Re: deploying layer-2 acl on routed interface(long story)

From: Bill jegcitroen (jegcitroen@hotmail.com)
Date: Tue Oct 22 2002 - 07:51:57 GMT-3


Hi, Donny

Thank you very much.

So there is no way to deny a source/destination MAC address pair on the routed
interface, but we can deny a source MAC address by setting up a wrong static ARP entry:
arp 172.1.36.3 1.1.1 arpa e0
right? 8-)

-jegcitroen

>From: "Donny MATEO" <donny.mateo@sg.ca-indosuez.com>
>To: "Bill jegcitroen" <jegcitroen@hotmail.com>
>CC: ccielab@groupstudy.com, nobody@groupstudy.com
>Subject: Re: deploying layer-2 acl on routed interface(long story)
>Date: Tue, 22 Oct 2002 17:34:36 +0800
>
>
>The router will always route the packet before bridging it. The
>only exception is when you
>configure IRB. I don't know where in the line the layer-2 ACL is, but if it's
>routed, it's layer 3 and
>it's not bridged, so perhaps it won't be filtered at the L2 level either.
>How about trying to deploy it on a router with IP routing disabled... just a
>thought.
>
>Donny
>
>
>
>From: "Bill jegcitroen" <jegcitroen@hotmail.com>
>Sent by: nobody@groupstudy.com
>To: ccielab@groupstudy.com
>cc:
>Subject: deploying layer-2 acl on routed interface(long story)
>Date: 22-10-2002 16:39
>Please respond to "Bill jegcitroen"
>
>I wonder how I can use a layer-2 MAC ACL to deny a specified MAC address.
>
>my scenario:
>
>r1-e0-------e0-r2
>
>I want to stop receiving multicast 224.0.0.10.
>
>my config:
>
>R1:
>
>bridge irb
>
>//snip//
>
>interface Ethernet0
>no ip address
>bridge-group 1
>bridge-group 1 input-pattern-list 1100
>
>//snip//
>
>interface BVI1
>ip address 172.1.36.3 255.255.255.0
>
>//snip//
>
>router eigrp 111
>network 172.1.36.3 0.0.0.0
>no auto-summary
>no eigrp log-neighbor-changes
>
>bridge 1 protocol ieee
>bridge 1 route ip
>
>access-list 1100 deny 0010.7be8.5302 0000.0000.0000 0100.5e00.000a 0000.0000.0000
>! 0010.7be8.5302 is R2's ethernet mac address
>
>access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
>
>#sh ip ei ne
>IP-EIGRP neighbors for process 111
>
>No EIGRP neighbor is found, but you can still ping each router from the other.
>---------------------------------------
>It DOES work.
>
>But if I remove the BVI interface and deploy the ACL on the routed L3 E0
>interface, it does not work.
>
>interface Ethernet0
>ip address 172.1.36.3 255.255.255.0
>bridge-group 1
>bridge-group 1 input-pattern-list 1100
>
>Does anyone know the solution w/o using a BVI interface?
>
>
>Thanks in advance
>
>-jegcitroen
>
>
>
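Added example, not part of this thread: a Python model of how the extended MAC access list 1100 quoted above decides a frame's fate when applied as a bridge-group input-pattern-list. It assumes Cisco's wildcard-mask semantics for 1100-series lists (a mask bit of 0 means that address bit must match, 1 means don't care) and the standard IPv4-multicast-to-MAC mapping; R1's MAC address is a constructed placeholder since the thread never gives it.

```python
"""Model of an IOS extended MAC access list (1100-1199) used as a bridge-group
input-pattern-list. Assumes Cisco wildcard-mask semantics: a mask bit of 0 means
that address bit must match, 1 means don't care (ffff.ffff.ffff = any)."""
import ipaddress

MASK48 = (1 << 48) - 1

def parse_mac(dotted: str) -> int:
    """'0010.7be8.5302' -> 48-bit integer."""
    return int(dotted.replace(".", ""), 16)

def multicast_mac(group: str) -> int:
    """IPv4 multicast group -> MAC: 01:00:5e plus the low 23 bits of the group."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return 0x01005E000000 | (int(ip) & 0x7FFFFF)

def parse_acl(config: str):
    """Collect (permit, src, src_mask, dst, dst_mask) tuples from ACL lines."""
    entries = []
    for line in config.splitlines():
        fields = line.split()
        if len(fields) == 7 and fields[0] == "access-list":
            _, _num, action, src, smask, dst, dmask = fields
            entries.append((action == "permit", parse_mac(src), parse_mac(smask),
                            parse_mac(dst), parse_mac(dmask)))
    return entries

def acl_permits(entries, src_mac: int, dst_mac: int) -> bool:
    """First matching entry wins; an unmatched frame hits the implicit deny."""
    for permit, src, smask, dst, dmask in entries:
        care_s, care_d = ~smask & MASK48, ~dmask & MASK48
        if (src_mac & care_s) == (src & care_s) and (dst_mac & care_d) == (dst & care_d):
            return permit
    return False

# ACL 1100 as posted in the thread; R2's MAC is from the thread, R1's is a constructed placeholder.
ACL_1100 = parse_acl("""
access-list 1100 deny 0010.7be8.5302 0000.0000.0000 0100.5e00.000a 0000.0000.0000
access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
""")
R2_MAC = parse_mac("0010.7be8.5302")
R1_MAC = parse_mac("0010.7be8.0001")

if __name__ == "__main__":
    hello = multicast_mac("224.0.0.10")  # EIGRP hellos -> 0100.5e00.000a
    print("EIGRP hello from R2 bridged:", acl_permits(ACL_1100, R2_MAC, hello))
    print("unicast ping from R2 bridged:", acl_permits(ACL_1100, R2_MAC, R1_MAC))
```

The deny entry matches only the one source/destination pair, which is why EIGRP hellos from R2 are dropped while unicast pings and any other multicast group still pass; this is also the behaviour the thread reports as lost once the list sits on a routed interface that never bridges the frame.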



This archive was generated by hypermail 2.1.4 : Tue Nov 05 2002 - 08:35:53 GMT-3