From: Colin Barber (Colin.Barber@xxxxxxxxxxxxxx)
Date: Thu Jul 25 2002 - 11:08:49 GMT-3
What type of traffic are you trying to stop? If it's IPX you can do it with
an IPX access list, as the MAC address is part of the client's network.host
address. If it's IP then you could use your suggestion (until a client
changes its IP address). However, if you are trying to stop layer 2 traffic,
a layer 3 access list is not going to work.
Colin
-----Original Message-----
From: Raj Bahad [mailto:raj.bahad@totalise.co.uk]
Sent: 25 July 2002 14:15
To: Krake, Kris; Colin Barber; Jaspreet Bhatia
Cc: ccielab
Subject: RE: dmac-output-list question
Guys,
I had a similar question posted a couple of weeks ago, but got no reply.
Essentially, reiterating what Kris stated, how would you achieve the same
results without the use of a layer 2 filter?
I thought of looking at the ARP table and then undertaking the task of
creating an access-list specifying IP addresses which map to their
respective MAC addresses.
Would you agree, or is there another way of doing this without using a
layer 2 filter?
Raj.
>===== Original Message From "Krake, Kris" <KKrake@aegonusa.com> =====
>I may be incorrect in this but I believe the initial thread indicated that
>you cannot use a layer 2 filter to accomplish this?
>
>KK
>
>-----Original Message-----
>From: Jaspreet Bhatia [mailto:jasbhati@cisco.com]
>Sent: Wednesday, July 24, 2002 6:36 PM
>To: Colin Barber
>Cc: ccielab@groupstudy.com
>Subject: RE: dmac-output-list question
>
>
>Colin,
> I think that you are right. The question is: r2 has a
>specific MAC address range which should be allowed to
>communicate with outside world and all other MACs should be filtered.
>
>In this above case an input-address-range on the TR would do nicely
>
>I misinterpreted the question to say :
>
>Other hosts should only be allowed to reach this particular set of MAC
>addresses on R2 in which case you can do icanreach and mac-exclusive ..
>
>
>Thanks
>
>Jaspreet
>
>At 11:11 PM 7/24/2002 +0100, Colin Barber wrote:
>>Would you not need to specify mac-exclusive? Otherwise R1 will send
>>explorers to R2 for any mac addresses not listed in the icanreach.
>>
>>How about not restricting within DLSW and just using an input-address-list
>>filter on the LAN interface?
>>
>>Colin
>>
>>-----Original Message-----
>>From: Jaspreet Bhatia [mailto:jasbhati@cisco.com]
>>Sent: 24 July 2002 18:53
>>To: atul pawar
>>Cc: ccielab@groupstudy.com
>>Subject: Re: dmac-output-list question
>>
>>
>>Hi Atul,
>> This concept is a bit confusing. This is how I
>>interpret it. R2 wants all other hosts to only reach a certain range of
>>MAC addresses on its network. If you use dmac output list on R1 it would
>>affect only R1, whereas if you put the icanreach mac-address with a mask
>>on R2, then R2 will advertise this to all other peers in its capabilities
>>exchange, so all other peers will only send packets destined for that
>>range of MAC addresses to R2.
>>
>>HTH
>>
>>Jaspreet
>>
>>At 05:26 PM 7/24/2002 +0000, atul pawar wrote:
>> >Hi guys,
>> >I saw this example on the group earlier. I seem to confuse myself with
>> >this one. Please consider the following:
>> >
>> >r1-------peer---------r2
>> >and r2 has a specific MAC address range which should be allowed to
>> >communicate with outside world and all other MACs should be filtered.
>> >
>> >Now if I put this dmac-output-list allowing this range in the remote peer
>> >statement of r1, it will only pass those explorers which are for this MAC
>> >address range.
>> >Or should it be on r2 so that it allows only these MAC addresses out?
>> >The other way I can think of is dlsw icanreach mac-address on r2 and
>> >mac-exclusive.
>> >Can someone please clarify how to use 'dmac-output-list', as I'm not sure
>> >if my understanding is right.
>> >Many thanks for your help
>> >Atul
>> >
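
The icanreach / mac-exclusive behaviour debated in this thread, as an added example that is not part of any poster's message and is not IOS code: a small Python model of whether a remote peer (R1) would still send an explorer to R2 for a given destination MAC. The MAC range, the function names and the assumption that a 1 bit in the mask means "compare this bit" are all constructed for illustration.

```python
# Added illustration: models the peer-side decision described in the thread.
# Constructed R2 configuration being modelled (sample values, not from the thread):
#   dlsw icanreach mac-address 4000.1234.0000 mask ffff.ffff.0000
#   dlsw icanreach mac-exclusive        <- the line Colin asks about

def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation (h.h.h) into a 48-bit integer."""
    groups = mac.split(".")
    if len(groups) != 3 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"not an h.h.h MAC address: {mac!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def advertised(dest: str, icanreach: list) -> bool:
    """True if dest falls inside any (mac-address, mask) pair R2 advertises.

    Assumption: mask bits set to 1 are compared, bits set to 0 are ignored.
    """
    d = mac_to_int(dest)
    for addr, mask in icanreach:
        m = mac_to_int(mask)
        if (d & m) == (mac_to_int(addr) & m):
            return True
    return False


def r1_forwards_explorer(dest: str, icanreach: list, mac_exclusive: bool) -> bool:
    """Would R1 send an explorer for dest to R2?

    A MAC inside the advertised range is always forwarded. For any other MAC,
    R2's reachability is merely unknown unless R2 also declared the list
    exclusive, so without mac-exclusive the explorer is still sent.
    """
    if advertised(dest, icanreach):
        return True
    return not mac_exclusive


# Constructed sample data
R2_ICANREACH = [("4000.1234.0000", "ffff.ffff.0000")]
INSIDE = "4000.1234.0a01"    # within the advertised range
OUTSIDE = "4000.5678.0001"   # not advertised

if __name__ == "__main__":
    for exclusive in (False, True):
        for mac in (INSIDE, OUTSIDE):
            sent = r1_forwards_explorer(mac, R2_ICANREACH, exclusive)
            print(f"mac-exclusive={exclusive!s:5} dest={mac} explorer sent={sent}")
```
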
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:43 GMT-3