Re: [nsp] Access lists and uplink-redirect

From: Routing Junkie (ip_plumber@yahoo.com)
Date: Thu Jul 12 2001 - 12:52:28 EDT


Your configuration does not make sense. Your access
list is permitting two stations on the same subnet to
talk, but the addressing on that port is not in the
same subnet, nor is that GE port in any of your bridge
groups. Where those servers live is also unclear.

I would first like to state that after a brief glance,
you appear to have a bad design. However it would
require more visibility into the network to confirm
that.

You may want to try the following ACL:

ip access-list extended telnet
 permit tcp any any established
 permit tcp host 212.101.75.10 host 212.101.75.2 eq telnet

You may even need to add a "permit ip any any" at the
end, depending on where everything lives, and also
depending on what you mean by "all traffic is
blocked".

Remember, at the end of every access-list there is an
implicit "deny any any".

Hope this helps.....

--- Gabriel Sanchez <gsanchez@servicom2000.com> wrote:
> 2 VLANs (Bridge-group 9 and 10)
>
> *-------- 2948G-L3 -----------* --Gbit-- *------- 4908G-L3 -----------*
>
>
> 2948G-L3 config
>
> ....
> ip uplink-redirect
> bridge irb
> !
> ....
> interface FastEthernet1
>  no ip address
>  no ip directed-broadcast
>  no cdp enable
>  bridge-group 9
>  bridge-group 9 spanning-disabled
> !
> ....
> interface FastEthernet7
>  no ip address
>  no ip directed-broadcast
>  no cdp enable
>  bridge-group 10
>  bridge-group 10 spanning-disabled
> !
> ....
> interface GigabitEthernet49
>  ip address 192.168.20.253 255.255.255.252
>  ip access-group telnet in
>  no ip directed-broadcast
>  no cdp enable
> !
> ....
> ip classless
> ip route 0.0.0.0 0.0.0.0 192.168.20.254
> !
> ......
> ip access-list extended telnet
>  permit tcp host 212.101.75.10 host 212.101.75.2 eq telnet
>
> As you can see in the previous config, I have to
> get two VLANs communicating in a 2948G-L3 working in an
> "uplink-redirect" environment with a 4908G-L3 as
> router.
>
> All works fine; a ping goes from a VLAN in the 2948
> to the uplink address in the 4908G and returns again
> to the other VLAN in the 2948, but as soon as I
> apply the ACL "telnet" to the interface Giga 49 in
> the 2948, as you can see in the configuration, I
> can't communicate between the two VLANs. Although
> the ACL is a "permit", all the traffic is blocked.
>
> Has anyone installed access-lists in this kind of
> environment?
>
> I'd appreciate any help.


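An added example, not code from either poster: a small first-match evaluator for Cisco-style extended access-list lines, run against the ACL as posted and the one suggested in the reply. It shows the effect of the implicit "deny any any" that the reply points out: with the single permit line, the ICMP ping between the two hosts and the telnet return traffic both hit the implicit deny when they enter Gi49, and only an added "permit ip any any" lets the ping through. The addresses and ACL lines are the ones quoted in the thread; the packets are constructed sample input, the "established" keyword is modelled as the ACK or RST flag being set, and the parser, port table and packet format are this example's own assumptions.

```python
import ipaddress

# Added example, not from the original thread: a minimal first-match
# evaluator for IOS-style extended ACL entries (ACEs). Only the keywords
# used in the thread (host/any, eq <port>, established) are supported.
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "domain": 53}


def _parse_addr(tokens):
    """Consume one source/destination spec, return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "address wildcard" form; ipaddress accepts a host mask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse e.g. 'permit tcp host 212.101.75.10 host 212.101.75.2 eq telnet'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport, established = None, False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            name = rest.pop(0)
            dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif tok == "established":
            established = True
        else:
            raise ValueError(f"unsupported keyword {tok!r} in {line!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "established": established}


def parse_acl(text):
    """Parse the ACE lines of an 'ip access-list extended' block."""
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line and not line.startswith("ip access-list"):
            aces.append(parse_ace(line))
    return aces


def _ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    # "established" matches TCP segments with ACK or RST set, i.e. not a bare SYN
    if ace["established"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False
    return True


def evaluate(aces, pkt):
    """First matching entry wins; no match falls into the implicit deny."""
    for ace in aces:
        if _ace_matches(ace, pkt):
            return ace["action"]
    return "deny"  # implicit "deny ip any any" at the end of every IOS ACL


def compare(acl_text, packets):
    """Return {packet name: 'permit'|'deny'} for one ACL over several packets."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in packets.items()}


# The ACL as posted and the one suggested in the reply (quoted from the thread).
POSTED_ACL = """
ip access-list extended telnet
 permit tcp host 212.101.75.10 host 212.101.75.2 eq telnet
"""
SUGGESTED_ACL = """
ip access-list extended telnet
 permit tcp any any established
 permit tcp host 212.101.75.10 host 212.101.75.2 eq telnet
"""

# Constructed sample packets; with uplink-redirect both directions of the
# inter-VLAN flow come back down the uplink and enter Gi49 inbound.
PACKETS = {
    "ping": {"proto": "icmp", "src": "212.101.75.10", "dst": "212.101.75.2"},
    "telnet syn": {"proto": "tcp", "src": "212.101.75.10", "dst": "212.101.75.2",
                   "dport": 23, "flags": {"SYN"}},
    "telnet reply": {"proto": "tcp", "src": "212.101.75.2", "dst": "212.101.75.10",
                     "dport": 40123, "flags": {"SYN", "ACK"}},
}

if __name__ == "__main__":
    print("posted      :", compare(POSTED_ACL, PACKETS))
    print("suggested   :", compare(SUGGESTED_ACL, PACKETS))
    print("+ ip any any:", compare(SUGGESTED_ACL + " permit ip any any\n", PACKETS))
```

The posted ACL permits only the telnet SYN; the reply's "established" line lets the telnet return segments through, but the ping is still dropped by the implicit deny until a "permit ip any any" (or an explicit icmp permit) is appended.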
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:44 EDT