RE: vlan maps and trunks

From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Tue Dec 21 2004 - 14:23:57 GMT-3


Tim,

I believe what you have made is a vlan map that will permit only those
source addresses to anywhere and block all other vlan 10 traffic. I
don't think this is what you wanted.

I would suggest a three-stage vlan map: an extended ACL matching source
host to payroll server, with action forward; then a second sequence
matching any to the payroll server, with action drop; then a final
sequence that matches all on vlan 10, with action forward.

! host_a, host_b, host_c and payroll_server are placeholders for the real addresses
access-list 100 permit ip host host_a host payroll_server
access-list 100 permit ip host host_b host payroll_server
access-list 100 permit ip host host_c host payroll_server

access-list 110 permit ip any host payroll_server

vlan access-map PAYROLL 10
 match ip address 100
 action forward

vlan access-map PAYROLL 20
 match ip address 110
 action drop

vlan access-map PAYROLL 30
 action forward

vlan filter PAYROLL vlan-list 10

HTH
andy
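The difference between the two maps can be checked without a switch by modelling how a VACL is evaluated: sequences are tried in ascending order, a sequence matches when the ACL in its match clause permits the packet (a sequence with no match clause matches everything), the first matching sequence decides the action, and a packet that matches no sequence is dropped. The Python below is an added example written for this archive page, not code from either poster; the addresses and the host names are constructed placeholders. Run against a few sample flows, it shows the point made in the reply: the single-sequence map drops every packet whose source is not host a, b or c, which includes the payroll server's own replies, while the three-sequence map forwards ordinary vlan 10 traffic and only stops other hosts reaching the server.

```python
"""Model of Cisco IOS VLAN access-map (VACL) evaluation.

Added example, not from the original thread. Models the documented
semantics: ascending sequence order, first match wins, a sequence matches
when its ACL permits the packet, and no match means drop (implicit deny).
All addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Ace:
    """One access-list entry. A standard ACL is modelled with dst = any."""
    src: IPv4Network
    dst: IPv4Network
    permit: bool = True


def ace(src: str, dst: str = "0.0.0.0/0", permit: bool = True) -> Ace:
    return Ace(ip_network(src), ip_network(dst), permit)


def acl_permits(acl: List[Ace], src: IPv4Address, dst: IPv4Address) -> bool:
    """First matching entry wins; an ACL with no matching entry denies."""
    for entry in acl:
        if src in entry.src and dst in entry.dst:
            return entry.permit
    return False


@dataclass
class Seq:
    """One 'vlan access-map NAME <number>' block."""
    number: int
    action: str                    # "forward" or "drop"
    acl: Optional[List[Ace]] = None  # None: no match clause, matches all


def vacl_action(access_map: List[Seq], src: str, dst: str) -> str:
    """Return the action the map applies to a packet from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    for seq in sorted(access_map, key=lambda x: x.number):
        if seq.acl is None or acl_permits(seq.acl, s, d):
            return seq.action
    return "drop"  # implicit deny at the end of every VACL


# Constructed vlan 10 addresses (placeholders, not from the thread).
HOST_A, HOST_B, HOST_C = "10.10.0.11", "10.10.0.12", "10.10.0.13"
OTHER_HOST = "10.10.0.50"
PAYROLL = "10.10.0.5"
FILE_SERVER = "10.10.0.6"


def host(ip: str) -> str:
    return f"{ip}/32"


# The single-sequence map from the question: standard ACL 1 on sources only.
TIM_MAP = [
    Seq(10, "forward", [ace(host(HOST_A)), ace(host(HOST_B)), ace(host(HOST_C))]),
]

# The three-sequence map from the reply: ACL 100 / 110 plus a catch-all.
ACL_100 = [ace(host(h), host(PAYROLL)) for h in (HOST_A, HOST_B, HOST_C)]
ACL_110 = [ace("0.0.0.0/0", host(PAYROLL))]
ANDY_MAP = [
    Seq(10, "forward", ACL_100),
    Seq(20, "drop", ACL_110),
    Seq(30, "forward"),
]


def compare(src: str, dst: str) -> dict:
    """Action each map gives the same flow."""
    return {
        "tim": vacl_action(TIM_MAP, src, dst),
        "andy": vacl_action(ANDY_MAP, src, dst),
    }


if __name__ == "__main__":
    flows = [
        (HOST_A, PAYROLL, "allowed host -> payroll"),
        (OTHER_HOST, PAYROLL, "other host -> payroll"),
        (OTHER_HOST, FILE_SERVER, "other host -> file server"),
        (PAYROLL, HOST_A, "payroll reply -> allowed host"),
    ]
    for src, dst, label in flows:
        print(f"{label:32s} {compare(src, dst)}")
```

The fourth flow is the one worth noticing: a VACL is stateless and sees the server's reply packets too, so a map that only permits host a, b and c as sources drops the replies and breaks even the sessions it was meant to allow.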

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Tuesday, December 21, 2004 8:37 AM
To: Group Study
Subject: vlan maps and trunks

Hi guys,

I never tested this so I can't say for sure, but I'm wondering if a vlan
map will filter as expected frames coming in from a trunk.

Simple example:

Assume the payroll server is in vlan 10 and connected to Cat-1. Also,
assume only hosts a, b and c are allowed access to this payroll server,
but there are other hosts in vlan 10, some of which are connected to
Cat-1 and some of which are connected to Cat-2.

Cat-1 is configured to support ip routing and is connected to Cat-2 by a
trunk which allows all vlans.

If I configure the following vlan map, will this prevent all access to
the payroll server except from hosts a, b and c?

access-list 1 permit host a
access-list 1 permit host b
access-list 1 permit host c

vlan access-map PAYROLL
match ip address 1
action forward

vlan filter PAYROLL vlan-list 10

TIA, Tim



This archive was generated by hypermail 2.1.4 : Mon Jan 03 2005 - 10:31:29 GMT-3