Well, since each access list can have max. 20 entries, and since you need
- at least one permit rule for your admins, maybe one more for monitoring purposes etc.,
- one "permit all" at the end,
this leaves 18 rules in the best case to deny traffic. Now, for each interface/IP that you have you need 3 rules (port 22, 23, 80), provided you don't have any secondary addresses on that interface. This means if you have more than 18/3=6 VLANs configured, it seems to me you're out of luck with access lists....
> > i think you're stuck with using acls.
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of
> > [email protected]
> > Sent: Wednesday, August 24, 2011 12:20 PM
> > To: Enterasys Customer Mailing List
> > Subject: RE: [enterasys] Mgmt Traffic G3
> >
> > Ok, but:
> > defining the MgmtVLAN in the router is not very secure.
> > We would like to access the MgmtVLAN (route it) through our firewall
> > only.
> > If you make it a router interface you can't prevent anyone from e.g.
> > directly connected networks to access the Mgmt address without
> > configuring complicated ACLs or using source routing or whatever.
> > It would just be nice to have some kind of "virtual" out-of-band
> > management without any hassle...
> >
> >> Hi,
> >>
> >> As far as i know you can't use layer 2 ip address (host IP) when
> >> routing features is in use, so the management address should be an
> >> interface vlan instead of the "set ip address".
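As an added illustration that is not part of this thread, the following Python script does the entry-budget bookkeeping described in the reply above in a generic way: it builds the ordered list (admin permits first, then three deny rules per management interface address for TCP 22, 23 and 80, then the closing permit-all) and checks it against the 20-entry cap, so you can see at a glance how many VLAN interfaces fit before the list overflows. The Rule tuple is a generic model, not Enterasys ACL syntax, and the interface addresses and admin subnet in the usage section are constructed sample values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_ACL_ENTRIES = 20        # per-ACL cap stated in the thread
MGMT_PORTS = (22, 23, 80)   # ssh, telnet, http: the management services to deny


@dataclass(frozen=True)
class Rule:
    """Generic ACL entry (hypothetical model, not a vendor syntax)."""
    action: str            # "permit" or "deny"
    src: str               # source prefix, or "any"
    dst: str               # destination host/prefix, or "any"
    dport: Optional[int]   # TCP destination port, None = any port


def build_mgmt_acl(interface_ips: Iterable[str],
                   admin_sources: Iterable[str],
                   extra_permits: Iterable[str] = ()) -> List[Rule]:
    """Return the ordered ACL: permits for trusted sources, per-interface
    denies of the management ports, and a final permit-all."""
    rules: List[Rule] = []
    for src in admin_sources:            # e.g. the admin subnet
        rules.append(Rule("permit", src, "any", None))
    for src in extra_permits:            # e.g. a monitoring host
        rules.append(Rule("permit", src, "any", None))
    for ip in interface_ips:             # one deny per service per interface IP
        for port in MGMT_PORTS:
            rules.append(Rule("deny", "any", ip, port))
    rules.append(Rule("permit", "any", "any", None))   # transit traffic stays allowed
    return rules


def fits_in_acl(rules: List[Rule], max_entries: int = MAX_ACL_ENTRIES) -> bool:
    """True if the whole list fits into one access list."""
    return len(rules) <= max_entries


def max_interfaces(n_permits: int, max_entries: int = MAX_ACL_ENTRIES) -> int:
    """Largest number of interface addresses that still fits:
    (cap - explicit permits - closing permit-all) // ports per interface."""
    return (max_entries - n_permits - 1) // len(MGMT_PORTS)


def render(rules: List[Rule]) -> List[str]:
    """Human-readable lines, one per entry, numbered from 1."""
    out = []
    for i, r in enumerate(rules, 1):
        port = "any" if r.dport is None else f"tcp/{r.dport}"
        out.append(f"{i:2d} {r.action:6s} src={r.src} dst={r.dst} dport={port}")
    return out


if __name__ == "__main__":
    # Constructed sample values: six VLAN interface addresses and one admin subnet.
    sample_vlans = [f"10.0.{i}.1" for i in range(1, 7)]
    acl = build_mgmt_acl(sample_vlans, ["10.99.0.0/24"])
    print("\n".join(render(acl)))
    print("entries:", len(acl), "fits:", fits_in_acl(acl))
    print("max interfaces with 1 permit:", max_interfaces(1))
```

With one admin permit the script confirms the reply's figure (six interfaces use exactly 20 entries); adding a monitoring permit drops the budget to five interfaces, and any secondary address on an interface costs another three entries.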
