3550-SMI ACLs

Discussion started by Jo Knight, Jun 9, 2004.

  Jo Knight

    Jo Knight Guest


    I have a couple of 3550s routing between VLANs perfectly. Now I need to
    add some ACLs to the VLAN interfaces, but read that the SMI cannot apply
    normal ACLs and I will need to upgrade to EMI for this.

    Do I have an alternative in order to secure VLANs from one another (just
    basic stuff like blocking NetBIOS traffic and only allowing www, tcp ports
    through etc.)?

    Jo Knight, Jun 9, 2004
    Guest Guest

    Not really about this post, I was just wondering about your post last month
    about the inter-VLAN routing. Which suggestion(s) solved the problem?

    As for ACL, I know it supports IP and MAC ACLs, not sure about protocols. I
    would tend to think not, because it's supposed to be a Layer 2 switch. Then
    again it does accept an IP ACL. Might as well give it a try, it's not going
    to affect operation as long as the ACL isn't applied anywhere.
    "access-list 111 deny udp any any eq 137" or "ip access-list 111 deny udp
    any any eq 137"
    Guest, Jun 11, 2004
    Jo Knight Guest


    Yeah, I have got it all working fine now. It seems that the SMI image doesn't
    have an access-group command to bind the access-list to an interface. SMI
    does support VLAN maps though, which are used with access-lists. (Look in the
    3550 config guide on how to do it.) The downside with this is that this map
    works on traffic in both directions (unlike an access-list that can be
    applied to an interface in or out) so you just have to allow control inbound
    and outbound access in the same access-list.

    As for inter-VLAN routing, if I remember correctly I didn't include the ip
    routing statement to turn it on, as it seems it's not on by default :)

    Now I have 2 3550s routing between VLANs running HSRP with interface
    tracking, so if one switch should fail it continues to route seamlessly.

    Jo Knight, Jun 12, 2004
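
A VLAN map of the kind described in the last post, written out as an added example that is not from any poster in the thread. VLAN 10 and the names NETBIOS and VLAN10-FILTER are assumptions chosen for illustration.

```cisco
! Constructed example: VLAN 10 and the names NETBIOS / VLAN10-FILTER
! are assumptions, not values from the thread.
!
! Inside a VLAN map, an ACL "permit" only selects traffic. The map's
! action then decides whether the selected traffic is dropped or forwarded.
ip access-list extended NETBIOS
 permit udp any any range 137 138
 permit tcp any any eq 139
!
! Sequence 10: drop whatever the NETBIOS ACL selects.
vlan access-map VLAN10-FILTER 10
 match ip address NETBIOS
 action drop
!
! Sequence 20: no match clause, so all remaining traffic is forwarded.
! Without this entry, IP packets that match no ACL in the map are
! dropped, because the map already contains an IP match clause.
vlan access-map VLAN10-FILTER 20
 action forward
!
! Bind the map to the VLAN. There is no in/out keyword: the filter sees
! packets entering and leaving VLAN 10, so the destination-port entries
! above catch NetBIOS sessions opened from either side.
vlan filter VLAN10-FILTER vlan-list 10
!
! Check the result from privileged EXEC:
!   show vlan access-map VLAN10-FILTER
!   show vlan filter
```

For an allow-list policy instead of a block-list, the same direction rule means each permitted service needs two ACL entries, one matching the service port as destination (requests) and one matching it as source (replies).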
