thanks, but prove or disprove it !

From: JZ (jzhang0427a@xxxxxxxxx)
Date: Thu Aug 03 2000 - 21:35:31 GMT-3


   
!
Thanks to all those who replied to my scenario. I have been
working on this issue since last Fri. and still couldn't
get it done. Or maybe it needs to be proved that it's
impossible to do that.
!
Following is what I did; please find out what's wrong
(if anything).
!
Here is the situation:

          .1 10.1.1.0/24 .2 (ospf)
   e0: R1 s0: ------------------ s0: R2 e0:
!
Running any IP routing protocol (OSPF, RIP ...) and
having full IP connection. How can I block the routing
updates sent from R2 by configuring a MAC address
level filter on R1 only -- no layer 3 filtering is
allowed?
!
R1:
   int E0
     ip add 10.1.1.1/24
     bridge-grp 1
     bridge-grp 1 input-address-list 700
       (or input-pattern-list 700, access-exp in smac(700) ...)
   bridge 1 proto ieee
   access-list 700 deny 0.0.0 f.f.f (i.e. deny "any" )
!
I even tried to create a BVI1 and enter "bridge IRB", with
and without an IP address, but it was no help at all. Both routers
can form OSPF neighbors and ping each other.
!
I searched the Cisco web and couldn't find any clue. Maybe
we should prove that, based on this topology, it's
impossible to filter out packets by using an L2 MAC filter
only.

Thanks in advance and have a good weekend !

Hei Ke
Thur.
NYC

--- "DERY, FREDERIC" <frederic.dery@connexim.ca> wrote:
> This kind of filter can only be used on a bridged
> interface, for bridged protocols.
>
> IP will not be checked against your access-expression.
>
> Frederic
>
> ke Hei wrote:
> >
> > Here is the situation:
> >
> > e0: R1 s0: ----- s0: R2 e0:
> > Running any IP routing protocol (OSPF, RIP ...) and
> > having full IP connection. How can I block the routing
> > updates sent from R2 by configuring a MAC address
> > level filter on R1 only -- no layer 3 filtering is
> > allowed?
> >
> > I had tried by using following commands on R1:
> > !
> > int s0
> > ip add ...
> > Access-expression IN ( Dmac(700)|Smac(700))
> > !
> > Access-list 700 permit <mac_add_of_R2_e0>
> > !
> > It seems not to be working, and both routers are still
> > able to ping each other.
> >
> > I couldn't find more info on layer 2 address
> > filtering from the Cisco CD and web.
> >
> > Thanks in advance for any hints.
> >
