From: Sam Lai (LaiS@transnet.com)
Date: Mon Sep 18 2006 - 10:27:59 ART
Dear Mohammed,
This is a great trick. Thanks. :) It is a great alternative to the
"switchport protected" interface command, and it is more flexible in
what you can control in the traffic pattern.
I assume, however, that what 2nd wants to accomplish is to deny (all or
certain) traffic until the user is authenticated (of any kind?) on a
per-port basis. That's why he tried lock_n_key to begin with.
I have never mixed a vlan access-map with a dynamic access-list.
But I doubt it would work, because lock_n_key works only when the ACL is
applied to a routed interface. Anyway, I may give it a try by placing the
ACL on the VLAN SVI and see. Or would someone interested try it and tell us
the story after the experiment?
Thanks.
Sam
Sam Lai, CCIE CISSP
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Mohammed Khasawneh
Sent: Monday, September 18, 2006 3:02 AM
To: 2nd CCIE; security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: 3550 ACL's ..
Dears
Based on the DOC, the configuration will be as follows (assuming that the hosts and the server are in the same subnet):
vlan access-map deny-icmp 1
 action forward
 match ip address 150
vlan access-map deny-icmp 2
 action drop
 match ip address 151
vlan filter deny-icmp vlan-list 6

access-list 150 permit tcp any any
access-list 150 permit udp any any
access-list 151 permit icmp any host 10.10.16.100
It will work!
Note: if you want to apply this policy to traffic sourced from other
VLANs, you have to use a RACL on the VLAN 6 interface.
Regards
Khasawneh
----- Original Message -----
From: "2nd CCIE" <doubleccie@yahoo.com>
To: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Saturday, September 16, 2006 8:47 PM
Subject: 3550 ACL's ..
> Folks;
> I have trouble trying to do a simple configuration on the 3550.
> I have a server connected to the 3550 on port f0/11.
>
> All I want to do is to deny ICMP to this server and allow everything
> else.
> Although it looks like something easy, it does not work for me.
>
> Here is my configuration:
>
> !
> interface FastEthernet0/11
>  switchport access vlan 16
>  switchport mode dynamic desirable
>  ip access-group 101 in
> !
> !
> access-list 101 deny icmp any host 10.10.16.100
> access-list 101 permit ip any any
> !
>
> With this configuration I still can ping the server from anywhere. I
> tried to apply the ACL on the interface vlan 16; nothing changed.
>
> If I remove the second entry of the ACL (basically deny everything), it
> works.
>
> But I need the communication to the server; only the ping I want to
> disable...
>
> What am I missing here?
>
> Thanks
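Mohammed's vlan access-map, modelled as an added Python example that is not part of this thread: it evaluates the two sequences in order against sample packets and also shows the implicit drop a VACL applies to IP packets that match no sequence, so ICMP to any other host in the filtered VLAN (and any non-TCP/UDP/ICMP IP traffic) is dropped as well, which is worth checking before deploying the map. The Packet class, the ACL and access-map tables and the sample addresses are constructed for the example.

```python
# Added example, not code from the thread: a small model of how a VLAN
# access-map is evaluated against IP packets, using the ACLs posted above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp", "icmp", ...
    src: str
    dst: str


# access-list 150 / 151 as (proto, src, dst) permit entries; "any" matches all.
ACLS = {
    150: [("tcp", "any", "any"), ("udp", "any", "any")],
    151: [("icmp", "any", "10.10.16.100")],
}

# vlan access-map deny-icmp: (sequence, action, ACL), checked in sequence order.
ACCESS_MAP = [
    (1, "forward", 150),
    (2, "drop", 151),
]


def acl_matches(acl_id: int, pkt: Packet) -> bool:
    """True when an entry of the numbered ACL permits (i.e. matches) pkt."""
    for proto, src, dst in ACLS[acl_id]:
        if proto == pkt.proto and src in ("any", pkt.src) and dst in ("any", pkt.dst):
            return True
    return False  # no entry matched: the access-map sequence does not hit


def vacl_action(pkt: Packet) -> str:
    """First sequence whose match clause hits decides; an IP packet that
    matches no sequence is dropped (the VACL's implicit deny)."""
    for _seq, action, acl_id in ACCESS_MAP:
        if acl_matches(acl_id, pkt):
            return action
    return "drop"


if __name__ == "__main__":
    # Constructed sample traffic inside the filtered VLAN.
    samples = [
        Packet("tcp", "10.10.16.5", "10.10.16.100"),   # forward (sequence 1)
        Packet("icmp", "10.10.16.5", "10.10.16.100"),  # drop (sequence 2)
        Packet("icmp", "10.10.16.5", "10.10.16.7"),    # drop (implicit deny)
        Packet("gre", "10.10.16.5", "10.10.16.7"),     # drop (implicit deny)
    ]
    for p in samples:
        print(f"{p.proto:5} {p.src} -> {p.dst}: {vacl_action(p)}")
```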
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:40 ART