vlan access-map (IE WB 6.0 - L36)

From: nikolai (be@tweedlebee.net)
Date: Fri Aug 06 2004 - 16:32:10 GMT-3


The scenario asks to allow only NetBIOS over TCP/IP for VLAN 999
(199.199.199.0/24). Here is the solution:
.............................
! NetBIOS name service (137/udp), datagram service (138/udp) and
! session service (139/tcp), permitted in both directions for the VLAN subnet
ip access-list extended netbt
 permit udp 199.199.199.0 0.0.0.255 any eq netbios-dgm
 permit udp 199.199.199.0 0.0.0.255 any eq netbios-ns
 permit tcp 199.199.199.0 0.0.0.255 any eq 139
 permit udp any 199.199.199.0 0.0.0.255 eq netbios-dgm
 permit udp any 199.199.199.0 0.0.0.255 eq netbios-ns
 permit tcp any 199.199.199.0 0.0.0.255 eq 139

! Sequence 10 forwards what the ACL permits; sequence 20 (no match clause) drops the rest
vlan access-map netbt 10
 action forward
 match ip address netbt
vlan access-map netbt 20
 action drop

! Apply the map to the VLAN being filtered
vlan filter netbt vlan-list 999
...............................
Questions:

* Do we really need "vlan access-map netbt 20" with explicit "drop" action,
since the Cisco documentation states clearly that "If there is a MATCH
clause for that type of packet (IP or MAC) in the VLAN map, the default
action is to DROP the packet if the packet does NOT match any of the entries
within the map"?

* Don't we also need to "catch" UDP port 139 with "eq netbios-ss":

permit udp 199.199.199.0 0.0.0.255 any eq netbios-ss
permit udp any 199.199.199.0 0.0.0.255 eq netbios-ss
....................................................

Thanks,

Nikolai Tsankov
be@tweedlebee.net
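As an added worked example (it is not part of Nikolai's post or of the workbook), here is a small Python model of how a Catalyst VLAN map evaluates the access list above: IOS wildcard-mask matching (a 1 bit in the mask means "don't care"), first-match evaluation of map sequences, and the implicit drop when the map has an IP match clause but no entry matches, exactly as the documentation quoted in the post describes it. The `Packet` and `Ace` types, the sample packets and the 10.1.1.5 peer address are constructed test inputs; ports 137, 138 and 139 are the standard NetBIOS name, datagram and session service ports. The model also evaluates a variant of the ACL that adds the two UDP 139 lines the post asks about, so the difference in behaviour can be seen directly. Only IP packets are modelled; MAC match clauses are out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed packet: only the fields a layer-3/4 VACL decision needs.
@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int

# One entry of an IOS extended ACL. Wildcard masks: a 1 bit means "don't care",
# so 0.0.0.255 is a /24 and 255.255.255.255 with 0.0.0.0 is "any".
@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None  # None == no "eq <port>" qualifier

def _wc_match(addr: str, net: str, wildcard: str) -> bool:
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    # Bits that differ must all fall under "don't care" bits of the wildcard.
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto == pkt.proto
            and _wc_match(pkt.src, ace.src, ace.src_wc)
            and _wc_match(pkt.dst, ace.dst, ace.dst_wc)
            and (ace.dport is None or ace.dport == pkt.dport))

def acl_permits(acl: list, pkt: Packet) -> bool:
    """First matching ACE wins; an ACL used as a VACL match clause matches on permit.
    No ACE matching (the ACL's implicit deny) means the clause does not match."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def evaluate(vlan_map: list, pkt: Packet) -> str:
    """vlan_map is a list of (sequence, action, acl_or_None); None == no match clause.
    Returns "forward" or "drop" for one IP packet."""
    has_ip_match = any(acl is not None for _, _, acl in vlan_map)
    for _, action, acl in sorted(vlan_map, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, pkt):
            return action
    # Nothing matched: the documented default is to drop IP packets when the map
    # has an IP match clause at all, and to forward them when it has none.
    return "drop" if has_ip_match else "forward"

VLAN = ("199.199.199.0", "0.0.0.255")       # the filtered subnet from the post
ANY = ("0.0.0.0", "255.255.255.255")

def _both_ways(proto: str, port: int) -> list:
    """Permit <proto>/<port> from the VLAN to anywhere and from anywhere to the VLAN."""
    return [Ace("permit", proto, *VLAN, *ANY, port),
            Ace("permit", proto, *ANY, *VLAN, port)]

# The ACL as posted: 137/udp (netbios-ns), 138/udp (netbios-dgm), 139/tcp.
NETBT_ACL = _both_ways("udp", 138) + _both_ways("udp", 137) + _both_ways("tcp", 139)
# Variant with the two "eq netbios-ss" (139/udp) lines the post asks about.
NETBT_ACL_WITH_SS = NETBT_ACL + _both_ways("udp", 139)

MAP_EXPLICIT = [(10, "forward", NETBT_ACL), (20, "drop", None)]   # as posted
MAP_IMPLICIT = [(10, "forward", NETBT_ACL)]                        # sequence 20 omitted

# Constructed sample traffic; 10.1.1.5 is an arbitrary host outside the VLAN.
SAMPLES = {
    "smb_tcp139_out": Packet("tcp", "199.199.199.10", "10.1.1.5", 139),
    "netbios_ns_in":  Packet("udp", "10.1.1.5", "199.199.199.10", 137),
    "http_out":       Packet("tcp", "199.199.199.10", "10.1.1.5", 80),
    "udp139_out":     Packet("udp", "199.199.199.10", "10.1.1.5", 139),
}

def decide_all(vlan_map: list) -> dict:
    return {name: evaluate(vlan_map, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, m in (("explicit drop", MAP_EXPLICIT), ("implicit drop", MAP_IMPLICIT),
                     ("with netbios-ss", [(10, "forward", NETBT_ACL_WITH_SS)])):
        print(label, decide_all(m))
```

Running the block shows the posted map and the map without sequence 20 making identical decisions for these packets, and shows 139/udp being dropped by the posted ACL but forwarded once the `netbios-ss` lines are added.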



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:34 GMT-3