[cisco-bba] isolate virtual access interfaces

Tassos Chatzithomaoglou achatz at forthnet.gr
Thu Jul 6 14:58:03 EDT 2006


Something else too...
If the vtemplate gets its IPs from 192.168.1.0/24, would there be any actual difference between the
following two:

1)
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any

int virtual-template 100
  ip access-group 100 out

2)
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any

int virtual-template 100
  ip access-group 100 in


Tassos Chatzithomaoglou wrote on 6/7/2006 21:32:
> 
> 
> Arie Vayner wrote on 6/7/2006 20:33:
>> Tassos,
>>
>> A few ideas:
>>
>> 1. Configure an ACL in the vtemplate blocking all egress traffic with
>> sources from the forbidden range.
>>
> 
> That seems an easy one.
> I still wonder why I didn't think of this one before.
> 
> Thanks Arie ;)
> 
> -- 
> Tassos
> 
>> 2. Configure a route-map for all traffic received over the ppp
>> sessions, pointing all the traffic to an upstream firewall (which is
>> next-hop of the LNS), and apply a similar policy as (1).
>>
>> Arie
>> CCIE#12198
>>
>> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>>> Is there an easy way of making all the vpdn sessions terminating under a
>>> common vtemplate (through l2tp) not to be able to see each other (but
>>> continue to have access to everywhere else)?
>>>
>>> -- 
>>> Tassos
>>> _______________________________________________
>>> cisco-bba mailing list
>>> cisco-bba at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-bba
>>>
>>
> 
> 

-- 
***************************************
         Tassos Chatzithomaoglou
Network Design & Development Department
              FORTHnet S.A.
          <achatz at forthnet.gr>
***************************************
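
The two options from the message above, modelled as an added example (not part of the original thread), to show which flows each one drops. It assumes the ACL is evaluated only on packets crossing a virtual-access interface in the configured direction and ignores router-originated traffic; the flows and host addresses are constructed.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are "don't care"."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def acl_permits(acl, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

ANY, POOL = ("any", None), ("192.168.1.0", "0.0.0.255")
ACL_OPT1 = [("deny", *POOL, *ANY), ("permit", *ANY, *ANY)]  # option 1, applied "out"
ACL_OPT2 = [("deny", *ANY, *POOL), ("permit", *ANY, *ANY)]  # option 2, applied "in"

def forwarded(option, src, dst, from_session, to_session):
    """from_session/to_session: packet enters/leaves through a virtual-access interface."""
    if option == 1:   # "out": checked only when the packet is sent to a session
        return not to_session or acl_permits(ACL_OPT1, src, dst)
    # "in": checked only when the packet is received from a session
    return not from_session or acl_permits(ACL_OPT2, src, dst)

# Constructed flows: (label, src, dst, from_session, to_session)
FLOWS = [
    ("session -> session", "192.168.1.10", "192.168.1.20", True, True),
    ("session -> outside", "192.168.1.10", "198.51.100.7", True, False),
    ("outside -> session", "198.51.100.7", "192.168.1.20", False, True),
    # pool-range source arriving on a non-session interface
    ("pool src via other if -> session", "192.168.1.99", "192.168.1.20", False, True),
    # pool-range destination that is reached through a non-session interface
    ("session -> pool dst via other if", "192.168.1.10", "192.168.1.200", True, False),
]

def compare():
    """Return {label: (forwarded under option 1, forwarded under option 2)}."""
    return {label: (forwarded(1, s, d, f, t), forwarded(2, s, d, f, t))
            for label, s, d, f, t in FLOWS}

if __name__ == "__main__":
    for label, (o1, o2) in compare().items():
        print(f"{label:34} option1={'fwd' if o1 else 'drop':4} "
              f"option2={'fwd' if o2 else 'drop'}")
```

In this model both options drop session-to-session traffic; they differ only on the last two flows, where the pool-range address is not behind a session on the same box.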

