RE: vlan map Permit IP

From: Mustafa M Bayramov (spyroot@azeronline.com)
Date: Sat Aug 09 2003 - 20:03:25 GMT-3


I think it's because 0x0 matches only the first octets: if you are doing 0x806 0x0
-- you're permitting 0x80xx.
(I've tried to match by bit, but I couldn't achieve this.)

Mustafa M Bayramov

CISSP
CCNP,CCDP,Cisco Security Specialist
Network engineer and security analyst
 
"I know nothing except the fact of my ignorance." Socrates

Regards

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Saturday, August 09, 2003 12:25 PM
To: 'ccielab@groupstudy.com'
Subject: vlan map Permit IP

Can somebody explain WHY this works?
 
mac access-list extended vlan2mac
 permit any any 0x806 0x0
!
vlan access-map vlan2 10
 action forward
 match mac address vlan2mac
vlan filter vlan2 vlan-list 2
 
I mean - IP flows between ports in VLAN 2 without explicitly permitting
Ethertype 0800 (IP) in the mac access-list:
permit any any 0x800 0x0. Why??
If I remove the ARP permit (806) and clear the ARP cache, ARP stops working,
but IP still works if I remove the permit for 0x0800.
 
Thanks,
 
Dmitry
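
Added example, not part of the original thread: a simplified Python model of how a VLAN map decides the fate of a frame, run against the map posted above. It assumes the behaviour Cisco documents for Catalyst 3550-class switches (the thread does not name the platform): MAC ACL match clauses are applied only to non-IP frames, a packet type with no match clause in the map is forwarded, and the ethertype mask marks don't-care bits. All function and variable names are hypothetical.

```python
# Added illustration: simplified model of VLAN-map evaluation. The rules encoded
# here are an assumption (documented Catalyst 3550-class behaviour), not taken
# from the thread.
ETH_IP, ETH_ARP, ETH_IPX = 0x0800, 0x0806, 0x8137

def mac_acl(aces):
    """Build a matcher from (ethertype, mask) permit ACEs.
    Bits set to 1 in the mask are don't-care bits, so mask 0x0 is an exact match."""
    def matcher(frame):
        return any((frame["ethertype"] & ~m & 0xFFFF) == (v & ~m & 0xFFFF)
                   for v, m in aces)
    return matcher

def ip_any(frame):
    """Stands in for an IP ACL containing 'permit ip any any'."""
    return True

def verdict(frame, vlan_map):
    """vlan_map: ordered (kind, matcher, action) entries, kind is 'mac' or 'ip'."""
    # IP frames are tested only against IP clauses, non-IP only against MAC clauses.
    kind = "ip" if frame["ethertype"] == ETH_IP else "mac"
    relevant = [entry for entry in vlan_map if entry[0] == kind]
    if not relevant:
        return "forward"      # map has no clause for this packet type
    for _, matcher, action in relevant:
        if matcher(frame):
            return action
    return "drop"             # a clause of this type exists but nothing matched

def frame(ethertype):
    """Constructed sample frame; only the ethertype matters to this model."""
    return {"ethertype": ethertype}

# The map from the thread: one MAC clause permitting ARP, no IP clause.
THREAD_MAP = [("mac", mac_acl([(0x806, 0x0)]), "forward")]
# Same map after the ARP permit is removed from the MAC ACL.
NO_ARP_MAP = [("mac", mac_acl([]), "forward")]
# Adding an IP clause is what brings IP traffic under the map's control.
IP_FILTERED_MAP = THREAD_MAP + [("ip", ip_any, "drop")]

if __name__ == "__main__":
    maps = [("thread", THREAD_MAP), ("no-arp", NO_ARP_MAP), ("ip-filtered", IP_FILTERED_MAP)]
    for name, vmap in maps:
        for label, etype in [("IP", ETH_IP), ("ARP", ETH_ARP), ("IPX", ETH_IPX)]:
            print(f"{name:12} {label:4} -> {verdict(frame(etype), vmap)}")
```
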


