From: Mosley, Arthur (Arthur.Mosley@xxxxxxxx)
Date: Fri Apr 14 2000 - 11:23:04 GMT-3
Sorry, I pasted from the original example and modified it as an illustration
of my point. As you can see, ATTENTION to DETAIL is essential, which further
illustrates my point. Yes, it should be tcp, not udp. Again, when practicing,
play around with the locations of filters (in-bound/out-bound/different
routers).
Example should read:
perhaps placed on an outbound interface:
access-list 102 permit tcp 202.205.15.224 0.0.0.255 eq tacacs 202.205.35.30
-----Original Message-----
From: Erols
To: Mosley, Arthur; Robert_Wang@toyota.com; 'wang xihan '
Cc: ccielab@groupstudy.com
Sent: 4/14/00 9:53 AM
Subject: Re: How to filter snmp and TACACS.
I think this filter is not going to do anything, and also the router is not
going to take it:
r1(config)#access-list 101 permit udp 202.205.15.224 eq tacacs 202.205.15.224
^
% Invalid input detected at '^' marker.
Why would I block tacacs traffic from the same host? Do you recommend to use
a loopback address? Why?
Just a question about tacacs: should I use tcp or udp?
regards
byong
----- Original Message -----
From: Mosley, Arthur <Arthur.Mosley@wang.com>
To: <Robert_Wang@toyota.com>; 'wang xihan ' <wangxh@nts.net.edu.cn>
Cc: <ccielab@groupstudy.com>
Sent: Thursday, April 13, 2000 11:22 PM
Subject: RE: How to filter snmp and TACACS.
> 2 cents:
>
>
> Make sure you "play around" with placing your filters on in-bound and
> out-bound interfaces. Always check your logic. It's easy to make logic
> mistakes with source address versus destination address....
>
>
> Also, research TACACS filtering....
>
> access-list 101 permit udp 202.205.15.224 eq tacacs 202.205.15.224
>
> Art
>
>
> -----Original Message-----
> From: Robert_Wang@toyota.com
> To: wang xihan
> Cc: ccielab@groupstudy.com
> Sent: 4/13/00 11:47 AM
> Subject: Re: How to filter snmp and TACACS.
>
>
>
> If you want just the SNMP (202.205.15.96) and TACACS (202.205.15.224)
> traffic running between the two LANs 202.205.15.x and 196.14.10.0, here is
> what you do on the router (with two LAN interfaces):
>
> int eth 0
> ip address 202.205.15.254 255.255.255.0
> ip access-group 101 in
>
> int eth1
> ip address 196.14.10.254 255.255.255.0
>
> access-list 101 permit udp 202.205.15.96 any eq snmp
> access-list 101 permit udp 202.205.15.224 any eq tacacs
>
> Or you may replace the IP addresses within the access-list with "any" to
> allow any SNMP and any TACACS traffic coming in to your eth0.
>
> Hope it helps.
>
> Robert
>
>
>
>
> "wang xihan" <wangxh@nts.net.edu.cn> on 04/12/2000 05:50:51 PM
>
> Please respond to "wang xihan" <wangxh@nts.net.edu.cn>
>
> To: ccielab@groupstudy.com
> cc: (bcc: Robert Wang/Vendors/Toyota)
>
> Subject: How to filter snmp and TACACS.
>
>
>
> Hi all:
> I have a SNMP server and TACACS server in my LAN (add 202.205.15.224 and
> 202.205.15.96). I would like to permit only SNMP and TACACS traffic between
> this and another LAN's device (subnet 196.14.10.0). How can I config this in
> my router's in interface? Does somebody know how SNMP and TACACS work and
> how to filter it with access-list?
> Thanks a lot
> Xihan wang
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:13 GMT-3
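
Added example, not part of the thread and not any poster's code: a small Python model of extended access-list matching, for checking the source-versus-destination logic the thread discusses before a filter goes on an interface. The entries and the packet are constructed from the thread's addresses, the parser covers only a subset of the access-list syntax, and TCP port 49 assumes TACACS+.

```python
import ipaddress

PORTS = {"snmp": 161, "tacacs": 49}  # IOS port keywords used in the thread

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i] -> ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip(tok[i + 1]), 0), i + 2
    return (ip(tok[i]), ip(tok[i + 1])), i + 2

def port(tok, i):
    """Parse an optional 'eq PORT' at tok[i] -> (port number or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i

def parse(entry):
    """Parse 'permit|deny tcp|udp SRC [eq P] DST [eq P]', a subset of extended ACL syntax."""
    tok = entry.split()
    src, i = addr(tok, 2)
    sport, i = port(tok, i)
    dst, i = addr(tok, i)
    dport, i = port(tok, i)
    return tok[0], tok[1], src, sport, dst, dport

def hit(rule, address):
    base, wild = rule  # wildcard bits set to 1 are "don't care"
    return (ip(address) | wild) == (base | wild)

def evaluate(acl, proto, sip, sport, dip, dport):
    """Return the action of the first matching entry, else the implicit deny."""
    for entry in acl:
        action, p, src, sp, dst, dp = parse(entry)
        if (p == proto and hit(src, sip) and hit(dst, dip)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

# Constructed entries for an inbound filter on the server LAN (TCP/49 assumes TACACS+).
SRC_PORT = ["permit tcp host 202.205.15.224 eq tacacs 196.14.10.0 0.0.0.255"]
DST_PORT = ["permit tcp host 202.205.15.224 196.14.10.0 0.0.0.255 eq tacacs"]
REPLY = ("tcp", "202.205.15.224", 49, "196.14.10.5", 11000)  # constructed server reply

if __name__ == "__main__":
    print("eq after source:", evaluate(SRC_PORT, *REPLY))
    print("eq after destination:", evaluate(DST_PORT, *REPLY))
```

A server's reply carries port 49 as its source port, so only the entry with `eq tacacs` after the source address matches it; the other entry falls through to the implicit deny.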