[c-nsp] access list - vlan-access-map...no reply!!!
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Tue Apr 11 01:58:03 EDT 2006
>>
>> To stop spurious packets on the network we have blocked port
>> 135-139, port 445 etc. For this we have put access list like,
>>
>> access-list 110 deny tcp any any eq 135
>> access-list 110 deny udp any any eq 135
>> access-list 110 deny tcp any any eq 136
>> access-list 110 deny udp any any eq 136
>> access-list 110 deny tcp any any eq 137
>>
>> and created vlan 20 and configured access-group
>> ip access-group 110 in
>> ip access-group 110 out
>>
>> My objective is to stop spurious packets not to enter or go out of
>> VLAN 20. VLAN 20 has a few ports defined as a part of it.
>>
>> Still, when I run ethereal (this is on dialup) it shows spurious packets. My
>> switch ports are configured in layer two. Is it the reason, on layer
>> two I am using IP access-list thus my packets are not getting
>> filtered?
>>
>> I have also thought of using vlan-access-map to stop the packets
>> communicating in VLAN 20 on those particular ports and I am sure I
>> will be able to receive the desired result.
>>
>> Just wanted to confirm, IP access-list will not work on layer two
>> ports (switchport). I need to implement vlan-access-map.
Which switch model/platform are you using?
Putting an IP access-list on a SVI (VlanXX) will not stop communication
within the vlan, it will only limit the traffic routed via the SVI
from/to Vlan 20.
To filter on Layer 2, you usually need mac access-lists, but I think
this depends on what type of switch you're using.
oli
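As an added example (not from either poster), this is the VACL approach the original poster was considering: a vlan access-map that drops the NetBIOS/SMB ports 135-139 and 445 for traffic switched inside VLAN 20, which an IP access-group on the SVI cannot do. The ACL and map names are assumed; the syntax is that of Catalyst platforms that support vlan access-map (check your platform's documentation).

```cisco
! Ports to block inside VLAN 20. Note: in a VACL the ACL entries are
! written as "permit" because they select which packets the map matches;
! the drop happens in the map's action, not in the ACL.
ip access-list extended NETBIOS-SMB
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445
 permit udp any any eq 445
!
! Sequence 10: drop anything matched by the ACL above.
vlan access-map BLOCK-NETBIOS 10
 match ip address NETBIOS-SMB
 action drop
!
! Sequence 20: no match clause, so every other packet is forwarded.
! Without this entry the VACL would drop all remaining traffic in the VLAN.
vlan access-map BLOCK-NETBIOS 20
 action forward
!
! Apply the map to VLAN 20; it filters both bridged and routed packets
! entering or leaving that VLAN.
vlan filter BLOCK-NETBIOS vlan-list 20
```

Verify with "show vlan access-map" and "show vlan filter" that the map is bound to VLAN 20, then confirm with a capture on an access port that the NetBIOS/SMB traffic no longer appears.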