[c-nsp] access list - vlan-access-map
Vikas Sharma
vikassharmas at gmail.com
Mon Apr 10 01:18:33 EDT 2006
Hi,
Some issue with an access-list.
To stop spurious packets on the network we have blocked ports 135-139, port
445, etc. For this we have put in an access list like:
! Block the NetBIOS/RPC ports (TCP and UDP) on both directions
access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny tcp any any eq 136
access-list 110 deny udp any any eq 136
access-list 110 deny tcp any any eq 137
! (remaining entries for the other ports omitted in the post)
! A trailing permit is needed: without it the implicit "deny ip any any"
! at the end of the ACL blocks every other packet the ACL is applied to.
access-list 110 permit ip any any
and created VLAN 20 and configured the access-group on it:
! Assumed (from the post) to be applied under the SVI for VLAN 20
interface Vlan20
 ip access-group 110 in
 ip access-group 110 out
My objective is to stop spurious packets from entering or leaving VLAN 20.
VLAN 20 has a few ports defined as part of it.
Still, when I run ethereal (this is on dialup) it still shows spurious packets. My switch
ports are configured as layer two. Is that the reason: since I am using an
IP access-list on layer two, my packets are not getting filtered?
I have also thought of using a vlan-access-map to stop the packets
communicating in VLAN 20 on those particular ports, and I am sure I will be
able to get the desired result.
Just wanted to confirm: an IP access-list will not work on layer two ports
(switchports); I need to implement a vlan-access-map.
Regards
Vikas Sharma
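An added example (editor's, not from the original post or any reply): a VLAN access map that drops TCP/UDP 135-139 and 445 for every packet in VLAN 20, whether bridged between two switchports in the VLAN or routed through the SVI. The point it illustrates is the one behind the question: an ACL applied with "ip access-group" on interface Vlan20 is a router ACL and only sees traffic that is routed in or out of the SVI, so frames switched at layer two between ports of VLAN 20 pass it untouched, while a VACL is evaluated for all traffic in the VLAN. The names BLOCK-SMB and NOSMB are chosen here, and a Catalyst IOS platform that supports "vlan access-map" is assumed.

```cisco
! Added example, not the poster's configuration.
! Names (BLOCK-SMB, NOSMB) are assumptions; assumes a Catalyst running IOS
! with VACL support.
!
! In a VACL the match ACL only selects packets: "permit" here means
! "this packet matches the clause". The drop/forward decision comes from
! the "action" of the access-map entry, not from the ACL itself.
ip access-list extended BLOCK-SMB
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445
 permit udp any any eq 445
!
vlan access-map NOSMB 10
 match ip address BLOCK-SMB
 action drop
!
! A VACL ends in an implicit deny. Without this catch-all forward entry
! (no match clause = matches everything) all other traffic in VLAN 20
! would be dropped too.
vlan access-map NOSMB 20
 action forward
!
! Apply the map to VLAN 20 only; it takes effect for bridged and routed
! packets alike, no "in"/"out" direction is involved.
vlan filter NOSMB vlan-list 20
```

To check that it took effect, "show vlan access-map NOSMB" lists the entries and "show vlan filter" shows the map bound to VLAN 20; a capture on a VLAN 20 port should then no longer show 135-139/445 traffic between hosts in the VLAN. On platforms that support port ACLs, applying "ip access-group 110 in" directly on each physical switchport is the other option, but a port ACL is inbound-only on those platforms, so the VACL is the simpler way to cover the whole VLAN in both directions.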