[cisco-bba] isolate virtual access interfaces
Tassos Chatzithomaoglou
achatz at forthnet.gr
Thu Jul 6 14:58:03 EDT 2006
Something else too...
If the vtemplate gets its IPs from 192.168.1.0/24, would there be any actual difference between the
following two:
1)
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
int virtual-template 100
ip access-group 100 out
2)
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
int virtual-template 100
ip access-group 100 in
Tassos Chatzithomaoglou wrote on 6/7/2006 21:32:
>
>
> Arie Vayner wrote on 6/7/2006 20:33:
>> Tassos,
>>
>> A few ideas:
>>
>> 1. Configure an ACL in the vtemplate blocking all egress traffic with
>> sources from the forbidden range.
>>
>
> That seems an easy one.
> I still wonder why I didn't think of this one before.
>
> Thanks Arie ;)
>
> --
> Tassos
>
>> 2. Configure a route-map for all traffic received over the ppp
>> sessions, pointing all the traffic to an upstream firewall (which is
>> next-hop of the LNS), and apply a similar policy as (1).
>>
>> Arie
>> CCIE#12198
>>
>> On 7/6/06, Tassos Chatzithomaoglou <achatz at forthnet.gr> wrote:
>>> Is there an easy way of making all the vpdn sessions terminating
>>> under a common vtemplate (through
>>> l2tp) not to be able to see each other (but continue to have access
>>> to everywhere else)?
>>>
>>> --
>>> Tassos
>>> _______________________________________________
>>> cisco-bba mailing list
>>> cisco-bba at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-bba
>>>
>>
>
>
--
***************************************
Tassos Chatzithomaoglou
Network Design & Development Department
FORTHnet S.A.
<achatz at forthnet.gr>
***************************************
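
A small model of the two placements asked about above, added as an example and not part of the original thread: it evaluates each ACL with first-match and wildcard-mask semantics and applies it only to packets leaving (option 1) or entering (option 2) a virtual-access interface. The host addresses, the five flows, and 192.168.1.1 as a pool-range address that is not reached through a session are constructed assumptions; router-originated traffic is not modelled.

```python
import ipaddress

def parse_acl(text):
    # Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) rules.
    rules = []
    for line in text.strip().splitlines():
        action, _proto, *fields = line.split()[2:]      # drop 'access-list N'
        specs = []
        for _ in range(2):                              # source spec, then destination spec
            n = 1 if fields[0] == "any" else 2          # 'any' or 'address wildcard'
            specs.append((0, 0xFFFFFFFF) if n == 1 else
                         tuple(int(ipaddress.ip_address(f)) for f in fields[:2]))
            fields = fields[n:]
        rules.append((action, specs[0], specs[1]))
    return rules

def matches(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF                        # wildcard bits set to 1 are ignored
    return (int(ipaddress.ip_address(addr)) & care) == (spec[0] & care)

def acl_permits(rules, src, dst):
    for action, s, d in rules:                          # first match wins
        if matches(src, s) and matches(dst, d):
            return action == "permit"
    return False                                        # implicit deny ends every ACL

OPTION_1 = ("out", parse_acl("""
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any"""))
OPTION_2 = ("in", parse_acl("""
access-list 100 deny ip any 192.168.1.0 0.0.0.255
access-list 100 permit ip any any"""))

def forwarded(option, src, dst, in_va, out_va):
    # in_va / out_va: does the packet enter / leave through a virtual-access interface?
    direction, rules = option
    checked = out_va if direction == "out" else in_va
    return acl_permits(rules, src, dst) if checked else True

# Constructed flows (src, dst, in_va, out_va); 192.168.1.1 is an assumed non-session pool address.
FLOWS = {
    "subscriber -> subscriber":  ("192.168.1.10", "192.168.1.20", True, True),
    "subscriber -> outside":     ("192.168.1.10", "203.0.113.5", True, False),
    "outside -> subscriber":     ("203.0.113.5", "192.168.1.20", False, True),
    "subscriber -> 192.168.1.1": ("192.168.1.10", "192.168.1.1", True, False),
    "192.168.1.1 -> subscriber": ("192.168.1.1", "192.168.1.20", False, True),
}

def compare():
    return {name: (forwarded(OPTION_1, *f), forwarded(OPTION_2, *f)) for name, f in FLOWS.items()}
```

`compare()` maps each flow to (forwarded under option 1, forwarded under option 2). In this model both options drop subscriber-to-subscriber traffic and differ only on the two flows involving the non-session pool address.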