From: Edwards, Andrew M (andrew.m.edwards@boeing.com)
Date: Tue Dec 21 2004 - 14:43:38 GMT-3
The vlan map will filter all frames in the vlan. This would include any
coming in the trunk tagged for the vlan you are filtering on...
andy
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Tuesday, December 21, 2004 9:35 AM
To: Edwards, Andrew M; Group Study
Subject: Re: vlan maps and trunks
Andrew,
Thank you. You're right. I did screw up the vlan-map.
Good catch.
But, what about the issue with the trunk between Cat-1 and Cat-2?
Assuming I had configured the vlan-map correctly - as your example
showed - would the vlan-map filter frames coming in from the trunk just
like it would for any other type of port or interface?
TIA, Tim
----- Original Message -----
From: "Edwards, Andrew M" <andrew.m.edwards@boeing.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
<ccielab@groupstudy.com>
Sent: Tuesday, December 21, 2004 12:23 PM
Subject: RE: vlan maps and trunks
Tim,
I believe what you have made is a vlan map that will permit only those
source addresses to anywhere and block all other vlan10 traffic. I
don't think this is what you wanted.
I would suggest a three stage vlan map with extended ACL for matching
source host to payroll server and forward, and then a second sequence
permitting any to the payroll server as drop. Then a final sequence
that permits all on vlan10 and forward.
access-list 100 permit ip host_a payroll_server
access-list 100 permit ip host_b payroll_server
access-list 100 permit ip host_c payroll_server
access-list 110 permit ip any payroll_server
vlan access-map PAYROLL 10
 match ip address 100
 action forward
vlan access-map PAYROLL 20
 match ip address 110
 action drop
vlan access-map PAYROLL 30
 action forward
vlan filter PAYROLL vlan-list 10
HTH
andy
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Tuesday, December 21, 2004 8:37 AM
To: Group Study
Subject: vlan maps and trunks
Hi guys,
I never tested this so I can't say for sure, but I'm wondering
if a vlan map will filter as expected frames coming in from a trunk.
Simple example:
Assume the payroll server is in vlan 10 and connected to Cat-1. Also,
assume only hosts a, b and c are allowed access to this payroll server
but there are other hosts in vlan 10, some of which are connected to
Cat-1 and some of which are connected to Cat-2.
Cat-1 is configured to support IP routing and is connected to Cat-2 by a
trunk which allows all VLANs.
If I configure the following vlan map, will this prevent all access to
the payroll server except from hosts a, b and c?
access-list 1 permit host a
access-list 1 permit host b
access-list 1 permit host c
vlan access-map PAYROLL
 match ip address 1
 action forward
vlan filter PAYROLL vlan-list 10
TIA, Tim
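
Added example (not part of the original thread, and not Cisco code): a small Python model of how a VLAN map is evaluated, run against both maps from the messages above for frames arriving on access ports and on the trunk. It assumes the documented VLAN-map behaviour that IP traffic matching no sequence is dropped; the addresses, the extra "host d" and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
# Constructed addresses: the thread names hosts a, b, c and the payroll server only.
HOSTS_ABC = [ip_network(f"10.10.10.{n}/32") for n in (11, 12, 13)]
PAYROLL = ip_network("10.10.10.100/32")

ACL_1 = [(h, ANY) for h in HOSTS_ABC]        # standard ACL: source only
ACL_100 = [(h, PAYROLL) for h in HOSTS_ABC]  # hosts a, b, c -> payroll server
ACL_110 = [(ANY, PAYROLL)]                   # anyone -> payroll server

# (sequence number, ACL or None for "no match clause", action)
TIM_MAP = [(10, ACL_1, "forward")]
ANDY_MAP = [(10, ACL_100, "forward"), (20, ACL_110, "drop"), (30, None, "forward")]

def acl_permits(acl, src, dst):
    """True if a permit entry matches; an ACL ends in an implicit deny."""
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in acl)

def vlan_map_action(vmap, src, dst):
    """Lowest matching sequence wins; IP traffic matching none is dropped."""
    for _seq, acl, action in sorted(vmap, key=lambda e: e[0]):
        if acl is None or acl_permits(acl, src, dst):
            return action
    return "drop"

def switch_forwards(vlan_filters, frame):
    """The filter is looked up by VLAN only; frame['ingress'] is never consulted,
    so a frame tagged for the VLAN on a trunk is treated like any other."""
    vmap = vlan_filters.get(frame["vlan"])
    return vmap is None or vlan_map_action(vmap, frame["src"], frame["dst"]) == "forward"

# Constructed frames: host d is not on the allowed list.
FRAMES = {
    "a_to_payroll_via_trunk": dict(ingress="trunk", vlan=10, src="10.10.10.11", dst="10.10.10.100"),
    "d_to_payroll_via_trunk": dict(ingress="trunk", vlan=10, src="10.10.10.50", dst="10.10.10.100"),
    "d_to_payroll_via_access": dict(ingress="access", vlan=10, src="10.10.10.50", dst="10.10.10.100"),
    "d_to_other_host": dict(ingress="access", vlan=10, src="10.10.10.50", dst="10.10.10.60"),
    "d_in_vlan_20": dict(ingress="trunk", vlan=20, src="10.20.20.50", dst="10.20.20.60"),
}

def evaluate(vmap):
    """Forwarding decision per sample frame with vmap applied to VLAN 10."""
    return {name: switch_forwards({10: vmap}, f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for label, vmap in (("Tim", TIM_MAP), ("Andy", ANDY_MAP)):
        print(label, evaluate(vmap))
```

Both maps keep host d away from the payroll server whichever port the frame arrives on; only the three-sequence map still forwards the rest of the vlan 10 traffic.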