RE: VLAN Access Control

From: Gupta, Gopal (NWCC) (gopal.gupta@hp.com)
Date: Sat Jan 12 2008 - 05:57:31 ARST


Hi Abou,

Just to make it more simple, let's see:

ip access-list extended ACL-V
 permit tcp 172.16.10.0 0.0.0.255 192.168.106.0 0.0.0.255 eq www   ------> This is what we have to deny

vlan access-map ccie 10
 match ip address ACL-V
 action drop

vlan access-map ccie 20
 action forward   ------> whether WWW or any IP traffic, that will be permitted.

vlan filter ccie vlan-list 200

How about it ????
HTH
Gops

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Abou-3alaa Abou-3alaa
Sent: Thursday, January 10, 2008 15:18
To: ccielab@groupstudy.com
Subject: VLAN Access Control
Importance: Low

I am a little confused about this config:

VLAN Access Control
Configure an ACL with name ACL-V to obtain the following requirements:
- Deny Web Traffic from 172.16.10.0/24 to Subnet 192.168.106.0
- Permit Web Traffic from 172.16.0.0/8 to Subnet 192.168.106.0
- Permit Any Other IP traffic from your Rack to Subnet 192.168.106.0
Do not use deny statements, use only PERMIT statements. (192.168.106.0 is VLAN_200)

ip access-list extended ACL-V
 permit tcp 172.16.10.0 0.0.0.255 192.168.106.0 0.0.0.255 eq www
ip access-list extended ACL-VV
 permit tcp 172.16.0.0 0.255.255.255 192.168.106.0 0.0.0.255 eq www
 permit ip any 192.168.106.0 0.0.0.255

vlan access-map ccie 10
 match ip address ACL-V
 action drop
vlan access-map ccie 20
 match ip address ACL-VV
 action forward
vlan filter ccie vlan-list 200

This config works and meets the requirement.
What does Narbik suggest?
Rgds
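To see why a permit-only ACL can implement a deny, and where the two configurations in this thread differ, here is a small simulator of VLAN access-map evaluation. It is an added example, not part of the thread and not Cisco code: it models the IOS rules that the lowest sequence whose match clause permits the packet decides the action, that a sequence with no match clause matches everything, and that a packet matching no sequence is dropped. The ACL and access-map entries mirror the two posted configurations; the host addresses, ports and flow names are constructed for the simulation.

```python
"""Simulate Cisco VLAN access-map (VACL) evaluation for the ACL-V task.

Added example, not part of the mailing-list thread. Host addresses, ports
and flow names below are constructed; the ACL and access-map entries mirror
the two configurations posted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HTTP = 80  # "eq www"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One permit entry of a named extended ACL (the task forbids deny entries)."""
    proto: str                 # "ip" matches any IP protocol
    src: str
    src_wild: str              # IOS wildcard: set bits are "don't care"
    dst: str
    dst_wild: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class MapEntry:
    """One sequence of a vlan access-map; match_acl None = no match clause."""
    seq: int
    action: str                # "drop" or "forward"
    match_acl: Optional[str] = None


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_permits(acl: list, pkt: Packet) -> bool:
    # Permit-only ACL: any matching entry permits, implicit deny otherwise.
    return any(ace_matches(ace, pkt) for ace in acl)


def vacl_action(access_map: list, acls: dict, pkt: Packet) -> str:
    """Lowest sequence whose match clause permits the packet decides the action.
    A sequence without a match clause matches everything; if no sequence
    matches, the VACL drops the packet (implicit deny at the end of the map)."""
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.match_acl is None or acl_permits(acls[entry.match_acl], pkt):
            return entry.action
    return "drop"


ACL_V = [Ace("tcp", "172.16.10.0", "0.0.0.255", "192.168.106.0", "0.0.0.255", HTTP)]
ACL_VV = [
    Ace("tcp", "172.16.0.0", "0.255.255.255", "192.168.106.0", "0.0.0.255", HTTP),
    Ace("ip", "0.0.0.0", "255.255.255.255", "192.168.106.0", "0.0.0.255"),  # permit ip any ...
]
ACLS = {"ACL-V": ACL_V, "ACL-VV": ACL_VV}

# Reply's version: seq 20 has no match clause, so everything not dropped is forwarded.
REPLY_MAP = [MapEntry(10, "drop", "ACL-V"), MapEntry(20, "forward")]
# Original poster's version: seq 20 forwards only what ACL-VV permits.
ORIGINAL_MAP = [MapEntry(10, "drop", "ACL-V"), MapEntry(20, "forward", "ACL-VV")]


def compare(pkt: Packet) -> tuple:
    """Action under (reply config, original config) for one constructed flow."""
    return (vacl_action(REPLY_MAP, ACLS, pkt), vacl_action(ORIGINAL_MAP, ACLS, pkt))


if __name__ == "__main__":
    flows = {
        "web 172.16.10.0/24 -> VLAN_200":   Packet("172.16.10.5", "192.168.106.20", "tcp", HTTP),
        "web other 172.x host -> VLAN_200": Packet("172.20.1.5", "192.168.106.20", "tcp", HTTP),
        "ssh 172.16.10.0/24 -> VLAN_200":   Packet("172.16.10.5", "192.168.106.20", "tcp", 22),
        "icmp rack -> VLAN_200":            Packet("10.1.1.1", "192.168.106.20", "icmp"),
        "VLAN_200 web server -> client":    Packet("192.168.106.20", "172.20.1.5", "tcp", 40000),
    }
    for name, pkt in flows.items():
        reply, original = compare(pkt)
        print(f"{name:34s} reply={reply:8s} original={original}")
```

The first four flows get the same verdict under both configurations, which is why both meet the three stated requirements. The last flow is the practitioner's caveat: a VACL is applied to every packet entering VLAN 200, including replies sent by the 192.168.106.0 hosts themselves, and with `match ip address ACL-VV` on sequence 20 such a reply matches neither ACL and falls to the implicit drop, whereas the reply's version with an unconditional sequence 20 forwards it.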



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:37:59 ARST