Good afternoon, everyone.
Could someone please get me unstuck.
I have a c7507 running IOS rsp-pv-mz.120-31.S2.bin.
ACLs do not work on the interface:
interface FastEthernet0/1/0.64
encapsulation dot1Q 502 second-dot1q 64
ip address 10.0.0.1 255.255.255.252
ip access-group clients-firewall-in in
ip verify unicast reverse-path
no ip directed-broadcast
no cdp enable
I found this in the documentation (though it describes the 10K).
The underlined lines below are what confuses me:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html#wp1043334
Security ACL Application on the Cisco 10000 Series Router
The IEEE 802.1Q-in-Q VLAN Tag Termination feature provides limited
security access control list (ACL) support for PPPoEoQ-in-Q
subinterfaces for the Cisco 10000 series router.
There are no ACL restrictions on subinterfaces configured with IPoQ-in-Q.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you apply an ACL to PPPoE traffic on a Q-in-Q subinterface in a VLAN,
apply the ACL directly on the PPPoE session, using virtual access
interfaces (VAIs) or RADIUS attribute 11 or 242.
You can apply ACLs to virtual access interfaces by configuring them
under virtual template interfaces. You can also configure ACLs by using
RADIUS attribute 11 or 242. When you use attribute 242, a maximum of
30,000 sessions can have ACLs.
ACLs that are applied to the VLAN Q-in-Q subinterface have no effect and
are silently ignored. In the following example, ACL 1 that is applied to
the VLAN Q-in-Q subinterface level will be ignored:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Router(config)# interface FastEthernet3/0/0.100
Router(config-subif)# encapsulation dot1q 100 second-dot1q 200
Router(config-subif)# ip access-group 1
So what does Cisco consider a "VLAN Q-in-Q subinterface"?
As I understand it, there is PPPoEoQ-in-Q (with pppoe enabled), where the ACL
has to be hung on the VAI, and there is IPoQ-in-Q (with an IP address assigned),
where the ACL does seem to get applied:
c7507# sh ip int FastEthernet0/1/0.64 | i access
Outgoing access list is not set
Inbound access list is clients-firewall-in
IP access violation accounting is disabled
The same ACL applied to a plain VLAN subinterface works.
Thanks in advance.
--
Blinov A. Sergey
=============================================================================
"inet-admins" Internet access mailing list. Maintained by East Connection ISP.
Mail "unsubscribe inet-admins" to Majordomo@xxxxxxxxxxxx if you want to quit.
Archive is accessible on http://info.east.ru/rus/inetadm.html
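The placement the quoted Cisco 10000 document describes, as an added configuration example that is not part of the original post or of Cisco's documentation: an ACL applied to an IPoQ-in-Q subinterface (a routed subinterface with an IP address), beside the same ACL applied under a virtual template for PPPoE sessions terminated on a Q-in-Q subinterface, where the document says an ACL on the subinterface itself is silently ignored. The ACL name CLIENTS-IN, the second subinterface .65, the vpdn-group name, Loopback0, the address pool and the CHAP line are all hypothetical; the PPPoE configuration uses the vpdn-group style of the 12.0S/12.2 era and is an assumption, since the exact PPPoE syntax varies by IOS release and platform, and whether the 7500 behaves like the 10000 here is exactly the question the post asks.

```cisco
! Added example, not from the original post. Names and addresses are hypothetical.
ip access-list extended CLIENTS-IN
 permit ip 10.0.0.0 0.0.0.3 any
 deny   ip any any log
!
! IPoQ-in-Q: routed Q-in-Q subinterface with an IP address. The quoted
! document states there are no ACL restrictions here, so the ACL goes
! directly on the subinterface.
interface FastEthernet0/1/0.64
 encapsulation dot1Q 502 second-dot1q 64
 ip address 10.0.0.1 255.255.255.252
 ip access-group CLIENTS-IN in
!
! PPPoEoQ-in-Q: per the quoted document, an "ip access-group" on this
! subinterface is ignored, so none is configured here. The ACL is applied
! to each PPPoE session through the virtual template instead.
vpdn enable
vpdn-group PPPOE-CLIENTS
 accept-dialin
  protocol pppoe
  virtual-template 1
!
interface FastEthernet0/1/0.65
 encapsulation dot1Q 502 second-dot1q 65
 pppoe enable
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip access-group CLIENTS-IN in
 peer default ip address pool CLIENTS
 ppp authentication chap
```

To check whether an ACL is actually filtering rather than just being listed by "show ip interface", clear its counters with "clear ip access-list counters CLIENTS-IN", send test traffic that should hit the "deny ... log" line, and look at the match counters in "show ip access-lists CLIENTS-IN": if the counters stay at zero while the traffic passes, the ACL is bound but not being evaluated on that interface.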