9:44 PM
To: ccielab@groupstudy.com
Subject: re: Apple: Tunnel: access lists where do you place them ?
If you want to filter routes, you should use "apple distribute-list 689 in (out)".
"apple access-group 689" is used to filter packets, like "ip access-group xxx" for
IP packets, so you still see the routes, but if you ping them, the ping will fail.
---zyz
jason wrote:
>How should apple/ip access-lists be used with Tunnels ?
>
>I'm trying to block other zones from crossing my Tunnel but not having any
>luck. If I place the "appletalk access-group 689 out" on the tunnel
>interface it is lost when I wr mem and reload.
>
>If I put the access-group on the Tunnel interface I still see networks/zones
>I'm trying to filter - jason
>
>PS Connectivity is great, just passing more zones than I want to.
>
>
>appletalk routing
>hostname milan
>!
>interface Tunnel0
>no ip address
>tunnel source Ethernet0
>tunnel destination 192.168.3.2
>tunnel mode cayman
>!
>interface Ethernet0
>ip address 207.87.253.1 255.255.255.0
>appletalk cable-range 250-259 256.143
>appletalk zone milan <---There are lots of other zones on E0
>appletalk access-group 689 out <I've also tried in>
>!
>access-list 689 permit zone milan
>access-list 689 deny additional-zones
>access-list 689 permit cable-range 250-259
>access-list 689 deny other-access
>Milan#show apple route
>Codes: R - RTMP derived, E - EIGRP derived, C - connected, A - AURP
> S - static P - proxy
>5 routes in internet. Up to 2 parallel paths allowed.
>
>The first zone listed for each entry is its default (primary) zone.
>
>C Net 100-105 directly connected, Serial0, zone leftserial
>C Net 106-110 directly connected, Serial1, zone rightserial
>R Net 120-120 [1/G] via 100.2, 3 sec, Serial0, zone ethernet
>C Net 250-259 directly connected, Ethernet0, zone milan
>R Net 260-269 [1/G] via 0.0, 0 sec, Tunnel0, zone paris
>
>
>
>
>
>hostname Paris
>appletalk routing
>!
>interface Vlan908
>ip address 192.168.3.2 255.255.255.0
>appletalk cable-range 260-269 263.5
>appletalk zone paris
>appletalk access-group 689 in
>!
>access-list 689 permit zone milan
>access-list 689 deny additional-zones
>access-list 689 permit cable-range 250-259
>access-list 689 deny other-access
>!
>Paris#show apple route
>Codes: R - RTMP derived, E - EIGRP derived, C - connected, A - AURP
> S - static P - proxy
>5 routes in internet
>
>The first zone listed for each entry is its default (primary) zone.
>
>R Net 100-105 [1/G] via 0.0, 9 sec, Tunnel0, zone leftserial
>R Net 106-110 [1/G] via 0.0, 9 sec, Tunnel0, zone rightserial
>R Net 120-120 [2/G] via 0.0, 9 sec, Tunnel0, zone ethernet
>R Net 250-259 [1/G] via 0.0, 9 sec, Tunnel0, zone milan
>C Net 260-269 directly connected, Vlan908, zone paris
>c55K_RSM_Top#
>
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:21:47 GMT-3