[c-nsp] access list - vlan-access-map...no reply!!!

Tim Stevenson tstevens at cisco.com
Tue Apr 11 10:58:39 EDT 2006


At 12:14 AM 4/11/2006, Vikas Sharma averred:
>Thanks Oliver,
>
>I am using cat 6509 switches. Since I am on a CDMA dial-up network, it will
>be difficult for me to use a mac access-list as lots of people are dialing in
>to my network. Moreover I do not want to stop all communication in the VLAN,
>I just want to stop packets on ports 135-139, 445 etc. Can VLAN-access-map
>help me to achieve the goal?

Yes, VACLs filter bridged (as well as routed) traffic based on L3/L4 
information - you don't need to know the MACs.

Tim


>Thanks
>Vikas Sharma
>
>
>On 4/11/06, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> >
> > >>
> > >> To stop spurious packets on the network we have blocked port
> > >> 135-139, port 445 etc. For this we have put  access list like,
> > >>
> > >> access-list 110 deny   tcp any any eq 135
> > >> access-list 110 deny   udp any any eq 135
> > >> access-list 110 deny   tcp any any eq 136
> > >> access-list 110 deny   udp any any eq 136
> > >> access-list 110 deny   tcp any any eq 137
> > >>
> > >> and created vlan 20 and configured access-group
> > >> ip access-group 110 in
> > >> ip access-group 110 out
> > >>
> > >> My objective is to stop spurious packets from entering or leaving
> > >> VLAN 20. VLAN 20 has a few ports defined as a part of it.
> > >>
> > >> Still, when I run Ethereal (this is on dial-up) it shows spurious packets. My
> > >> switch ports are configured in layer two. Is that the reason, that on layer
> > >> two I am using an IP access-list and thus my packets are not getting
> > >> filtered?
> > >>
> > >> I have also thought of using vlan-access-map to stop the packets
> > >> communicating in VLAN 20 on those particular ports and I am sure I
> > >> will be able to receive the desired result.
> > >>
> > >> Just wanted to confirm, IP access-list will not work on layer two
> > >> ports (switchport). I need to implement vlan-access-map.
> >
> > which switch model/platform are you using?
> >
> > Putting an IP access-list on an SVI (VlanXX) will not stop communication
> > within the vlan, it will only limit the traffic routed via the SVI
> > from/to Vlan 20.
> > To filter on Layer 2, you usually need mac access-lists, but I think
> > this depends on what type of switch you're using..
> >
> >        oli
> >
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/



Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Catalyst 6500
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.
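A worked configuration for what Tim describes (a VACL filtering bridged traffic on L3/L4 fields), which also shows why Oliver's point about the SVI ACL matters. This is an added example, not part of any message in the thread. It assumes VLAN 20 and TCP/UDP ports 135-139 and 445 as Vikas states, and Catalyst 6500 IOS syntax; the names BLOCK-SMB and SMB-FILTER are invented. The gotcha to watch: in a VACL the ACL's permit entries select the traffic the action applies to, so an ACL written with deny entries like access-list 110 above would select nothing and the map would drop nothing.

```cisco
! Added example, not from the thread. Assumptions: VLAN 20, ports 135-139 and 445,
! Catalyst 6500 IOS syntax; the names BLOCK-SMB and SMB-FILTER are invented.
!
! 1. The ACL selects the traffic the access-map action will apply to.
!    In a VACL "permit" means "this is a match", so the ports to be blocked
!    are permitted here; "deny" entries would match nothing.
ip access-list extended BLOCK-SMB
 permit tcp any any range 135 139
 permit udp any any range 135 139
 permit tcp any any eq 445
 permit udp any any eq 445
!
! 2. Sequence 10 drops whatever BLOCK-SMB matches. Sequence 20 is required:
!    a packet that matches no access-map entry is dropped by default, which
!    would stop all other traffic in the VLAN.
vlan access-map SMB-FILTER 10
 match ip address BLOCK-SMB
 action drop
vlan access-map SMB-FILTER 20
 action forward
!
! 3. Apply the map to the VLAN. Unlike "ip access-group" on interface Vlan20,
!    this is evaluated for every packet entering VLAN 20, bridged host-to-host
!    traffic included, not only traffic routed through the SVI.
vlan filter SMB-FILTER vlan-list 20
```

Check it with "show vlan access-map SMB-FILTER" and "show vlan filter vlan-list 20", then repeat the Ethereal capture from a dial-up host; the 135-139/445 traffic between two hosts in VLAN 20 should no longer appear. The "ip access-group 110 in/out" on the SVI can stay or go; it never saw the bridged traffic in the first place.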

