Re: thanks, but prove or disprove it !

From: Hank Leung (hank1979@xxxxxxxxxxx)
Date: Fri Aug 04 2000 - 05:11:45 GMT-3


   
From the CD: (and it works)

access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
interface ethernet 1
  bridge-group 1 input-address-list 700

... also Layer 2 commands won't work on a BVI.

Hank

http://127.0.0.1:8080/cc/td/doc/product/software/ios120/12cgcr/ibm_r/brprt1/brtb.htm#xtocid1833585

>From: JZ <jzhang0427a@yahoo.com>
>Reply-To: JZ <jzhang0427a@yahoo.com>
>To: ccielab@groupstudy.com
>Subject: thanks, but prove or disprove it !
>Date: Thu, 3 Aug 2000 17:40:47 -0700 (PDT)
>
>!
>Thanks to all those who replied to my scenario. I have been
>working on this issue since last Fri. and still couldn't
>get it done. Or maybe it needs to be proven that it's
>impossible to do that.
>!
>Following is what I did and please find out what's wrong
>(if any)
>!
>Here is the situation:
>
> .1 10.1.1.0/24 .2 (ospf)
> e0: R1 s0: ------------------ s0: R2 e0:
>!
>running any IP routing protocol (ospf, rip ...)
>having full IP connectivity. How can I block the routing
>updates sent from R2 by configuring a MAC address
>level filter on R1 only -- no layer 3 filtering is
>allowed?
>!
>R1:
> int E0
> ip add 10.1.1.1/24
> bridge-grp 1
> bridge-grp 1 input-address-list 700
> (or input-pattern-list 700, access-exp in smac(700)..
> bridge 1 proto ieee
> access-list 700 deny 0.0.0 f.f.f (i.e. deny "any" )
>!
>I even tried to create a BVI1 and enter "bridge IRB" with
>and without an IP address, but it was no help at all. Both routers
>can form an ospf neighbor and ping each other.
>!
>I searched the Cisco web and couldn't find any clue. Maybe
>we should prove that based on this topology, it's
>impossible to filter out packets by using an L2 MAC filter
>only.
>
>Thanks in advance and have a good weekend !
>
>Hei Ke
>Thur.
>NYC
>
>--- "DERY, FREDERIC" <frederic.dery@connexim.ca> wrote:
> > This kind of filter can only be used on a bridged
> > interface, for bridged
> > protocols.
> >
> > IP will not be checked against your access-expression.
> >
> > Frederic
> >
> > ke Hei wrote:
> > >
> > > Here is the situation:
> > >
> > > e0: R1 s0: ----- s0: R2 e0:
> > > running any IP routing protocol (ospf, rip ...)
> > > having full IP connectivity. How can I block the routing
> > > updates sent from R2 by configuring a MAC address
> > > level filter on R1 only -- no layer 3 filtering is
> > > allowed?
> > >
> > > I had tried by using following commands on R1:
> > > !
> > > int s0
> > > ip add ...
> > > Access-expression IN ( Dmac(700)|Smac(700))
> > > !
> > > Access-list 700 permit <mac_add_of_R2_e0>
> > > !
> > > It seems not to be working and both routers are still
> > > able to ping each other.
> > >
> > > I couldn't find more info. on layer 2 address
> > > filtering
> > > from cisco CD and web.
> > >
> > > Thanks in advance for any hints.
> > >
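
Added example, not part of the original thread or of Cisco's documentation: a Python sketch of how the two access-list 700 entries in Hank's reply are evaluated, assuming standard IOS ACL semantics (wildcard-mask bits set to 1 are ignored, first match wins, implicit deny at the end). The function names and the sample source MAC addresses are constructed for illustration.

```python
# Added illustration: first-match evaluation of Cisco 700-series MAC ACL lines.
# Assumption: wildcard-mask bits set to 1 are "don't care" bits.

def mac_to_int(mac):
    """Parse Cisco dotted notation (xxxx.xxxx.xxxx) into a 48-bit integer."""
    groups = mac.split(".")
    if len(groups) != 3 or not all(len(g) == 4 for g in groups):
        raise ValueError("expected xxxx.xxxx.xxxx, got %r" % mac)
    value = 0
    for g in groups:
        value = (value << 16) | int(g, 16)
    return value

def parse_acl(text):
    """Return [(action, address, wildcard)] for each access-list line."""
    entries = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "access-list":
            raise ValueError("unrecognised line: %r" % line)
        action, addr, mask = fields[2], fields[3], fields[4]
        if action not in ("permit", "deny"):
            raise ValueError("unknown action: %r" % action)
        entries.append((action, mac_to_int(addr), mac_to_int(mask)))
    return entries

def evaluate(entries, src_mac):
    """First matching entry wins; no match falls through to the implicit deny."""
    src = mac_to_int(src_mac)
    for action, addr, mask in entries:
        care = ~mask & 0xFFFFFFFFFFFF  # bits that must match exactly
        if (src & care) == (addr & care):
            return action
    return "deny"

# The two lines quoted in the reply above.
ACL_700 = """
access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
"""

if __name__ == "__main__":
    acl = parse_acl(ACL_700)
    # Constructed source addresses, not taken from the thread.
    for mac in ("0800.2012.3456", "0800.2100.0001", "00e0.1e5d.ae2f"):
        print(mac, evaluate(acl, mac))
```

The first entry matches only on the upper 24 bits (0800.20), and the second entry ignores every bit, so it acts as a "permit any" that overrides the implicit deny.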


