Re: access-list principle problem

From: Adel Abushaev (adel@netmasterclass.net)
Date: Sun Dec 14 2003 - 23:09:56 GMT-3


Can you use reflexive access lists?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfreflx.htm

HTH,

Adel Abouchaev
CCIE# 12037, MCSE
http://www.netmasterclass.net

----- Original Message -----
From: "zhang-meng" <meng_zhang@call-center.com.cn>
To: <ccielab@groupstudy.com>
Sent: Sunday, December 14, 2003 8:05 PM
Subject: access-list principle problem

> Hi: Group
>
> A problem about access-list,
> The scenario
> three VLANs: vlan 1 (10.1.10.0/24), vlan 2 (10.2.20.0/24), vlan 3 (10.3.30.0/24)
> 1. vlan 1 can't access vlan2, vlan 3
> 2. vlan 2 can access vlan 1
> 3. some of hosts in vlan 3 can access vlan 1, vlan 2, vlan3
>
>
>
> It seems I can't finish task "2".
>
> task "1"
> for requirement 1
> access-list 101 deny ip 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255
> access-list 101 deny ip 10.1.10.0 0.0.0.255 10.3.30.0 0.0.0.255
> access-list 101 permit ip any any
> interface Vlan1
>  ip access-group 101 in
>
> vlan 2
> ping 10.1.10.100/24
> sent packet
> source address 10.2.20.200 (vlan 2)
> destination address 10.1.10.100 (vlan 1)
> response packet
> source address 10.1.10.100
> destination address 10.2.20.200
> Because of the "vlan 1 ip access-group in" command,
> vlan 2 can't receive the response packet.
> I think the "vlan 1 ip access-group in" statement will deny traffic
> between vlan 2 and vlan 1,
> regardless of direction, from vlan 2 to vlan 1 or vlan 1 to vlan 2.
>
> vlan 1 can't access vlan 2, and then vlan 2 can't access vlan 1.
>
> Could you give some suggestions for finishing these tasks, or a detailed
> description of the principle from the Cisco web site?
>
> Thanks in advance.
>
> Best Regards
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
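
Written out as an added example (not configuration from either poster): the reflexive access list approach the reply points at, applied to the addressing in the question. The root of the task 2 problem is that an access list applied `in` on Vlan1 sees every packet leaving VLAN 1, a session VLAN 1 opens and a reply VLAN 1 sends alike, and at layer 3 the two are indistinguishable; the reflexive list records the VLAN 2 session as it goes out toward VLAN 1 and lets only the matching reply back in. The interface name Vlan1, its address 10.1.10.1, the ACL names VLAN1-IN, VLAN1-OUT and SESSIONS, and the VLAN 3 host 10.3.30.10 are assumptions.

```cisco
! Added example, not from the original thread. Addresses follow the post;
! the interface name, its IP, the ACL names and the VLAN 3 host are assumed.
!
! Sessions opened toward VLAN 1 pass OUTBOUND on Vlan1. Each permitted packet
! creates a temporary, reversed entry in the reflexive list SESSIONS.
ip access-list extended VLAN1-OUT
 remark VLAN 2 may open sessions to VLAN 1 (task 2)
 permit tcp  10.2.20.0 0.0.0.255 10.1.10.0 0.0.0.255 reflect SESSIONS
 permit udp  10.2.20.0 0.0.0.255 10.1.10.0 0.0.0.255 reflect SESSIONS
 permit icmp 10.2.20.0 0.0.0.255 10.1.10.0 0.0.0.255 reflect SESSIONS
 remark only selected VLAN 3 hosts (task 3); 10.3.30.10 is an assumed example
 permit tcp  host 10.3.30.10 10.1.10.0 0.0.0.255 reflect SESSIONS
 permit udp  host 10.3.30.10 10.1.10.0 0.0.0.255 reflect SESSIONS
 permit icmp host 10.3.30.10 10.1.10.0 0.0.0.255 reflect SESSIONS
 deny   ip 10.3.30.0 0.0.0.255 10.1.10.0 0.0.0.255
 permit ip any any
!
! Replies from VLAN 1 pass INBOUND on Vlan1. The evaluate line must come
! before the deny lines: it admits only packets matching a live SESSIONS
! entry, so VLAN 1 can answer VLAN 2 but cannot open anything to VLAN 2 or 3.
ip access-list extended VLAN1-IN
 evaluate SESSIONS
 deny   ip 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255
 deny   ip 10.1.10.0 0.0.0.255 10.3.30.0 0.0.0.255
 permit ip any any
!
! Idle reflexive entries are removed after this many seconds (300 is the default).
ip reflexive-list timeout 300
!
interface Vlan1
 ip address 10.1.10.1 255.255.255.0
 ip access-group VLAN1-IN in
 ip access-group VLAN1-OUT out
```

Points to check when trying this: `reflect` and `evaluate` only work in named extended access lists, not in numbered ones such as 101; `show ip access-lists SESSIONS` while a ping or telnet from VLAN 2 is running should show the temporary reversed entry, and it disappears after the timeout. If a given IOS release refuses `reflect` on the icmp line, a static `permit icmp 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255 echo-reply` placed before the deny lines in VLAN1-IN covers the ping test. The older `established` keyword (`permit tcp 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255 established` before the denies) is a simpler alternative, but it matches only TCP segments with ACK or RST set, so it does nothing for ping or UDP and is easy to spoof. Applications that open a second channel on a negotiated port (active FTP is the usual example) are not covered by either method.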



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:41 GMT-3