
Cisco Access list to Alcatel QoS

Posted: 09 Sep 2012 23:55
by kent2612
Hi,

Thanks in advance. I need help with the Alcatel equivalent commands for the Cisco ACLs below. They should deny all other traffic which is not allowed.

interface FastEthernet0/0
ip access-group 100 out

access-list 100 permit ip 172.23.0.0 0.0.0.255 10.10.10.0 0.0.0.255

interface FastEthernet0/1
ip access-group 101 in

access-list 101 permit tcp any host 192.168.1.100 eq ftp
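As an added illustration (not part of the thread, and not Alcatel's or Cisco's own tooling), here is a small Python translator that turns the two access-list entries above into the policy condition/rule form used in the replies below. The wildcard-to-mask inversion is standard; the `policy service ... destination tcp port`, `ip protocol` condition syntax and the explicit catch-all deny are assumptions based on AOS 6 conventions, so verify against the Network Configuration Guide.

```python
import ipaddress

# Cisco service names that may follow "eq"; constructed lookup table for this example.
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80, "https": 443}
IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}

def parse_addr(tokens):
    """Consume one Cisco address spec; return (Alcatel ip spec, remaining tokens)."""
    if tokens[0] == "any":
        return "ip Any", tokens[1:]
    if tokens[0] == "host":
        return f"ip {tokens[1]}", tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of the subnet mask Alcatel expects.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return f"ip {addr} mask {mask}", tokens[2:]

def acl_to_qos(acl_lines):
    """Translate the entries of one numbered ACL into policy condition/rule commands."""
    cmds = ["policy action permit", "policy action deny disposition deny"]
    acl_id = None
    precedence = 100 + 10 * len(acl_lines)  # first entry evaluated first, as on Cisco
    for n, line in enumerate(acl_lines, 1):
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line}")
        acl_id, action, proto = t[1], t[2], t[3]
        name = f"acl{acl_id}_{n}"
        src, rest = parse_addr(t[4:])
        dst, rest = parse_addr(rest)
        cond = f"policy condition {name} source {src} destination {dst}"
        if rest[:1] == ["eq"]:  # "eq ftp" -> destination port service (assumed syntax)
            port = PORT_NAMES.get(rest[1], rest[1])
            cmds.append(f"policy service {name}_svc destination {proto} port {port}")
            cond += f" service {name}_svc"
        elif proto in IP_PROTO:
            cond += f" ip protocol {IP_PROTO[proto]}"
        cmds.append(cond)
        cmds.append(f"policy rule {name} precedence {precedence} condition {name} action {action}")
        precedence -= 10
    # Cisco ACLs end with an implicit deny; here it must be spelled out at the lowest
    # precedence. It is not tied to one interface like "ip access-group", so scope it
    # (e.g. with a port group) before applying, or it will affect all other traffic.
    cmds.append(f"policy condition acl{acl_id}_any source ip Any destination ip Any")
    cmds.append(f"policy rule acl{acl_id}_deny precedence 0 condition acl{acl_id}_any action deny")
    return cmds

if __name__ == "__main__":
    for c in acl_to_qos(["access-list 101 permit tcp any host 192.168.1.100 eq ftp"]):
        print(c)
```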

Re: Cisco Access list to Alcatel QoS

Posted: 10 Sep 2012 07:56
by one6f
Hi,
attached are some samples to get started. Here is a ftp example.

Re: Cisco Access list to Alcatel QoS

Posted: 11 Sep 2012 05:46
by kent2612
Hi one6f,

Still didn't manage to get it working, as I was trying to allow only specific IP addresses to pass through the switch. For example, I will only allow 2 IP addresses in VLAN 10 and 2 IP addresses in VLAN 20 on the same switch.

Re: Cisco Access list to Alcatel QoS

Posted: 11 Sep 2012 07:11
by one6f
Here is an example.
Do you want to allow 2 IP addresses in VLAN 10 to communicate with 2 IP addresses in VLAN 20 and deny any others? For example, 10.10.10.11 and 10.10.10.12 need to communicate with 10.10.20.11 and 10.10.20.12 and vice versa, but any others to these 4 IP addresses will be blocked, except for default gateways??

Re: Cisco Access list to Alcatel QoS

Posted: 12 Sep 2012 08:24
by one6f
Here is a sample to allow only 2 IP addresses in VLAN 10 to communicate with VLAN 20 (10.10.20.0/24) and deny all others:

qos enable
policy network group vl10  10.10.10.11 10.10.10.12 
policy network group vl20  10.10.20.0 mask 255.255.255.0  
policy condition any_vl20 source ip Any destination network group vl20 
policy condition vl10_vl20 source network group vl10 destination network group vl20 
policy condition vl20_any source network group vl20 destination ip Any 
policy condition vl20_vl10 source network group vl20 destination network group vl10 
policy action allow 
policy action deny disposition deny 
policy rule vl20_vl10 precedence 130 condition vl20_vl10 action allow 
policy rule vl10_vl20 precedence 120 condition vl10_vl20 action allow 
policy rule any_vl20 precedence 110 condition any_vl20 action deny 
policy rule vl20_any precedence 100 condition vl20_any action deny 
qos apply
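To see how the precedence numbers in the policy above decide the outcome for a given flow, here is an added Python model of it (not from the thread or from Alcatel). It assumes the highest-precedence matching rule wins, that unmatched traffic keeps the assumed default disposition of accept, and it adds a constructed gateway exception (gateway addresses 10.10.10.1 and 10.10.20.1 are made up) to show why the default-gateway caveat raised above matters: without it, a VLAN 20 host talking to its own gateway hits any_vl20 and is denied.

```python
import ipaddress

# Groups and rules transcribed from the policy above. Evaluation order (highest precedence
# first, first match decides) and the "nothing matched" default are assumptions about AOS.
GROUPS = {
    "vl10": ["10.10.10.11", "10.10.10.12"],
    "vl20": ["10.10.20.0/24"],
    "gw": ["10.10.10.1", "10.10.20.1"],   # constructed gateway addresses, not from the thread
}
# (rule name, precedence, source group or None for "ip Any", destination group or None, action)
RULES = [
    ("vl20_vl10", 130, "vl20", "vl10", "allow"),
    ("vl10_vl20", 120, "vl10", "vl20", "allow"),
    ("any_vl20", 110, None, "vl20", "deny"),
    ("vl20_any", 100, "vl20", None, "deny"),
]
# Higher-precedence exception so the gateways stay reachable (the caveat raised above).
GATEWAY_RULES = [
    ("any_gw", 141, None, "gw", "allow"),
    ("gw_any", 140, "gw", None, "allow"),
]

def in_group(addr, group):
    """True if addr is in the named network group; None means 'ip Any'."""
    if group is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in GROUPS[group])

def disposition(src, dst, rules=RULES):
    """Return (matching rule name, action) for a src->dst flow, or the assumed default."""
    for name, prec, sg, dg, action in sorted(rules, key=lambda r: -r[1]):
        if in_group(src, sg) and in_group(dst, dg):
            return name, action
    return "default", "accept"  # assumed: unmatched traffic is accepted unless configured otherwise

if __name__ == "__main__":
    flows = [("10.10.10.11", "10.10.20.5"), ("10.10.10.99", "10.10.20.5"),
             ("10.10.20.5", "8.8.8.8"), ("10.10.20.5", "10.10.20.1")]
    for s, d in flows:
        print(s, "->", d, disposition(s, d), "with gw rules:", disposition(s, d, RULES + GATEWAY_RULES))
```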

Re: Cisco Access list to Alcatel QoS

Posted: 12 Sep 2012 08:54
by kent2612
I have another requirement where 2 remote hosts, 172.23.16.1 and 172.23.16.2, need to manage my switch (on another segment, 192.168.1.1) via ssh and also manage my firewall connected to the switch (192.168.1.2) via https.

1) Can the ACL be applied on the incoming interface from the remote hosts to the switch (192.168.1.1) where only ssh and https are allowed?
2) It should not affect other incoming and outgoing traffic on the switch.

Thanks in advance, as I am not sure how the ACL works so that it does not affect other traffic while still restricting hosts 172.23.16.1 & 172.23.16.2 to accessing the switch and firewall via only the ssh & https service ports.

Re: Cisco Access list to Alcatel QoS

Posted: 13 Sep 2012 08:49
by one6f
1) Can the ACL be applied on the incoming interface from the remote hosts to the switch (192.168.1.1) where only ssh and https are allowed?
You can build ingress and egress rules; there are built-in policies such as the switch network group or the policy port groups Slot01, Slot02....
Please refer to the Network Configuration Guide for details.
2) It should not affect other incoming and outgoing traffic on the switch.
?
Please have a look at the following example, where 172.23.16.2 is a management IP that accesses 192.168.1.1 (an IP interface on the 6850) through ssh and 192.168.1.2 through http:

qos enable
qos log console  
policy service http destination tcp port 80
policy service ssh destination tcp port 22 
policy service group http_services  http  
policy service group ssh_services  ssh  

policy network group fw  192.168.1.2  
policy network group switch  192.168.1.1  
policy network group vl10  172.23.16.2  

policy condition any_fw source ip Any destination network group fw 
policy condition any_switch source ip Any destination network group switch 
policy condition any_vl10 source ip Any destination network group vl10 
policy condition fw_vl10_http source network group fw destination network group vl10 established  
policy condition switch_vl10_ssh source network group switch destination network group vl10 established  
policy condition vl10_fw_http source network group vl10 destination network group fw service group http_services 
policy condition vl10_switch_ssh source network group vl10 destination network group switch service group ssh_services 

policy action deny disposition deny 
policy action permit 

policy rule switch_vl10_ssh condition switch_vl10_ssh action permit log  
policy rule vl10_switch_ssh condition vl10_switch_ssh action permit log  
policy rule fw_vl10_http condition fw_vl10_http action permit log  
policy rule vl10_fw_http condition vl10_fw_http action permit log  
policy rule any_vl10 condition any_vl10 action deny log  
policy rule any_switch condition any_switch action deny log  
policy rule any_fw condition any_fw action deny log  
qos apply
You can 'play' with it so that you have logging on the console (qos log console) and can see what is allowed and what is denied (the log keyword in the policy rules).

Re: Cisco Access list to Alcatel QoS

Posted: 13 Sep 2012 10:26
by kent2612
2) It should not affect other incoming and outgoing traffic on the switch.
As the incoming port to the switch is not only used for management via ssh & http, in other words it is in-band management:
1) All other layer 2 or layer 3 traffic should therefore still be able to route through the switch; traffic can still be routed out via the default route that was configured.
2) The switch should still be able to send logs to the syslog server and send SNMP to the NMS, etc.....