RE: Vlan access-map

From: Djerk Geurts (djerk@djerk.nl)
Date: Tue Jul 24 2007 - 20:36:55 ART


My reasoning would be that if you block all traffic to the server
(destination port 80) then there will be no return traffic with source port
80. Hence "permit tcp any any eq www" would do fine. Any packet traversing
the vlan will be checked to see whether its destination is port tcp:80.

I don't think the question whether the switch applies the VACL at interface
ingress or egress is relevant. Please correct me if I'm wrong.

Djerk

> -----Original Message-----
> From: Brandon Smithson [mailto:thesmithsons@verizon.net]
> Sent: woensdag 25 juli 2007 1:06
> To: 'Djerk Geurts'; 'Cisco certification'
> Subject: RE: Vlan access-map
>
> Isn't a vlan filter not bound to a direction? So you would add:
> Permit tcp any eq www any
>
> ??
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Djerk Geurts
> Sent: Tuesday, July 24, 2007 3:15 PM
> To: 'Cisco certification'
> Subject: Vlan access-map
>
> Hi everyone,
>
> Just going over my notes and was reminded of the following config:
>
> Allow only http on a VLAN
>
> vlan access-map only-http 10
> action forward
> match ip address http
> !
> ip access-list extended http
> permit tcp any any eq www
> !
> vlan filter only-http vlan-list 11
>
>
> Now is this the best way to apply an ACL to a vlan or should an interface
> ACL be used? In my head I'd say the above if L3 inspection of a L2 vlan is
> the objective. This as one can apply the ACL to the vlan without applying it
> to a vlan interface which imho is L3 (bar bridging and MPLS configurations).
>
> Is my recap correct?
>
> --
> Djerk
> www.djerk.nl
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
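An added example (not from the thread) that models how a stateless, directionless VLAN access-map evaluates both halves of an HTTP session: once under the single ACE from the original post, and once with the extra "permit tcp any eq www any" line Brandon suggests. The hosts, ports and the simplified ACE matcher are constructed for illustration.

```python
"""Constructed model of a directionless VLAN access-map (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Dict

WWW = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Ace:
    """One extended ACL entry: 'any' for an address, None for no port test."""
    proto: str
    src: str
    sport_eq: Optional[int]
    dst: str
    dport_eq: Optional[int]

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.sport_eq is None or self.sport_eq == p.sport)
                and (self.dport_eq is None or self.dport_eq == p.dport))


def vacl_forward(acl: List[Ace], p: Packet) -> bool:
    """A VACL sees every packet in the VLAN, whichever way it is going; a
    packet matching the 'action forward' ACL is forwarded, the rest dropped."""
    return any(ace.matches(p) for ace in acl)


# ip access-list extended http / permit tcp any any eq www   (original post)
ONE_WAY = [Ace("tcp", "any", None, "any", WWW)]
# ... plus Brandon's "permit tcp any eq www any" for the server's replies
BOTH_WAYS = ONE_WAY + [Ace("tcp", "any", WWW, "any", None)]

# Constructed session: client 10.11.0.5 <-> web server 10.11.0.80 in VLAN 11
REQUEST = Packet("10.11.0.5", "10.11.0.80", 51234, WWW)   # client -> server
REPLY = Packet("10.11.0.80", "10.11.0.5", WWW, 51234)     # server -> client


def session_result(acl: List[Ace]) -> Dict[str, bool]:
    """Forwarding decision for each direction of the constructed session."""
    return {"request": vacl_forward(acl, REQUEST),
            "reply": vacl_forward(acl, REPLY)}
```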



This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:41 ART