Vlan Maps and Port ACLs on 3550!

From: Hossam (sam6626@yahoo.com)
Date: Fri Apr 16 2004 - 15:08:55 GMT-3


Team,
In the 3550 (IOS ver 12.1(19)EA1) documentation, section "Configuring Network Security with ACLs", at the following URL:
 
http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf53.html#1065750
Here is a copy of it for easy reference:
 
"Port ACLs are not supported on the same switch with input router ACLs and VLAN maps. If you try to apply an ACL to a Layer 2 interface on a switch that has an input Layer 3 ACL or a VLAN map applied to it, a conflict error message is generated. You can apply an ACL to a Layer 2 interface if the switch has output Layer 3 ACLs applied. "

I understand that if my switch has an active VLAN map, then it should generate an error message if I try to apply a Port ACL on any of its L2 ports.
 
Not only does my switch not generate any error message, but it places the Port ACL command in its configuration, and moreover both the VLAN Map and the Port ACL work fine as far as my test showed.
 
Here is my configuration. The VLAN Map stops the ICMP traffic only, and the port access list is to stop the NetBIOS/UDP traffic.
 
Configurations:
vlan access-map Vmap1 10
 action drop
 match ip address 101
vlan access-map Vmap1 20
 action forward
 match ip address 102
! Apply the map to VLAN 1: sequence 10 drops what ACL 101 matches (ICMP echo-reply),
! sequence 20 forwards everything else, matched by ACL 102.
vlan filter Vmap1 vlan-list 1
!
! Layer 2 switchport with a port ACL applied inbound.
interface FastEthernet0/21
 switchport mode dynamic desirable
 no ip address
 ip access-group 110 in
!
access-list 101 permit icmp any any echo-reply
access-list 102 permit ip any any
! Port ACL: block NetBIOS over UDP (name service 137, datagram 138, session 139).
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-ss
! Without an explicit permit, the implicit deny at the end of ACL 110 would block
! all other IP traffic on the port, not just NetBIOS.
access-list 110 permit ip any any
 
My question is: what is wrong? Is it my test or the documentation?
 
Thanks
SAM
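As an added example (not code from the original post or from Cisco), here is a small checker that scans an IOS-style running config for the combination the quoted documentation calls unsupported: a port ACL on a Layer 2 switchport on the same switch as an active VLAN map (a "vlan filter" line) or an input router ACL on a routed interface. It also flags numbered ACLs that contain no permit entry, since the implicit deny at the end of such an ACL blocks all IP traffic on the port. The parsing rules (an interface is Layer 2 unless it is an SVI or has "no switchport"; "vlan filter" marks an active map) are assumptions about the config format, and the sample config is constructed from the post, with an SVI carrying an output router ACL added to show the case the documentation allows.

```python
"""Check an IOS-style config for port ACL / VLAN map / input router ACL
combinations and for ACLs with no permit entry.

Added example, not the post's or Cisco's own code. Parsing rules and the
sample config below are assumptions / constructed from the post.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample, based on the post's config plus an SVI with an output ACL.
SAMPLE_CONFIG = """\
vlan access-map Vmap1 10
 action drop
 match ip address 101
vlan access-map Vmap1 20
 action forward
 match ip address 102
vlan filter Vmap1 vlan-list 1
!
interface FastEthernet0/21
 switchport mode dynamic desirable
 no ip address
 ip access-group 110 in
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 120 out
!
access-list 101 permit icmp any any echo-reply
access-list 102 permit ip any any
access-list 110 deny udp any any eq netbios-dgm
access-list 110 deny udp any any eq netbios-ns
access-list 110 deny udp any any eq netbios-ss
access-list 120 permit ip any any
"""


@dataclass
class Interface:
    name: str
    lines: List[str] = field(default_factory=list)

    @property
    def is_layer2(self) -> bool:
        # Assumption: SVIs (interface VlanN) are routed; any other port is a
        # switchport unless 'no switchport' is configured.
        if self.name.lower().startswith("vlan"):
            return False
        return not any(l.strip() == "no switchport" for l in self.lines)

    def input_acls(self) -> List[str]:
        """ACL names/numbers applied with 'ip access-group <acl> in'."""
        acls = []
        for l in self.lines:
            m = re.match(r"\s*ip access-group (\S+) in\s*$", l)
            if m:
                acls.append(m.group(1))
        return acls


def parse_interfaces(config: str) -> List[Interface]:
    """Collect each 'interface ...' block with its indented sub-commands."""
    interfaces, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = Interface(line.split(None, 1)[1].strip())
            interfaces.append(current)
        elif line.startswith(" ") and current is not None:
            current.lines.append(line)
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def active_vlan_filters(config: str) -> List[Tuple[str, str]]:
    """(map name, vlan-list) pairs for every applied VLAN map."""
    return re.findall(r"^vlan filter (\S+) vlan-list (.+?)\s*$", config, re.M)


def check_acl_conflicts(config: str) -> List[str]:
    """Report port ACLs that share the switch with a VLAN map or input router ACL."""
    ifaces = parse_interfaces(config)
    port_acls = [(i.name, a) for i in ifaces if i.is_layer2 for a in i.input_acls()]
    router_in = [(i.name, a) for i in ifaces if not i.is_layer2 for a in i.input_acls()]
    findings = []
    for name, acl in port_acls:
        for vmap, vlist in active_vlan_filters(config):
            findings.append(f"port ACL {acl} on {name} with VLAN map {vmap} (vlan-list {vlist})")
        for rname, racl in router_in:
            findings.append(f"port ACL {acl} on {name} with input router ACL {racl} on {rname}")
    return findings


def acls_without_permit(config: str) -> List[str]:
    """Numbered ACLs whose entries are all 'deny' (implicit deny then blocks everything)."""
    entries = {}
    for num, action in re.findall(r"^access-list (\S+) (permit|deny) ", config, re.M):
        entries.setdefault(num, set()).add(action)
    return sorted(n for n, actions in entries.items() if "permit" not in actions)


if __name__ == "__main__":
    for f in check_acl_conflicts(SAMPLE_CONFIG):
        print("documented as unsupported:", f)
    for n in acls_without_permit(SAMPLE_CONFIG):
        print(f"access-list {n} has no permit entry; implicit deny drops all other IP traffic")
```

Run against the sample, the checker reports ACL 110 on FastEthernet0/21 together with VLAN map Vmap1, and flags ACL 110 as having no permit entry; the output ACL on Vlan1 is not reported, matching the documentation's exception for output Layer 3 ACLs. Whether the switch actually rejects the combination is the question of the post; the script only tells you where in a config to look.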

                
---------------------------------
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:48 GMT-3