From: Ken Diliberto (ken@kdmd.net)
Date: Sun Dec 14 2003 - 23:39:45 GMT-3
How about using a reflexive access list for VLAN 2 and 3?  Deny all
traffic into VLAN 2 and 3 from VLAN 1 except what's in the reflexive list.
ip access-list extended 100
 remark Allow traffic to VLAN1 with stateful inspection
 remark Create a stateful entry to allow return traffic.
 permit ip any 10.1.10.0 0.0.0.255 reflect VLAN2-Out-Stateful
ip access-list extended 101
 remark Allow return traffic for sessions established using ACL100
 evaluate VLAN2-Out-Stateful
 remark Deny all traffic from VLAN1
 deny ip 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255
ip access-list extended 102
 remark Allow selected hosts access to VLAN1.
 remark Create a stateful entry to allow return traffic.
 remark Make an entry similar to the following for each host.
 permit ip host w.x.y.z 10.1.10.0 0.0.0.255 reflect VLAN3-Out-Stateful
ip access-list extended 103
 remark Allow return traffic for sessions established using ACL102
 evaluate VLAN3-Out-Stateful
 remark Deny all traffic from VLAN1
 deny ip 10.1.10.0 0.0.0.255 10.3.30.0 0.0.0.255
int vlan 2
 ip access-group 100 in
 ip access-group 101 out
int vlan 3
 ip access-group 102 in
 ip access-group 103 out
Does this work?
Ken
zhang-meng wrote:
> Hi: Group
> 
>     A problem about access-lists.
>     The scenario:
>     three VLANs: vlan 1 (10.1.10.0/24), vlan 2 (10.2.20.0/24), vlan 3 (10.3.30.0/24)
>     1. vlan 1 can't access vlan 2, vlan 3
>     2. vlan 2 can access vlan 1
>     3. some hosts in vlan 3 can access vlan 1, vlan 2, vlan 3
> 
>     It seems I can't finish task "2".
> 
>      task "1"
>      for requirement 1
>      access-list 101 deny ip 10.1.10.0 0.0.0.255 10.2.20.0 0.0.0.255
>      access-list 101 deny ip 10.1.10.0 0.0.0.255 10.3.30.0 0.0.0.255
>      access-list 101 permit ip any any
>      vlan 1   ip access-group 101 in
> 
>      vlan 2
>      ping 10.1.10.100/24
>      sent packet
>      source address 10.2.20.200 (vlan 2)
>      destination address 10.1.10.100 (vlan 1)
>      response packet
>      source address 10.1.10.100
>      destination address 10.2.20.200
>      Because of the "vlan 1 ip access-group in" command,
>      vlan 2 can't receive the response packet.
>      I think the "vlan 1 ip access-group in" statement will deny traffic
> between vlan 2 and vlan 1,
>      regardless of direction, from vlan 2 to vlan 1 or vlan 1 to vlan 2.
> 
>      vlan 1 can't access vlan 2, and then vlan 2 can't access vlan 1.
>     
>       Could you give some suggestions for finishing these tasks, or a detailed
> description of the principle from the Cisco web site?
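The following is an added worked example, not code from either poster. It is a small Python model of the IOS access-list semantics the thread relies on (first match wins, implicit deny at the end of every list, `reflect` creating a mirrored 5-tuple entry on a permit, `evaluate` consulting that entry) and replays the echo exchange from both messages: zhang-meng's stateless ACL 101 inbound on interface vlan 1, and Ken's ACL 100/101 pair with a reflexive list on interface vlan 2. The class and function names (`Router`, `Ace`, `ping`, and so on) are hypothetical; reflexive-entry ageing is not modelled, and ACLs 102/103 for VLAN 3 are left unbound so the VLAN 2 behaviour is isolated.

```python
# Added example (not from the thread): simplified IOS ACL semantics applied
# to the three-VLAN scenario. Names are hypothetical; timeouts not modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VLANS = {"vlan1": "10.1.10.0/24", "vlan2": "10.2.20.0/24", "vlan3": "10.3.30.0/24"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    """One access-list entry; 'any' is accepted for src/dst."""
    action: str                     # "permit" or "deny"
    src: str
    dst: str
    proto: str = "ip"               # "ip" matches every protocol
    reflect: Optional[str] = None   # reflexive list to populate on a permit
    evaluate: Optional[str] = None  # reflexive list to consult instead of src/dst


def in_net(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)


def vlan_of(addr):
    for name, net in VLANS.items():
        if in_net(addr, net):
            return name
    raise ValueError(f"{addr} is not in a known VLAN")


class Router:
    def __init__(self):
        self.acls = {}       # acl name -> [Ace, ...]
        self.reflexive = {}  # reflexive list name -> set of 5-tuples
        self.bindings = {}   # (interface, "in"|"out") -> acl name

    def acl(self, name, *aces):
        self.acls[name] = list(aces)

    def bind(self, iface, direction, name):
        self.bindings[(iface, direction)] = name

    def check(self, iface, direction, p):
        """Apply the ACL bound to (iface, direction); True means permitted."""
        name = self.bindings.get((iface, direction))
        if name is None:
            return True  # no access-group here: everything passes
        for ace in self.acls[name]:
            if ace.evaluate is not None:
                # A hit in the reflexive list permits the return packet.
                if (p.src, p.dst, p.proto, p.sport, p.dport) in self.reflexive.get(ace.evaluate, set()):
                    return True
                continue
            if ace.proto in ("ip", p.proto) and in_net(p.src, ace.src) and in_net(p.dst, ace.dst):
                if ace.action == "permit" and ace.reflect:
                    # Mirror the tuple so the reply can be matched by 'evaluate'.
                    self.reflexive.setdefault(ace.reflect, set()).add(
                        (p.dst, p.src, p.proto, p.dport, p.sport))
                return ace.action == "permit"
        return False  # implicit deny at the end of every IOS ACL

    def forward(self, p):
        """Inbound ACL on the source VLAN's SVI, then outbound ACL on the destination's."""
        return self.check(vlan_of(p.src), "in", p) and self.check(vlan_of(p.dst), "out", p)


def ping(router, src, dst):
    """Return (request_delivered, reply_delivered) for one ICMP echo exchange."""
    if not router.forward(Packet(src, dst, "icmp")):
        return (False, False)
    return (True, router.forward(Packet(dst, src, "icmp")))


def stateless_router():
    """zhang-meng's ACL 101 applied inbound on interface vlan 1."""
    r = Router()
    r.acl("101", Ace("deny", VLANS["vlan1"], VLANS["vlan2"]),
                 Ace("deny", VLANS["vlan1"], VLANS["vlan3"]),
                 Ace("permit", "any", "any"))
    r.bind("vlan1", "in", "101")
    return r


def reflexive_router():
    """Ken's ACL 100 (in) / 101 (out) pair on interface vlan 2."""
    r = Router()
    r.acl("100", Ace("permit", "any", VLANS["vlan1"], reflect="VLAN2-Out-Stateful"))
    r.acl("101", Ace("permit", "any", "any", evaluate="VLAN2-Out-Stateful"),
                 Ace("deny", VLANS["vlan1"], VLANS["vlan2"]))
    r.bind("vlan2", "in", "100")
    r.bind("vlan2", "out", "101")
    return r


if __name__ == "__main__":
    print("stateless, vlan2 -> vlan1:", ping(stateless_router(), "10.2.20.200", "10.1.10.100"))
    print("reflexive, vlan2 -> vlan1:", ping(reflexive_router(), "10.2.20.200", "10.1.10.100"))
```

With the stateless list the echo request reaches 10.1.10.100 but the reply is dropped on its way back in through vlan 1, exactly as zhang-meng observed; with the reflexive pair the request populates the temporary entry and the reply is permitted by `evaluate`, while a fresh VLAN 1 initiated packet to VLAN 2 still hits the deny. Two caveats the model makes visible: an ICMP reflexive entry carries no ports, so while it is alive a VLAN 1 host can send to the VLAN 2 host that just pinged it (IOS ages such entries out per `ip reflexive-list timeout`); and because ACL 101 ends in the implicit deny, a VLAN 3 host (the constructed address 10.3.30.5 here) cannot reach VLAN 2 at all, which requirement 3 in the original question asks for.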
This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:41 GMT-3