From: Volkov, Dmitry (IDS Canada) (dmitry_volkov@ca.ml.com)
Date: Sat Aug 09 2003 - 23:38:51 GMT-3
Not sure that I understand you:
0x0 should match everything; it's 0x0000.
0x0800 0x0000 should mean an exact match on 0x0800.
Do you mean 0x0 matches only the 1st octet?? What is it?? A bug?
There is no option to match by bit...
It's funny, when I left only:
mac access-list extended vlan2mac
deny any any 0x806 0x0
deny any any 0x800 0x0
IP still flows (because there is no match); I can ping from one host to
another on the same VLAN/switch using static ARP on both ends!!!
Again, 0x806 0x0 works fine for ARP disable/enable. I checked with NETBEUI
also. It's blocked, but IP is not.
So, what is the proper VLAN map to allow only IP or deny only IP, and what is
the right match clause for IP in a MAC ACL???
I'm really in doubt now if it's possible using only MAC access lists:
http://127.0.0.1:8080/cc/td/doc/product/lan/c3550/12112cea/3550scg/swacl.htm#xtocid27
If the VLAN map has at least one match clause for the type of packet (IP or
MAC) and the packet does not match any of these match clauses, the default
is to drop the packet. If there is no match clause for that type of packet
in the VLAN map, the default is to forward the packet.
Because I don't have a match clause for IP packets (an IP ACL inside the VLAN
map), IP is forwarded.
Dmitry
> -----Original Message-----
> From: Mustafa M Bayramov [mailto:spyroot@azeronline.com]
> Sent: Saturday, August 09, 2003 7:03 PM
> To: 'Volkov, Dmitry (IDS Canada)'; ccielab@groupstudy.com
> Subject: RE: vlan map Permit IP
>
>
> I think because 0x0 matches only the first octet; if you are doing 0x806 0x0,
> you're permitting 0x80xx.
> (I've tried to match by bit; I couldn't achieve this.)
>
> Mustafa M Bayramov
>
> CISSP
> CCNP,CCDP,Cisco Security Specialist
> Network engineer and security analyst
>
> "I know nothing except the fact of my ignorance." Socrates
>
> Regards
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of
> Volkov, Dmitry (IDS Canada)
> Sent: Saturday, August 09, 2003 12:25 PM
> To: 'ccielab@groupstudy.com'
> Subject: vlan map Permit IP
>
> Can somebody explain WHY does it work ?
>
> mac access-list extended vlan2mac
> permit any any 0x806 0x0
> !
> vlan access-map vlan2 10
> action forward
> match mac address vlan2mac
> vlan filter vlan2 vlan-list 2
>
> I mean, IP flows between ports in VLAN 2 without explicitly permitting
> Ethertype 0800 (IP) in the mac access-list:
> permit any any 0x800 0x0. Why??
> If I remove the ARP permit (806) and clear the ARP cache, ARP stops
> working, but IP is still working if I remove permit 0x0800.
>
> Thanks,
>
> Dmitry
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:57 GMT-3
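The behaviour Dmitry observed follows directly from the rule he quoted from the 3550 configuration guide: a VLAN map first classifies a frame as IP or MAC (non-IP) and only consults match clauses of that type; if the map has a clause of that type and nothing permits the frame, the default is drop, and if it has no clause of that type at all, the default is forward. The model below is an added example written for this archive page, not code from the thread or from Cisco. It encodes that rule and replays both of Dmitry's MAC ACLs against an IP frame, an ARP frame and a constructed LLC (NetBEUI-style) frame, then shows a "deny only IP" and a "permit only IP" map built the way the rule implies. Assumptions not stated on the page: a MAC ACL clause is never consulted for IP frames; the Ethertype mask is a "don't care" mask like an IP wildcard mask, so 0x0 means exact match and 0x00FF would be needed to match 0x80xx; IP ACLs are reduced to permit/deny ip any any; every map entry carries exactly one match clause; the LLC frame is represented by an 802.3 length field in place of a DIX Ethertype.

```python
"""Toy model of Catalyst 3550 VLAN-map evaluation (added example, assumptions
listed in the lead-in and in comments; not Cisco's implementation)."""
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
# Constructed stand-in for a NetBEUI/LLC frame: 802.3 length field, no DIX type.
LLC_FRAME = 0x0050


@dataclass
class MacAce:
    """One 'mac access-list extended' line: {permit|deny} any any [type mask]."""
    permit: bool
    ethertype: Optional[int] = None  # None: no type given, any non-IP frame
    mask: int = 0x0000               # assumed: 1 bits are ignored when comparing

    def matches(self, ethertype: int) -> bool:
        if self.ethertype is None:
            return True
        care = ~self.mask & 0xFFFF   # mask 0x0000 -> every bit must match
        return (ethertype & care) == (self.ethertype & care)


@dataclass
class IpAce:
    """Reduced 'ip access-list extended' line: {permit|deny} ip any any."""
    permit: bool

    def matches(self, _ethertype: int) -> bool:
        return True


@dataclass
class MapEntry:
    """One 'vlan access-map NAME SEQ' entry: action plus a single match clause."""
    seq: int
    action: str                              # "forward" or "drop"
    match_mac: Optional[List[MacAce]] = None
    match_ip: Optional[List[IpAce]] = None


def acl_permits(aces, ethertype: int) -> bool:
    """Cisco ACL semantics: first matching ACE decides, implicit deny at the end.
    A frame 'matches' a VLAN-map clause only when the ACL permits it."""
    for ace in aces:
        if ace.matches(ethertype):
            return ace.permit
    return False


def evaluate(vlan_map: List[MapEntry], ethertype: int) -> str:
    """Return 'forward' or 'drop' for a frame carrying the given type field."""
    is_ip = ethertype == ETHERTYPE_IP
    saw_clause_for_type = False
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        aces = entry.match_ip if is_ip else entry.match_mac
        if aces is None:
            continue  # clause for the other packet type: never consulted
        saw_clause_for_type = True
        if acl_permits(aces, ethertype):
            return entry.action
    # Documented defaults: drop only if the map had a clause for this type.
    return "drop" if saw_clause_for_type else "forward"


def dmitry_first_map() -> List[MapEntry]:
    """permit any any 0x806 0x0; action forward."""
    return [MapEntry(10, "forward", match_mac=[MacAce(True, ETHERTYPE_ARP, 0x0)])]


def dmitry_second_map() -> List[MapEntry]:
    """deny any any 0x806 0x0 / deny any any 0x800 0x0; action forward."""
    return [MapEntry(10, "forward", match_mac=[
        MacAce(False, ETHERTYPE_ARP, 0x0), MacAce(False, ETHERTYPE_IP, 0x0)])]


def deny_only_ip_map() -> List[MapEntry]:
    """Added answer under the model: an IP clause is what reaches IP frames."""
    return [MapEntry(10, "drop", match_ip=[IpAce(True)])]


def permit_only_ip_map() -> List[MapEntry]:
    """Added answer under the model: catch every non-IP frame with a MAC clause."""
    return [MapEntry(10, "drop", match_mac=[MacAce(True)])]


def verdicts(vlan_map: List[MapEntry]) -> dict:
    """Verdict per frame kind for one map."""
    return {name: evaluate(vlan_map, t) for name, t in
            (("ip", ETHERTYPE_IP), ("arp", ETHERTYPE_ARP), ("llc", LLC_FRAME))}


if __name__ == "__main__":
    for name, m in (("first", dmitry_first_map()), ("second", dmitry_second_map()),
                    ("deny-only-ip", deny_only_ip_map()),
                    ("permit-only-ip", permit_only_ip_map())):
        print(name, verdicts(m))
    # Mask semantics under the assumption: 0x0 exact, 0x00FF covers 0x80xx.
    print(MacAce(True, ETHERTYPE_ARP, 0x0).matches(ETHERTYPE_IP),
          MacAce(True, ETHERTYPE_ARP, 0x00FF).matches(ETHERTYPE_IP))
```

Run as-is, the first map forwards IP (no IP clause) and ARP (permitted) but drops the LLC frame (MAC clause present, nothing permits it); the second map forwards IP and drops both ARP and LLC, which is exactly what the thread reports. The deny-all-0x800 line in a MAC ACL never fires because IP frames are not evaluated against MAC clauses at all.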