Access-list

From: Peng Zheng (zpnist@yahoo.com)
Date: Thu Sep 05 2002 - 20:42:11 GMT-3


I saw an access-list sample:

-------------------------------------------------------

H_C(e0)--(e0)R_C(s0)--(s0)R_B(s1)--------(s0)R_A
          (e1)|_______________________________|(e0)

- H_C is not allowed to ping R_A.
- H_C is not allowed to use SNMP to R_A.
- H_C is denied accessing R_B with any protocol other
than Telnet & TFTP.
- Any other traffic not explicitly defined will be
denied.

IP addresses:

e0 of H_C is 172.16.10.5
e0 of R_C is 172.16.10.1
e1 of R_C is 172.19.10.1
s0 of R_C is 172.17.1.1
s0 of R_B is 172.17.1.2
s1 of R_B is 172.18.1.2
s0 of R_A is 172.18.1.1
e0 of R_A is 172.19.10.2

-------------------------------------------------

The solution is:

access-list 101 deny icmp host 172.16.10.5 host 172.18.1.1 echo
access-list 101 deny icmp host 172.16.10.5 host 172.19.10.2 echo
access-list 101 deny udp host 172.16.10.5 host 172.19.10.2 eq snmp
access-list 101 deny udp host 172.16.10.5 host 172.18.1.1 eq snmp

access-list 101 permit ip host 172.16.10.5 host 172.19.10.2
access-list 101 permit tcp any any eq telnet
access-list 101 permit udp any any eq tftp

R_C(config)#int e0
R_C(config-if)#ip access-group 101 in

I can understand deny part.

For the first permit, I think it's because we should
permit all other traffic from H_C to R_A, but why only
e0 of R_A?

And for the other two permits, I don't know why "any" is
used. I think H_C and R_B should be used.

Any idea?

Thank you for your help.

Best Wishes,
Peng Zheng
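The behaviour the post is asking about (first-match evaluation, the implicit deny at the end of every IOS access list, and how "host"/"any" plus an "eq <port>" or ICMP-type qualifier narrow a line) can be checked by replaying the posted ACL against test packets. The following Python is an added example, not code from the original post or from any vendor; it implements a small subset of the IOS extended-ACL syntax (any, host, address/wildcard, eq <port>, one ICMP type keyword). The port-name table, the Packet model and the sample packets are assumptions of the example. It also evaluates a reordered copy with the "permit ip" line moved to the top, which goes beyond the post, to show why the position of the deny lines matters.

```python
"""First-match evaluator for a subset of Cisco IOS extended ACL syntax (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords accepted after "eq" (small subset of the IOS names; assumed here).
PORT_NAMES = {"telnet": 23, "tftp": 69, "snmp": 161, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str                        # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None       # tcp/udp destination port
    icmp_type: Optional[str] = None   # e.g. "echo" (request) or "echo-reply"


@dataclass(frozen=True)
class AddrSpec:
    """An address plus the bits that must match (the inverse of the IOS wildcard)."""
    addr: int
    mask: int

    def matches(self, ip: str) -> bool:
        return (int(ipaddress.IPv4Address(ip)) & self.mask) == (self.addr & self.mask)


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at t[i]; return (spec, next index)."""
    if t[i] == "any":
        return AddrSpec(0, 0), i + 1
    if t[i] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(t[i]))
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))
    return AddrSpec(addr, 0xFFFFFFFF ^ wildcard), i + 2


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; anything else must match exactly
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (self.src.matches(p.src) and self.dst.matches(p.dst)):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        # "echo" matches only echo requests; replies and other types fall through.
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [eq <port> | <icmp-type>]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t):
        if t[i] == "eq":
            name = t[i + 1]
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif proto == "icmp":
            icmp_type = t[i]
        else:
            raise ValueError("unsupported qualifier: " + " ".join(t[i:]))
    return Ace(action, proto, src, dst, dport, icmp_type)


def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number) of the first match, or ("deny", None)."""
    for n, ace in enumerate(acl, 1):
        if ace.matches(p):
            return ace.action, n
    return "deny", None   # the implicit deny that ends every IOS ACL


# The ACL exactly as posted, in the posted order.
ACL_101 = [parse_ace(line) for line in [
    "access-list 101 deny icmp host 172.16.10.5 host 172.18.1.1 echo",
    "access-list 101 deny icmp host 172.16.10.5 host 172.19.10.2 echo",
    "access-list 101 deny udp host 172.16.10.5 host 172.19.10.2 eq snmp",
    "access-list 101 deny udp host 172.16.10.5 host 172.18.1.1 eq snmp",
    "access-list 101 permit ip host 172.16.10.5 host 172.19.10.2",
    "access-list 101 permit tcp any any eq telnet",
    "access-list 101 permit udp any any eq tftp",
]]

# Same entries with "permit ip" moved to the top (assumed variant, for illustration only).
ACL_101_PERMIT_FIRST = [ACL_101[4]] + ACL_101[:4] + ACL_101[5:]

H_C, R_B_S0, R_A_S0, R_A_E0 = "172.16.10.5", "172.17.1.2", "172.18.1.1", "172.19.10.2"

if __name__ == "__main__":
    samples = [   # constructed packets, all arriving inbound on R_C e0 from H_C
        Packet("icmp", H_C, R_A_E0, icmp_type="echo"),
        Packet("udp", H_C, R_A_S0, dport=161),
        Packet("tcp", H_C, R_A_E0, dport=80),
        Packet("tcp", H_C, R_A_S0, dport=80),
        Packet("tcp", H_C, R_B_S0, dport=23),
        Packet("tcp", H_C, R_B_S0, dport=80),
    ]
    for pk in samples:
        print(pk, "->", evaluate(ACL_101, pk), "| permit-first:", evaluate(ACL_101_PERMIT_FIRST, pk))
```

Replaying the posted entries shows that H_C reaches R_A's e0 address (172.19.10.2) with anything except echo requests and SNMP, while R_A's s0 address (172.18.1.1) and R_B are reachable from H_C only by Telnet and TFTP; every other packet falls through to the implicit deny. In the reordered copy the "permit ip" entry matches an echo request to 172.19.10.2 before the deny is reached, which is why the deny lines have to come first.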



This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:45 GMT-3