Re: access-list principle for DNS problem

From: 1cmpecho (1cmpecho@hotpop.com)
Date: Thu Dec 25 2003 - 02:03:06 GMT-3


if the servers are _really_ in 10.1.10.0 /24 (see likely typos below where
you defined servers):

-note on the access list entries - the msfc will take them (and actually
correct them) and the mask results are the same; i.e.

10.1.10.0 0.0.0.255 vs. 10.1.10.1 0.0.0.255

-you may want to take note of the 'other' default udp ports that are
automatically opened when using ip helpers (tftp, tacacs, nb 137,138,139,
etc. by default - these are broadcasts - and should not interfere with
normal wins queries - if anything, they may make your ms network browsing
more stable. you can block these other udp ports by using 'no ip forward
udp xx'

-dns queries are sourced from a random port (typically above 1024) to a
destination port of udp 53....the return trip (from the dns server to
client) will be sourced from udp 53 to the same random high udp destination
port

dns query- source udp 1299 ---> dest udp 53
dns response- source udp 53 -----> dest udp 1299

your access list isn't blocking at the port levels/layer4 though (osi
transport layer), but it is blocking at layer 3 (osi network layer) - so in
effect you are stopping the vlan 1 subnet (10.1.10) from returning the dns
responses (and other ip traffic) back to the other vlans (10.2.20 &
10.3.30) - the requests should go to the dns/wins servers unscathed.

hth
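As an added illustration of the two points above (the MSFC normalising the 10.1.10.1 0.0.0.255 entries, and ACL 101 denying at layer 3 only on the return path), here is a small Python model of wildcard-mask ACL matching; it is not part of the original post. The client address 10.2.20.50 and the "corrected" server address 10.1.10.11 are assumed sample values; 10.1.1.11 is the DNS server address exactly as posted.

```python
import ipaddress

def _int(a):
    return int(ipaddress.IPv4Address(a))

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits that are 0 in the wildcard must equal the
    corresponding bits of the base address; 1-bits are 'don't care'."""
    w = _int(wildcard)
    return (_int(addr) & ~w) == (_int(base) & ~w)

def normalize(base, wildcard):
    """What the MSFC stores: base bits under a 1 wildcard bit are cleared, so
    10.1.10.1 0.0.0.255 and 10.1.10.0 0.0.0.255 are the same entry."""
    return str(ipaddress.IPv4Address(_int(base) & ~_int(wildcard) & 0xFFFFFFFF))

# access-list 101 as posted: (action, src, src_wildcard, dst, dst_wildcard)
ACL_101 = [
    ("deny",   "10.1.10.1", "0.0.0.255", "10.2.20.1", "0.0.0.255"),
    ("deny",   "10.1.10.1", "0.0.0.255", "10.3.30.1", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, src, dst):
    """Plain 'ip' entries only look at layer-3 addresses; first match wins,
    and a packet matching nothing hits the implicit deny at the end."""
    for action, s, swc, d, dwc in acl:
        if matches(src, s, swc) and matches(dst, d, dwc):
            return action
    return "deny"

def dns_exchange(server_ip, client_ip="10.2.20.50"):
    """Fate of both halves of a DNS lookup. 'ip access-group 101 in' on VLAN 1
    only sees packets entering from VLAN 1, so the client's query
    (UDP 1299 -> 53) is routed without consulting the ACL; only the server's
    response (UDP 53 -> 1299) is checked, and ports play no part in ACL 101."""
    return {
        "query":    "not inspected (enters on the client VLAN)",
        "response": evaluate(ACL_101, server_ip, client_ip),
    }

if __name__ == "__main__":
    print(normalize("10.1.10.1", "0.0.0.255"))   # 10.1.10.0
    # DNS server address exactly as posted (10.1.1.11, outside 10.1.10.0/24):
    print(dns_exchange("10.1.1.11"))             # response: permit
    # DNS server really in 10.1.10.0/24 (10.1.10.11, assumed corrected address):
    print(dns_exchange("10.1.10.11"))            # response: deny
```

Run as-is the two final lines show why the "likely typos" matter: with the addresses as posted the deny lines never match the servers at all, while with servers really in 10.1.10.0/24 every response to the other VLANs is dropped.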

At 11:49 AM 12/25/2003 +0800, zhang-meng wrote:
> Hi: Group
>
> A problem about access-list (Cisco 6509).
> The scenario:
> three VLANs: vlan 1 (10.1.10.0/24), vlan 2 (10.2.20.0/24), vlan 3 (10.3.30.0/24)
>
>The DHCP, DNS and WINS servers are in 10.1.10.0/24
>
>DHCP server IP = 10.1.1.10
>DNS server IP = 10.1.1.11
>WINS server IP = 10.1.1.12
>E-mail server IP= 10.1.1.100
>
>DHCP clients in 10.2.20.0 and 10.3.30.0 will receive the DNS and WINS IP
>addresses when they are assigned a DHCP IP address. This VLAN needs an ip
>helper address configured and pointing to the DHCP server. The Cisco 6509 will
>route any communication between these clients and the DNS and WINS servers.
>
>But if I add an access-list,
>for example:
>
>access-list 101 deny ip 10.1.10.1 0.0.0.255 10.2.20.1 0.0.0.255
>access-list 101 deny ip 10.1.10.1 0.0.0.255 10.3.30.1 0.0.0.255
>access-list 101 permit ip any any
>vlan 1 ip access-group 101 in
>
>can DNS messages still be forwarded to the other VLANs?
>Could you give me some principle for DNS? I am confused about this
>principle.
>Could you give me some suggestions and an example for this?
>
>
>Best Regards
>
>Zhang
>



This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:44 GMT-3