From: Donny MATEO (donny.mateo@sg.ca-indosuez.com)
Date: Tue Oct 22 2002 - 06:34:36 GMT-3
A router will always route the packet first before bridging it. The only exception is when you
configure IRB. I don't know where in the line the layer-2 ACL is, but if it's routed, it's layer 3 and
it's not bridged, so perhaps it won't be filtered at the L2 level either.
How about trying to deploy it on a router with IP routing disabled... just a thought.
Donny
From: "Bill jegcitroen" <jegcitroen@hotmail.com>
Sent by: nobody@groupstudy.com
To: ccielab@groupstudy.com
Subject: deploying layer-2 acl on routed interface (long story)
Date: 22-10-2002 16:39
Please respond to "Bill jegcitroen"
I wonder how I can use a layer-2 MAC ACL to deny a specified MAC address.
My scenario:
r1-e0-------e0-r2
I want to stop receiving multicast 224.0.0.10.
my config:
R1:
bridge irb
//snip//
interface Ethernet0
no ip address
bridge-group 1
bridge-group 1 input-pattern-list 1100
//snip//
interface BVI1
ip address 172.1.36.3 255.255.255.0
//snip//
router eigrp 111
network 172.1.36.3 0.0.0.0
no auto-summary
no eigrp log-neighbor-changes
bridge 1 protocol ieee
bridge 1 route ip
access-list 1100 deny 0010.7be8.5302 0000.0000.0000 0100.5e00.000a 0000.0000.0000
! 0010.7be8.5302 is R2's ethernet mac address
access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
#sh ip ei ne
IP-EIGRP neighbors for process 111
No EIGRP neighbor is found, but you can ping each other.
---------------------------------------
It DOES work.
But if I remove the BVI interface and deploy the ACL on the routed L3 E0
interface, it does not work.
interface Ethernet0
ip address 172.1.36.3 255.255.255.0
bridge-group 1
bridge-group 1 input-pattern-list 1100
Does anyone know the solution without using a BVI interface?
Thanks in advance
-jegcitroen
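The following is an added example, not part of the thread or of anyone's posted config. It parses the extended MAC access-list 1100 exactly as it appears in the post above (the ACL text is copied from there; the frames fed to it are constructed here) and evaluates it with IOS wildcard semantics, and it computes the RFC 1112 IPv4-multicast-to-MAC mapping so you can check that 0100.5e00.000a really is the MAC for 224.0.0.10 before you blame the interface. The ACL number range and the "a 1 bit in the mask means don't care" rule are the standard IOS behaviour for 1100-1199 ACLs; the sample source MAC 0000.0c12.3456 for a third host is an assumption.

```python
"""Evaluate an IOS extended MAC access-list (1100-1199) against sample frames.

Added example, not from the groupstudy thread. ACL_TEXT is copied from the
original post; the frames fed to it are constructed in this file.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MASK48 = (1 << 48) - 1

# Copied from the post: deny R2's hellos to the EIGRP group MAC, permit the rest.
ACL_TEXT = """
access-list 1100 deny 0010.7be8.5302 0000.0000.0000 0100.5e00.000a 0000.0000.0000
! 0010.7be8.5302 is R2's ethernet mac address
access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
"""


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted (0100.5e00.000a) or colon/dash MAC notation."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_cisco_mac(value: int) -> str:
    """Render a 48-bit integer in Cisco dotted notation."""
    h = f"{value & MASK48:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return int_to_cisco_mac(0x01005E000000 | (int(addr) & 0x7FFFFF))


@dataclass
class MacAce:
    action: str
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src: int, dst: int) -> bool:
        # Wildcard semantics as in IP ACLs: a 1 bit in the mask is "don't care",
        # so 0000.0000.0000 is an exact match and ffff.ffff.ffff matches any MAC.
        src_care = ~self.src_wild & MASK48
        dst_care = ~self.dst_wild & MASK48
        return (src & src_care) == (self.src & src_care) and \
               (dst & dst_care) == (self.dst & dst_care)


def parse_mac_acl(text: str) -> dict[int, list[MacAce]]:
    """Return {acl_number: [entries in order]} for 'access-list 11xx' lines."""
    acls: dict[int, list[MacAce]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # blank lines and IOS comments
            continue
        parts = line.split()
        if parts[0] != "access-list" or len(parts) < 7:
            raise ValueError(f"unrecognised line: {line!r}")
        number, action = int(parts[1]), parts[2]
        if not 1100 <= number <= 1199 or action not in ("permit", "deny"):
            raise ValueError(f"not an extended MAC ACL entry: {line!r}")
        acls.setdefault(number, []).append(MacAce(
            action,
            mac_to_int(parts[3]), mac_to_int(parts[4]),   # source MAC, wildcard
            mac_to_int(parts[5]), mac_to_int(parts[6]),   # destination MAC, wildcard
        ))
    return acls


def evaluate(aces: list[MacAce], src_mac: str, dst_mac: str) -> str:
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


if __name__ == "__main__":
    acl = parse_mac_acl(ACL_TEXT)[1100]
    eigrp_mac = ipv4_multicast_mac("224.0.0.10")
    # Constructed frames: R2's EIGRP hello, an ARP broadcast from R2, and a hello
    # from an assumed third host 0000.0c12.3456.
    for src, dst in [("0010.7be8.5302", eigrp_mac),
                     ("0010.7be8.5302", "ffff.ffff.ffff"),
                     ("0000.0c12.3456", eigrp_mac)]:
        print(f"{src} -> {dst}: {evaluate(acl, src, dst)}")
    print("225.0.0.10 maps to the same MAC:", ipv4_multicast_mac("225.0.0.10"))
```

Two things worth noticing when you run it: the deny entry only hits frames from R2's own MAC, so a second neighbour on the segment would still form an adjacency; and because only 23 bits of the group address survive the mapping, 0100.5e00.000a is also the MAC for 225.0.0.10 and 30 other groups, so a MAC ACL keyed on it is broader than "just EIGRP".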
This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:53 GMT-3