[c-nsp] access list - vlan-access-map...no reply!!!

Vikas Sharma vikassharmas at gmail.com
Tue Apr 11 01:22:45 EDT 2006


On 4/10/06, Vikas Sharma <vikassharmas at gmail.com> wrote:
>
>  Hi,
>
> Some issue with access-list.
>
> To stop spurious packets on the network we have blocked port 135-139, port
> 445 etc. For this we have put an access list like,
>
> access-list 110 deny   tcp any any eq 135
> access-list 110 deny   udp any any eq 135
> access-list 110 deny   tcp any any eq 136
> access-list 110 deny   udp any any eq 136
> access-list 110 deny   tcp any any eq 137
>
> and created vlan 20 and configured access-group
> ip access-group 110 in
> ip access-group 110 out
>
> My objective is to stop spurious packets from entering or leaving VLAN 20.
> VLAN 20 has few ports defined as a part of it.
>
> Still when I run ethereal (this is on dialup) it shows spurious packets. My
> switch ports are configured in layer two. Is that the reason: on layer two I
> am using an IP access-list, thus my packets are not getting filtered?
>
> I have also thought of using vlan-access-map to stop the packets
> communicating in VLAN 20 on those particular ports and I am sure I will be
> able to receive the desired result.
>
> Just wanted to confirm, IP access-list will not work on layer two ports
> (switchport). I need to implement vlan-access-map.
>
> Regards
> Vikas Sharma
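For context on the question above: a router ACL applied with "ip access-group" on the VLAN 20 SVI only filters packets that are routed into or out of the VLAN through that interface; frames switched between layer 2 ports inside VLAN 20 never pass through it. A VLAN access map (VACL) is applied to every packet bridged or routed within the VLAN, so it is the usual tool for this. The configuration below is an added example, not the poster's configuration or any reply from the list. It assumes a Catalyst switch that supports VACLs and that VLAN 20 is the VLAN to protect; the map name "block-netbios" and the ACL name "vacl-netbios-match" are assumed.

```cisco
! Added example, not the poster's configuration. Assumes a Catalyst switch
! with VLAN access map support and that VLAN 20 is the VLAN to protect.
! The map name "block-netbios" and ACL "vacl-netbios-match" are assumed.
!
! In a VACL the referenced ACL only selects traffic: its permit entries
! are what match a clause. Write "permit" for the traffic you want dropped
! and give that clause "action drop". A "deny" entry here would simply
! leave the traffic unmatched by this clause.
ip access-list extended vacl-netbios-match
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445
 permit udp any any eq 445
!
vlan access-map block-netbios 10
 match ip address vacl-netbios-match
 action drop
!
! A VACL ends with an implicit drop. Without a final clause that forwards
! everything else, all other traffic in VLAN 20 is discarded.
vlan access-map block-netbios 20
 action forward
!
! Apply the map to VLAN 20. It now filters traffic switched between the
! layer 2 ports in the VLAN as well as traffic routed via the SVI.
vlan filter block-netbios vlan-list 20
```

Two points worth checking after applying this: the ordering of the two map clauses matters (the drop clause must come before the catch-all forward), and the match ACL must use "permit" rather than the "deny" wording of a router ACL, since the two constructs interpret the ACL differently. "show vlan access-map" and "show vlan filter" display the resulting configuration.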