From: Volkov, Dmitry (IDS Canada) (dmitry_volkov@ca.ml.com)
Date: Sun Aug 10 2003 - 00:56:14 GMT-3
Well, I read it:
http://127.0.0.1:8080/cc/td/doc/product/lan/c3550/12112cea/3550scg/swacl.htm#xtocid5
You can configure VLAN maps to match Layer 3 addresses for IP traffic. All
non-IP protocols are access-controlled through MAC addresses and Ethertype
using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.)
And this is obvious: there is no way to control IP traffic via a MAC ACL in
detail (e.g. to filter TCP, etc.).
However, I thought that IP traffic as a class, i.e. the IP protocol itself, could
be controlled by Ethertype 0x0800... It seems logical...
> -----Original Message-----
> From: asadovnikov [mailto:asadovnikov@comcast.net]
> Sent: Saturday, August 09, 2003 11:46 PM
> To: 'Volkov, Dmitry (IDS Canada)'; 'Mustafa M Bayramov'
> Cc: ccielab@groupstudy.com
> Subject: RE: vlan map Permit IP
>
>
> I think you nailed it. When only a MAC access list is present in the VLAN map,
> IP will be forwarded. By design, L2 MAC access-lists would not stop IP; they
> are for non-IP traffic.
>
> Best regards,
> Alexei
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Volkov, Dmitry (IDS Canada)
> Sent: Saturday, August 09, 2003 10:39 PM
> To: 'Mustafa M Bayramov'
> Cc: ccielab@groupstudy.com
> Subject: RE: vlan map Permit IP
>
>
> Not sure that I understand you:
> 0x0 should match everything; it's 0x0000.
> 0x0800 0x0000 should mean exactly match 0x0800.
> Do you mean 0x0 matches only the 1st octet?? What is it?? A bug?
> There is no option to match by bit...
> It's funny, when I left only:
> mac access-list extended vlan2mac
> deny any any 0x806 0x0
> deny any any 0x800 0x0
> IP still flows (because there is no match); I can ping from one host to
> another on the same VLAN/switch using static ARP on both ends!!!
> Again, 0x806 0x0 works fine for ARP disable/enable. I checked with NETBEUI
> also. It's blocked, but IP is not.
> So, what is the proper VLAN map to allow only IP or deny only IP, and what is
> the right match clause for IP in a MAC ACL???
> I'm really in doubt now whether it's possible using only MAC access lists.
> http://127.0.0.1:8080/cc/td/doc/product/lan/c3550/12112cea/3550scg/swacl.htm#xtocid27
> If the VLAN map has at least one match clause for the type of packet (IP or
> MAC) and the packet does not match any of these match clauses, the default
> is to drop the packet. If there is no match clause for that type of packet
> in the VLAN map, the default is to forward the packet.
> Because I don't have a match clause for IP packets (an IP ACL inside the VLAN
> map), IP is forwarded.
>
> Dmitry
>
>
>
> > -----Original Message-----
> > From: Mustafa M Bayramov [mailto:spyroot@azeronline.com]
> > Sent: Saturday, August 09, 2003 7:03 PM
> > To: 'Volkov, Dmitry (IDS Canada)'; ccielab@groupstudy.com
> > Subject: RE: vlan map Permit IP
> >
> >
> > I think it's because 0x0 matches only the first octet: if you are doing
> > 0x806 0x0, you're permitting 0x80xx.
> > (I've tried to match by bit; I couldn't achieve this.)
> >
> > Mustafa M Bayramov
> >
> > CISSP
> > CCNP,CCDP,Cisco Security Specialist
> > Network engineer and security analyst
> >
> > "I know nothing except the fact of my ignorance." Socrates
> >
> > Regards
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Volkov, Dmitry (IDS Canada)
> > Sent: Saturday, August 09, 2003 12:25 PM
> > To: 'ccielab@groupstudy.com'
> > Subject: vlan map Permit IP
> >
> > Can somebody explain WHY this works?
> >
> > mac access-list extended vlan2mac
> > permit any any 0x806 0x0
> > !
> > vlan access-map vlan2 10
> > action forward
> > match mac address vlan2mac
> > vlan filter vlan2 vlan-list 2
> >
> > I mean, IP flows between ports in VLAN 2 without explicitly permitting
> > Ethertype 0800 (IP) in the MAC access-list:
> > permit any any 0x800 0x0. Why??
> > If I remove the ARP (806) permit and clear the ARP cache, ARP stops
> > working, but IP is still working if I remove permit 0x0800.
> >
> > Thanks,
> >
> > Dmitry
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
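The forwarding behaviour argued over in this thread, as an added example that is not part of the original messages and not Cisco's code: a small Python model of how a Catalyst 3550 VLAN map evaluates a frame, following the documentation rule Dmitry quotes (IP packets are tested only against IP match clauses, non-IP packets only against MAC match clauses; if at least one clause for the packet's type exists and none matches, the packet is dropped, otherwise it is forwarded). The class and function names, the `deny_ip_map` configuration that actually blocks IP with an IP match clause, the IPX sample frame, the reading of the Ethertype mask as a wildcard (0x0 = exact match, as Dmitry reads it), and the rule that a deny ACE inside a match clause counts as "no match, try the next entry" are assumptions of this model, not statements from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137   # constructed sample: stands in for "some non-IP protocol"


@dataclass
class Frame:
    ethertype: int
    ip_protocol: Optional[str] = None   # "tcp"/"udp"/"icmp"; only meaningful for IP frames


@dataclass
class MacAce:
    """One line of 'mac access-list extended': permit/deny any any <type> <mask>."""
    action: str          # "permit" or "deny"
    ethertype: int
    mask: int = 0x0      # assumption: wildcard mask, 1-bits are don't-care, 0x0 = exact match

    def matches(self, frame: Frame) -> bool:
        care = ~self.mask & 0xFFFF
        return (frame.ethertype & care) == (self.ethertype & care)


@dataclass
class IpAce:
    """One line of an IP ACL, reduced to protocol matching for this model."""
    action: str
    protocol: str = "ip"  # "ip" matches any IP packet

    def matches(self, frame: Frame) -> bool:
        return self.protocol == "ip" or frame.ip_protocol == self.protocol


@dataclass
class MapEntry:
    """One 'vlan access-map <name> <seq>' entry with its action and match clause(s)."""
    seq: int
    action: str                             # "forward" or "drop"
    mac_acl: Optional[List[MacAce]] = None  # match mac address <acl>
    ip_acl: Optional[List[IpAce]] = None    # match ip address <acl>


def acl_matches(aces, frame: Frame) -> bool:
    """Assumption: a match clause is satisfied only by a permit ACE; an explicit deny
    or the implicit deny at the end of the ACL means 'no match, try the next entry'."""
    for ace in aces:
        if ace.matches(frame):
            return ace.action == "permit"
    return False


def vlan_map_verdict(entries: List[MapEntry], frame: Frame) -> str:
    """The rule quoted in the thread: IP frames see only IP clauses, non-IP frames only
    MAC clauses; clause present but nothing matched -> drop; no clause at all -> forward."""
    is_ip = frame.ethertype == ETHERTYPE_IP
    saw_clause_for_type = False
    for entry in sorted(entries, key=lambda e: e.seq):
        acl = entry.ip_acl if is_ip else entry.mac_acl
        if acl is None:
            continue
        saw_clause_for_type = True
        if acl_matches(acl, frame):
            return entry.action
    return "drop" if saw_clause_for_type else "forward"


def original_map():
    """The config from the first message: 'permit any any 0x806 0x0' in a forward entry."""
    return [MapEntry(10, "forward", mac_acl=[MacAce("permit", ETHERTYPE_ARP)])]


def deny_only_map():
    """The later experiment: only 'deny any any 0x806 0x0' and 'deny any any 0x800 0x0'."""
    return [MapEntry(10, "forward", mac_acl=[MacAce("deny", ETHERTYPE_ARP),
                                             MacAce("deny", ETHERTYPE_IP)])]


def deny_ip_map():
    """Hypothetical (not from the thread): drop IP via an IP match clause, forward the rest."""
    return [MapEntry(10, "drop", ip_acl=[IpAce("permit", "ip")]),
            MapEntry(20, "forward", mac_acl=[MacAce("permit", 0x0000, 0xFFFF)])]


SAMPLE_FRAMES = {               # constructed sample traffic
    "arp": Frame(ETHERTYPE_ARP),
    "ip_icmp": Frame(ETHERTYPE_IP, "icmp"),
    "ipx": Frame(ETHERTYPE_IPX),
}


def run_scenarios():
    """Verdict for every (map, frame) pair, keyed by (map name, frame name)."""
    maps = {"original": original_map(), "deny_only": deny_only_map(), "deny_ip": deny_ip_map()}
    return {(m, f): vlan_map_verdict(entries, frame)
            for m, entries in maps.items() for f, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for (m, f), verdict in sorted(run_scenarios().items()):
        print(f"{m:10s} {f:8s} -> {verdict}")
```

Under this model the "original" and "deny_only" maps forward ICMP over IP regardless of what the MAC ACL says about 0x0800, because no IP match clause exists, while ARP and IPX are dropped as soon as the MAC clause fails to permit them. Only `deny_ip_map`, which carries an IP ACL in its match clause, changes the IP verdict.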
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:57 GMT-3