[c-nsp] OT: ACLs Cisco 2800 to Switch 3Com 5500
Jorge Evangelista
netsecuredata at gmail.com
Wed Nov 14 11:49:17 EST 2007
Hi list,
I have enabled routing on my corporate switch. I had a Cisco 2800 from
my ISP configured to do inter-VLAN routing, and I have moved the
corporate VLANs to my 3COM 5500G switch, but I have had some issues
applying ACLs. I have only got the blocking working for VLAN 40, where
it works fine, but for VLAN 35 the ACL does not work: with ACL 3035 the
PCs cannot reach any of my servers (VLAN 30). Can anyone help me with
this configuration? Thanks in advance.
-------------------------------------------------------------------------------------------------------------------
Cisco 2800 / Old Configuration
interface FastEthernet0/0.1
description VLAN 01
encapsulation dot1Q 1 native
ip address 192.168.30.1 255.255.255.0
ip access-group VLAN1-IN in
!
interface FastEthernet0/0.35
description VLAN 35
encapsulation dot1Q 35
ip address 192.168.35.1 255.255.255.0
ip access-group VLAN35-IN in
ip helper-address 192.168.30.6
!
interface FastEthernet0/0.40
description VLAN 40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip access-group VLAN40-IN in
ip access-list extended VLAN1-IN
remark Permit Access to corporate Servers
permit ip host 192.168.30.7 192.168.35.0 0.0.0.255
permit ip host 192.168.30.8 192.168.35.0 0.0.0.255
permit ip host 192.168.30.13 192.168.35.0 0.0.0.255
permit ip host 192.168.30.5 192.168.35.0 0.0.0.255
permit ip host 192.168.30.6 192.168.35.0 0.0.0.255
deny ip any 192.168.35.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
permit ip any any
ip access-list extended VLAN35-IN
remark Permit Access to corporate Servers
permit ip any host 192.168.30.13
permit ip any host 192.168.30.5
permit ip any host 192.168.30.6
permit ip any host 192.168.30.7
permit ip any host 192.168.30.8
deny ip any 192.168.30.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
permit ip any any
ip access-list extended VLAN40-IN
deny ip any 192.168.30.0 0.0.0.255
deny ip any 192.168.35.0 0.0.0.255
permit ip any any
!
------------------------------------------------------------------------------------------------------------------------
3COM 5500G
acl number 3040
rule 1 deny ip dest 192.168.30.0 0.0.0.255
rule 2 deny ip dest 192.168.35.0 0.0.0.255
acl number 3035
rule 1 permit ip destination 192.168.30.13 0
rule 2 permit ip destination 192.168.30.5 0
rule 3 permit ip destination 192.168.30.6 0
rule 4 permit ip destination 192.168.30.7 0
rule 5 permit ip destination 192.168.30.8 0
rule 6 deny ip dest 192.168.30.0 0.0.0.255
rule 7 deny ip dest 192.168.40.0 0.0.0.255
interface Vlan-interface1
ip address 192.168.50.5 255.255.255.252
ip address 192.168.30.1 255.255.255.0 sub
#
interface Vlan-interface35
ip address 192.168.35.1 255.255.255.0
udp-helper server 192.168.30.6
#
interface Vlan-interface40
ip address 192.168.40.1 255.255.255.0
#
interface GigabitEthernet1/0/3
stp edged-port enable
broadcast-suppression pps 3000
port access vlan 40
packet-filter inbound ip-group 3040 rule 1
packet-filter inbound ip-group 3040 rule 2
undo jumboframe enable
apply qos-profile default
#
interface GigabitEthernet1/0/4
stp edged-port enable
broadcast-suppression pps 3000
port access vlan 40
packet-filter inbound ip-group 3040 rule 1
packet-filter inbound ip-group 3040 rule 2
undo jumboframe enable
apply qos-profile default
#
interface GigabitEthernet1/0/5
stp edged-port enable
broadcast-suppression pps 3000
port access vlan 35
packet-filter inbound ip-group 3035 rule 1
packet-filter inbound ip-group 3035 rule 2
packet-filter inbound ip-group 3035 rule 3
packet-filter inbound ip-group 3035 rule 4
packet-filter inbound ip-group 3035 rule 5
packet-filter inbound ip-group 3035 rule 6
packet-filter inbound ip-group 3035 rule 7
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#
--
"The network is the computer"
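Added example (not part of the post above): a small model that parses the IOS extended ACL entries and the 3Com "rule N ..." entries as written in the post and evaluates sample flows from a VLAN 35 PC under first-match semantics, so the intended policy can be checked independently of the switch. It assumes both platforms match rules in configured order, that the IOS ACL ends in an implicit deny, and (an assumption, not confirmed by the post) that a 3Com packet-filter forwards traffic matching none of its applied rules.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def wildcard(addr, wc):
    """Address + wildcard mask -> network; '0' (3Com shorthand) and 0.0.0.0 mean a single host."""
    wc = "0.0.0.0" if wc == "0" else wc
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc)))
    return ipaddress.ip_network((addr, str(netmask)), strict=False)

def take_addr(tok):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return wildcard(tok[0], tok[1]), tok[2:]

def parse_cisco(text):
    """IOS extended entries 'permit|deny ip SRC DST' -> [(action, src_net, dst_net)]; remarks skipped."""
    rules = []
    for tok in (line.split() for line in text.strip().splitlines()):
        if tok[0] != "remark":
            src, rest = take_addr(tok[2:])        # tok[1] is the protocol, always "ip" in the post
            rules.append((tok[0], src, take_addr(rest)[0]))
    return rules

def parse_3com(text):
    """3Com 'rule N permit|deny ip [source A W] [dest[ination] A W]' -> the same tuple shape."""
    rules = []
    for tok in (line.split() for line in text.strip().splitlines()):
        nets = {"s": ANY, "d": ANY}
        for i in range(4, len(tok), 3):           # (keyword, address, wildcard) triples
            nets[tok[i][0]] = wildcard(tok[i + 1], tok[i + 2])
        rules.append((tok[2], nets["s"], nets["d"]))
    return rules

def evaluate(rules, src, dst, default):
    """First matching rule wins; `default` applies when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((a for a, sn, dn in rules if s in sn and d in dn), default)

# Entries transcribed from the post (VLAN35-IN and acl 3035, trimmed to two of the five server hosts).
CISCO_VLAN35 = parse_cisco("""permit ip any host 192.168.30.13
permit ip any host 192.168.30.5
deny ip any 192.168.30.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
permit ip any any""")
ACL_3035 = parse_3com("""rule 1 permit ip destination 192.168.30.13 0
rule 2 permit ip destination 192.168.30.5 0
rule 6 deny ip dest 192.168.30.0 0.0.0.255
rule 7 deny ip dest 192.168.40.0 0.0.0.255""")

def verdicts(src, dst):
    """IOS ends in an implicit deny; for the 3Com packet-filter a permit default is assumed here."""
    return {"cisco": evaluate(CISCO_VLAN35, src, dst, "deny"),
            "3com": evaluate(ACL_3035, src, dst, "permit")}
```

When the modelled verdict for a flow disagrees with what the switch actually does, the rule logic itself is not the problem and the platform's matching order and default behaviour are where to look.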