We have a router with 4 switches connected via fiber in this situation. Each port has its own VLAN and ACL. In some instances we have people that want us to strictly provide a feed and make them wide open. Before, we just moved their public IP address to the top of the ACL with a permit any. We also mapped static public to private. They would be able to be wide open that way. Now, we cannot figure out how to get the user wide open. Take 0/0.47 for instance. Their router is 10.0.11.130 and we gave it a static IP. We cannot get them wide open on that IP address while still maintaining security horizontally. I have attached our config. Please help...
We used to have the same setup with a different configuration. We had Access-List 101 and it defined all of the open ports and whatnot. We had it defined on the main interface and every VLAN used that same Access-List. So, if we opened port 995 for one person, the whole complex had that port open. So, we tried a different route by setting up each VLAN with its own access-list. We want them to not be able to see horizontally but be able to get to the internet, which is what the access-list is allowing right now for each VLAN.
The problem is that we have had a few people ask us to give them a wide open feed. Before, we would map a static private to a public address and use
access-list 101 permit ip any host xx.xx.xx.xx (Public IP Address)
We would put that at the top of the ACL. Now, when we put that in, it makes no difference. Nothing opens up differently. For example:
access-list 2147 permit ip any host xxx.xx.xx.xx (Public IP Address)
I will try using the private like you did there and see if it proves to work (I PRAY!)
Let me know what you think...I will update you if this works though.
If you type "debug interface fas 0/0.47" to specify only that interface, then "debug ip access-list", make sure you're logging to buffer (or a syslog server). Set the buffer to at least 16384 so you get some good info and, if it's not already set, set the time and use the command "service sequence-numbers" so that we can see when these things occur.
The ACL that is on the interface should already be letting the address through, so it would suggest that something else is stopping it. Can you post a quick diagram too? So that I can see the nodes in the path?
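An added example, not taken from the thread or the attached config: a per-VLAN ACL pair for the 0/0.47 tenant that opens the static-NAT host to the internet while keeping the other VLANs unreachable. It relies on the IOS NAT order of operations, under which an ACL on the inside subinterface only ever sees the private address, so an entry matching the public IP there never hits. Assumptions: the ACL names are hypothetical, 203.0.113.47 is a placeholder for the tenant's public IP, 10.0.0.0/16 is assumed to cover all tenant VLANs, and the WAN interface (not shown) carries "ip nat outside".

```cisco
! Added example with assumed values; adapt before use.
! 203.0.113.47 = placeholder public IP (documentation range)
! 10.0.0.0/16  = assumed supernet of all tenant VLANs
!
ip nat inside source static 10.0.11.130 203.0.113.47
!
! Traffic arriving FROM the tenant: checked before NAT, so the
! source is still the private address 10.0.11.130.
ip access-list extended TENANT47-IN
 remark horizontal isolation first: nothing toward other tenant VLANs
 deny   ip any 10.0.0.0 0.0.255.255 log
 remark everything else from this host is allowed out
 permit ip host 10.0.11.130 any
!
! Traffic going TO the tenant: NAT has already rewritten the
! destination from the public IP to 10.0.11.130 by this point.
ip access-list extended TENANT47-OUT
 remark other tenant VLANs still cannot reach this host
 deny   ip 10.0.0.0 0.0.255.255 any log
 remark wide open from the internet, matched on the private address
 permit ip any host 10.0.11.130
!
interface FastEthernet0/0.47
 ip nat inside
 ip access-group TENANT47-IN in
 ip access-group TENANT47-OUT out
!
! Any inbound ACL on the WAN (ip nat outside) interface is evaluated
! before translation, so that is the one place where the entry must
! match the public address:
!   permit ip any host 203.0.113.47
```

After applying, "show ip access-lists" hit counters on each entry show which ACL is actually matching the tenant's traffic. The first deny in TENANT47-IN also covers the router's own 10.x gateway address, so add a specific permit above it if the tenant must reach services on the router itself.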