[c-nsp] access list - vlan-access-map...no reply!!!

Vikas Sharma vikassharmas at gmail.com
Tue Apr 11 03:14:22 EDT 2006


Thanks Oliver,

I am using cat 6509 switches. Since I am in a CDMA network dial-up, it will
be difficult for me to use mac access-list as lots of people are dialing in
to my network. Moreover I do not want to stop all communication in the VLAN,
I just wanted to stop packets on ports 135-139, 445 etc. Can VLAN-access-map
help me to achieve the goal?

Thanks
Vikas Sharma


On 4/11/06, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> >>
> >> To stop spurious packets on the network we have blocked port
> >> 135-139, port 445 etc. For this we have put an access list like,
> >>
> >> access-list 110 deny   tcp any any eq 135
> >> access-list 110 deny   udp any any eq 135
> >> access-list 110 deny   tcp any any eq 136
> >> access-list 110 deny   udp any any eq 136
> >> access-list 110 deny   tcp any any eq 137
> >>
> >> and created vlan 20 and configured access-group
> >> ip access-group 110 in
> >> ip access-group 110 out
> >>
> >> My objective is to stop spurious packets not to enter or go out of
> >> VLAN 20. VLAN 20 has few ports defined as a part of it.
> >>
> >> Still when I run ethereal (this is on dialup) It spurious packets. My
> >> switch ports are configured in layer two. Is it the reason, on layer
> >> two I am using IP access-list thus my packets are not getting
> >> filtered?
> >>
> >> I have also thought of using vlan-access-map to stop the packets
> >> communicating in VLAN 20 on those particular ports and I am sure I
> >> will be able to receive the desired result.
> >>
> >> Just wanted to confirm, IP access-list will not work on layer two
> >> ports (switchport). I need to implement vlan-access-map.
>
> which switch model/platform are you using?
>
> Putting an IP access-list on a SVI (VlanXX) will not stop communication
> within the vlan, it will only limit the traffic routed via the SVI
> from/to Vlan 20.
> To filter on Layer 2, you usually need mac access-lists, but I think
> this depends on what type of switch you're using.
>
>        oli
>
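The distinction Oliver draws is the important one: an IP ACL on the SVI (interface Vlan20) is a router ACL and only sees packets that are routed in or out of the VLAN, while hosts in VLAN 20 talking to each other are bridged at Layer 2 and never touch it. A VLAN access map (VACL) is evaluated for every packet switched within the VLAN, bridged or routed, so it is the construct that matches what Vikas describes. The configuration below is an added example of such a VACL for a Catalyst 6500 running IOS; it is not from either poster. The ACL name, map name and the exact port set are assumptions; note that in a VACL the ACL's `permit` lines mean "this is the traffic the map entry acts on", and a sequence with no `match` clause matches everything that earlier sequences did not.

```cisco
! Extended ACL listing only the traffic to be dropped (name is an assumption).
! "eq"/"range" here match the DESTINATION port, as in the original numbered ACL;
! add mirrored lines with the port on the source side if those replies matter too.
ip access-list extended BLOCK-NETBIOS-SMB
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445
 permit udp any any eq 445
!
! Sequence 10: packets matched by the ACL are dropped.
! "log" makes the switch report dropped packets so the filter can be verified.
vlan access-map VLAN20-FILTER 10
 match ip address BLOCK-NETBIOS-SMB
 action drop log
!
! Sequence 20: no match clause, so everything else is forwarded.
! Without this entry the implicit deny at the end of the map drops ALL traffic in the VLAN.
vlan access-map VLAN20-FILTER 20
 action forward
!
! Attach the map to VLAN 20 only; it applies regardless of whether the
! access ports are Layer 2 switchports or whether an SVI exists.
vlan filter VLAN20-FILTER vlan-list 20
!
! Verification after applying:
!   show vlan access-map VLAN20-FILTER
!   show vlan filter
```

Two practical checks before relying on this: a VACL has no direction, so one map covers traffic both into and out of the hosts in the VLAN (the `in`/`out` pair of `ip access-group` statements is unnecessary), and on this platform a port ACL applied directly to a Layer 2 switchport is inbound only, which is one more reason the original `ip access-group 110 out` would not have had the intended effect on the access ports.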

