From: damien (damien@xxxxxxxxxxx)
Date: Sun Aug 06 2000 - 14:20:36 GMT-3
You can only filter on Layer using Bridging... as you probably know. If you
filter on the MAC and permit every other MAC using Bridging, that's fine as
long as you have somewhere to Bridge to... which you won't. You
are looking to have Bridging on the point-to-point link between the two
Routers and Route on the other Interfaces. This then starts to sound like
IRB... You would have to find out specifically how the Platform
handles Bridging and Routing when used with MAC filters, if you can, that is!
So when your update reaches the BVI Interface, the MAC in question is
denied, and the rest of the MACs are routed through the destination
Interfaces... Why are you doing this, or is it one of those scenarios
that's just too long to put in mail? :~)
----- Original Message -----
From: "JZ" <jzhang0427a@yahoo.com>
To: <ccielab@groupstudy.com>
Sent: Friday, August 04, 2000 12:40 AM
Subject: thanks, but prove or disprove it !
> !
> Thanks to all those who replied to my scenario. I have been
> working on this issue since last Fri. and still couldn't
> get it done. Or maybe it needs to be proven that it's
> impossible to do that.
> !
> Following is what I did and please find out what's wrong
> (if any)
> !
> Here is the situation:
>
> .1 10.1.1.0/24 .2 (ospf)
> e0: R1 s0: ------------------ s0: R2 e0:
> !
> Running any IP routing protocol (ospf, rip ...),
> having full IP connection. How can I block the routing
> updates sent from R2 by configuring a MAC address
> level filter on R1 only -- no layer 3 filtering is
> allowed?
> !
> R1:
> int E0
> ip add 10.1.1.1/24
> bridge-grp 1
> bridge-grp 1 input-address-list 700
> (or input-pattern-list 700, access-exp in
> smac(700)..
> bridge 1 proto ieee
> access-list 700 deny 0.0.0 f.f.f (i.e. deny "any" )
> !
> I even tried to create a BVI1 and enter "bridge IRB" with
> and without an IP address, but no help at all. Both routers
> can form an ospf neighbor and ping each other.
> !
> I searched the Cisco web and couldn't find any clue. Maybe
> we should prove that based on this topology, it's
> impossible to filter out packets by using an L2 MAC filter
> only.
>
> Thanks in advance and have a good weekend !
>
> Hei Ke
> Thur.
> NYC
>
> --- "DERY, FREDERIC" <frederic.dery@connexim.ca> wrote:
> > This kind of filter can only be used on a bridged
> > interface, for a bridged
> > protocol.
> >
> > IP will not be checked against your access-expression.
> >
> > Frederic
> >
> > ke Hei wrote:
> > >
> > > Here is the situation:
> > >
> > > e0: R1 s0: ----- s0: R2 e0:
> > > Running any IP routing protocol (ospf, rip ...),
> > > having full IP connection. How can I block the routing
> > > updates sent from R2 by configuring a MAC address
> > > level filter on R1 only -- no layer 3 filtering is
> > > allowed?
> > >
> > > I had tried by using following commands on R1:
> > > !
> > > int s0
> > > ip add ...
> > > Access-expression IN ( Dmac(700)|Smac(700))
> > > !
> > > Access-list 700 permit <mac_add_of_R2_e0>
> > > !
> > > It seems to be not working and both routers are still
> > > able to ping each other.
> > >
> > > I couldn't find more info on layer 2 address
> > > filtering
> > > from the Cisco CD and web.
> > >
> > > Thanks in advance for any hints.
> > >
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:24:21 GMT-3