Re: 3550 ACL's ..

From: Mohammed Khasawneh (mohammed.khasawneh@gmail.com)
Date: Mon Sep 18 2006 - 04:01:58 ART


Dears,
Based on the DOC, the configuration will be as follows (assuming that
the hosts and the server are in the same subnet):

vlan access-map deny-icmp 1
 action forward
 match ip address 150
vlan access-map deny-icmp 2
 action drop
 match ip address 151

vlan filter deny-icmp vlan-list 6

access-list 150 permit tcp any any
access-list 150 permit udp any any
access-list 151 permit icmp any host 10.10.16.100

It will work!

Note: if you want to apply this policy to traffic sourced from other VLANs,
you have to use a RACL on the VLAN 6 interface.

Regards

Khasawneh

----- Original Message -----
From: "2nd CCIE" <doubleccie@yahoo.com>
To: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Saturday, September 16, 2006 8:47 PM
Subject: 3550 ACL's ..

> Folks,
> I have trouble trying to do a simple configuration on the 3550.
> I have a server connected to the 3550 on port f0/11.
>
> All I want to do is deny ICMP to this server and allow everything
> else.
> Although it looks like something easy, it does not work for me.
>
> Here is my configuration:
>
> !
> interface FastEthernet0/11
> switchport access vlan 16
> switchport mode dynamic desirable
> ip access-group 101 in
> !
> !
> access-list 101 deny icmp any host 10.10.16.100
> access-list 101 permit ip any any
> !
>
> With this configuration I can still ping the server from anywhere. I
> tried to apply the ACL on the interface vlan 16; nothing changed.
>
> If I remove the second entry of the ACL (basically denying everything), it
> works,
>
> but I need the communication to the server; only the ping I want to
> disable.
>
> What am I missing here?
>
>
> Thanks
>
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
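The following is an added illustration, not part of either message above: a small Python model of how the VLAN map in the reply is evaluated, so the resulting action for a given packet can be checked before the policy is pushed to a switch. The model is an assumption about VLAN-map behaviour as documented for Catalyst switches (sequences are tried in order, the first matching sequence's action wins, and an IP packet that matches no sequence is dropped); the packet values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed IP packet summary: protocol plus source/destination host."""
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str


# Numbered IP ACLs from the reply, modelled as (protocol, source, destination)
# entries.  "any" is a wildcard.  Each ACL only contains permit entries, which
# is what a VLAN-map "match ip address" clause needs.
ACL_150 = [("tcp", "any", "any"), ("udp", "any", "any")]
ACL_151 = [("icmp", "any", "10.10.16.100")]

# vlan access-map deny-icmp: sequence number, action, ACL used for matching.
VLAN_MAP_DENY_ICMP = [
    (1, "forward", ACL_150),
    (2, "drop", ACL_151),
]


def acl_matches(acl, pkt):
    """Return True if any permit entry of the ACL matches the packet."""
    for proto, src, dst in acl:
        if proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        return True
    return False


def vlan_map_action(vlan_map, pkt):
    """Evaluate VLAN-map sequences in order; first match decides the action.

    Assumption (per VLAN-map documentation): an IP packet matching no
    sequence is dropped by the implicit default action.
    """
    for _seq, action, acl in vlan_map:
        if acl_matches(acl, pkt):
            return action
    return "drop"


def evaluate_policy():
    """Run the reply's policy against a few constructed packets."""
    samples = {
        "tcp_to_server": Packet("tcp", "10.10.16.5", "10.10.16.100"),
        "icmp_to_server": Packet("icmp", "10.10.16.5", "10.10.16.100"),
        "icmp_between_hosts": Packet("icmp", "10.10.16.5", "10.10.16.6"),
        "udp_from_server": Packet("udp", "10.10.16.100", "10.10.16.5"),
    }
    return {name: vlan_map_action(VLAN_MAP_DENY_ICMP, p)
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, action in evaluate_policy().items():
        print(f"{name:20s} -> {action}")
```

Running the model shows the intended effect (TCP and UDP to the server are forwarded, ICMP to the server is dropped) and also makes the implicit default visible: ICMP between two other hosts in the VLAN matches neither sequence, so under the modelled default it is dropped as well, which is worth verifying on the switch before relying on the map.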



This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART