From: P729 (p729@cox.net)
Date: Mon Feb 17 2003 - 20:29:41 GMT-3
Try to ping something that requires the traffic from the router to go
through the SVI to another network and note the results. Then try using a
MAC ACL on the interface facing the router instead of a VLAN ACL and repeat
the two tests and see what happens...
Regards,
Mas Kato
https://ecardfile.com/id/mkato
----- Original Message -----
From: "Umair Hoodbhoy" <umair@cisco.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, February 16, 2003 10:47 PM
Subject: Playing with vlan access-maps
Hi all,
I'm experimenting with vlan access-maps and am trying something very
basic, I think. I plug in a router with a known MAC address into a port
of a Cat3550. On the switch I have an extended access-list (heymac) that
matches the router's MAC address (0009.7c74.9191) and I have a vlan
access-map (macintush) that is supposed to drop anything that matches
the extended access-list. To complete the linkage, I'm applying the vlan
access-map to filter on the VLAN (3) that the router is in.
My test is to ping the SVI (int vlan3) on the switch from the router.
I'm expecting the pings to fail because the router's MAC address is
supposedly blocked. But the pings are still going through. Relevant
output is below. What could be the problem? Is my test flawed?
TIA,
-- Umair
Switch#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.2              -   000a.8aac.c580  ARPA  Vlan3
Internet  10.10.10.1             66   0009.7c74.9191  ARPA  Vlan3
Switch#sh vlan access-map
Vlan access-map "macintush" 10
  Match clauses:
    mac address: heymac
  Action:
    drop
Switch#sh access-lists heymac
Extended MAC access list heymac
permit host 0009.7c74.9191 any
permit any host 0009.7c74.9191
Switch#sh vlan filter
VLAN Map macintush is filtering VLANs:
3
Switch#sh run int fa0/4
Building configuration...
Current configuration : 74 bytes
!
interface FastEthernet0/4
switchport access vlan 3
no ip address
end
Switch#sh run int vlan3
Building configuration...
Current configuration : 60 bytes
!
interface Vlan3
ip address 10.10.10.2 255.255.255.0
end
Router#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform    Port ID
Switch           Fas 1/0          81         S I         WS-C3550-2Fas 0/4
Router#sh run int fa1/0
Building configuration...
Current configuration : 95 bytes
!
interface FastEthernet1/0
ip address 10.10.10.1 255.255.255.0
end
Router#pi 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
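The following configuration is an added example for the thread above and is not from either poster. It reuses the thread's addressing (router 10.10.10.1 / 0009.7c74.9191, SVI 10.10.10.2 in VLAN 3); the ACL name heyip and the map sequence numbers are assumptions chosen for illustration. The point it shows: on the Catalyst 3550, a "match mac address" clause in a VLAN map is evaluated only for non-IP frames, so the router's ICMP echo is never matched by heymac and is forwarded. To drop the router's IP traffic the map needs an IP ACL clause; the MAC clause still covers the router's non-IP frames (ARP, CDP).

```cisco
! Added example (not from the original post). Addressing is taken from the
! thread; the ACL name "heyip" and the sequence numbers are assumed.
!
! In a VLAN map, "permit" in the referenced ACL means "this packet matches
! the entry"; the map's action (drop/forward) decides what happens to it.
!
! 1. IP traffic to/from the router. This is what a MAC clause cannot see
!    on the 3550, and what the ping in the thread actually is.
ip access-list extended heyip
 permit ip host 10.10.10.1 any
 permit ip any host 10.10.10.1
!
! 2. Non-IP frames from/to the router's MAC (ARP, CDP, ...). This is the
!    only traffic the original MAC ACL filters.
mac access-list extended heymac
 permit host 0009.7c74.9191 any
 permit any host 0009.7c74.9191
!
! 3. One map with one entry per packet type, plus a catch-all forward.
!    Once a map contains a match clause for a packet type, packets of that
!    type that match no entry are dropped by default, so without entry 30
!    every other IP host in VLAN 3 would lose connectivity.
vlan access-map macintush 10
 match ip address heyip
 action drop
vlan access-map macintush 20
 match mac address heymac
 action drop
vlan access-map macintush 30
 action forward
!
! 4. Apply the map to VLAN 3.
vlan filter macintush vlan-list 3
!
! Verification from enable mode: "show vlan access-map" should list both
! match clauses, "show vlan filter" should show VLAN 3, and the router's
! "ping 10.10.10.2" should now time out instead of succeeding.
```

The same scope rule applies to the port-based alternative suggested in the reply: a "mac access-group heymac in" on FastEthernet0/4 filters only non-IP frames on this platform, so blocking the router's IP traffic at the port likewise needs an IP ACL ("ip access-group ... in"). Note also that entry 20 drops the router's ARP, which is intended if the goal is to isolate that MAC entirely; if only IP filtering is wanted, omit entry 20.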
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:25 GMT-3