Hi,
Thanks in advance. I need help with the Alcatel equivalent commands for the Cisco ACLs below. They should deny all other traffic that is not allowed.
interface FastEthernet0/0
ip access-group 100 out
access-list 100 permit ip 172.23.0.0 0.0.0.255 10.10.10.0 0.0.0.255
interface FastEthernet0/1
ip access-group 101 in
access-list 101 permit tcp any host 192.168.1.100 eq ftp
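The two Cisco ACLs above expressed in OmniSwitch QoS policy syntax, as an added example that is not from any post in this thread. The group, condition and rule names (remote_net, lan10, ftp_srv and so on) are my own, and instead of binding to a physical interface the way the Cisco access-group does, each catch-all deny is scoped to the destination network; the "!" lines are comments for the reader.

```text
qos enable

! ACL 100: permit ip 172.23.0.0/24 -> 10.10.10.0/24; other traffic toward 10.10.10.0/24 is dropped
policy network group remote_net 172.23.0.0 mask 255.255.255.0
policy network group lan10 10.10.10.0 mask 255.255.255.0
policy condition remote_to_lan10 source network group remote_net destination network group lan10
policy condition any_to_lan10 source ip Any destination network group lan10

! ACL 101: permit tcp any host 192.168.1.100 eq ftp (FTP control channel, tcp/21)
policy service ftp_ctl destination tcp port 21
policy service group ftp_services ftp_ctl
policy network group ftp_srv 192.168.1.100
policy condition any_ftp_srv_ftp source ip Any destination network group ftp_srv service group ftp_services
policy condition any_to_ftp_srv source ip Any destination network group ftp_srv

policy action allow
policy action deny disposition deny

! Higher precedence is evaluated first, so each permit must sit above its catch-all deny.
! Only traffic toward the two destinations is matched; flows in the reverse direction
! and everything else on the switch keep the default disposition, just as the Cisco
! ACLs only filter one direction on one interface.
policy rule remote_to_lan10 precedence 120 condition remote_to_lan10 action allow
policy rule any_to_lan10 precedence 110 condition any_to_lan10 action deny
policy rule any_ftp_srv_ftp precedence 100 condition any_ftp_srv_ftp action allow
policy rule any_to_ftp_srv precedence 90 condition any_to_ftp_srv action deny

! Like "eq ftp", this only opens the control channel: passive-mode data
! connections to high ports on 192.168.1.100 still hit any_to_ftp_srv.
qos apply
```

After "qos apply", "show policy rule" lists the active rules with their precedence so the ordering can be checked before trusting the denies.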
Cisco Access list to Alcatel QoS
-
one6f
Re: Cisco Access list to Alcatel QoS
Hi,
Attached are some samples to get started. Here is an FTP example.
Re: Cisco Access list to Alcatel QoS
Hi one6f,
Still didn't manage to get it working, as I was trying to allow only specific IP addresses to pass through the switch. For example, I will only allow 2 IP addresses in VLAN 10 and 2 IP addresses in VLAN 20 on the same switch.
-
one6f
Re: Cisco Access list to Alcatel QoS
Here is an example.
Do you want to allow 2 IP addresses in VLAN 10 to communicate with 2 IP addresses in VLAN 20 and deny any others? For example, 10.10.10.11 and 10.10.10.12 need to communicate with 10.10.20.11 and 10.10.20.12 and vice versa, but any others to these 4 IP addresses will be blocked, except for the default gateways?
-
one6f
Re: Cisco Access list to Alcatel QoS
Here is a sample to allow only 2 IP addresses in VLAN 10 to communicate with VLAN 20 (10.10.20.0/24) and deny all others:
qos enable
! The two permitted hosts in VLAN 10 and the whole VLAN 20 subnet
policy network group vl10 10.10.10.11 10.10.10.12
policy network group vl20 10.10.20.0 mask 255.255.255.0
! Conditions: the permitted pairings in both directions, plus catch-alls to and from VLAN 20
policy condition any_vl20 source ip Any destination network group vl20
policy condition vl10_vl20 source network group vl10 destination network group vl20
policy condition vl20_any source network group vl20 destination ip Any
policy condition vl20_vl10 source network group vl20 destination network group vl10
policy action allow
policy action deny disposition deny
! Higher precedence is evaluated first: the permits (130/120) beat the catch-all denies (110/100)
policy rule vl20_vl10 precedence 130 condition vl20_vl10 action allow
policy rule vl10_vl20 precedence 120 condition vl10_vl20 action allow
policy rule any_vl20 precedence 110 condition any_vl20 action deny
policy rule vl20_any precedence 100 condition vl20_any action deny
qos apply
Re: Cisco Access list to Alcatel QoS
I have another requirement where 2 remote hosts, 172.23.16.1 and 172.23.16.2, need to manage my switch (on another segment, 192.168.1.1) via SSH and also manage my firewall connected to the switch (192.168.1.2) via HTTPS.
1) Can the ACL be applied on the incoming interface from the remote hosts to the switch (192.168.1.1) so that only SSH and HTTPS are allowed?
2) It should not affect other incoming and outgoing traffic on the switch.
Thanks in advance, as I am not sure how the ACL works without affecting other traffic while still restricting hosts 172.23.16.1 & 172.23.16.2 to accessing the switch and firewall only via the SSH & HTTPS service ports.
-
one6f
Re: Cisco Access list to Alcatel QoS
You can build ingress and egress rules; there are built-in policies such as the switch network group or the policy port groups Slot01, Slot02, ....
1) Can the ACL be applied on the incoming interface from the remote hosts to the switch (192.168.1.1) so that only SSH and HTTPS are allowed?
Please refer to the Network Configuration Guide for details.
2) It should not affect other incoming and outgoing traffic on the switch.
Please have a look at the following example, where 172.23.16.2 is a management IP that accesses 192.168.1.1 (an IP interface on the 6850) through SSH and 192.168.1.2 through HTTP:
qos enable
qos log console
! Management services: HTTP requests from the management host arrive on destination port 80,
! SSH on destination port 22; the replies are matched by the "established" conditions below
policy service http destination tcp port 80
policy service ssh destination tcp port 22
policy service group http_services http
policy service group ssh_services ssh
! The firewall, the switch's own IP interface and the management host
policy network group fw 192.168.1.2
policy network group switch 192.168.1.1
policy network group vl10 172.23.16.2
! Catch-alls toward each of the three addresses
policy condition any_fw source ip Any destination network group fw
policy condition any_switch source ip Any destination network group switch
policy condition any_vl10 source ip Any destination network group vl10
! Return traffic of established sessions back to the management host
policy condition fw_vl10_http source network group fw destination network group vl10 established
policy condition switch_vl10_ssh source network group switch destination network group vl10 established
! The permitted management flows
policy condition vl10_fw_http source network group vl10 destination network group fw service group http_services
policy condition vl10_switch_ssh source network group vl10 destination network group switch service group ssh_services
policy action deny disposition deny
policy action permit
! Permits first, then the catch-all denies; "log" records each hit on the console
policy rule switch_vl10_ssh condition switch_vl10_ssh action permit log
policy rule vl10_switch_ssh condition vl10_switch_ssh action permit log
policy rule fw_vl10_http condition fw_vl10_http action permit log
policy rule vl10_fw_http condition vl10_fw_http action permit log
policy rule any_vl10 condition any_vl10 action deny log
policy rule any_switch condition any_switch action deny log
policy rule any_fw condition any_fw action deny log
qos apply
Re: Cisco Access list to Alcatel QoS
As the incoming port to the switch is not only used for management via SSH & HTTP, in other words it is in-band management:
2) It should not affect other incoming and outgoing traffic on the switch.
1) Therefore all other layer 2 or layer 3 traffic should still be able to route through the switch; traffic can still be routed out via the default route that was configured,
2) the switch should still be able to send logs to the syslog server and send SNMP to the NMS, etc.
