RE: vlan map Permit IP

From: asadovnikov (asadovnikov@comcast.net)
Date: Sun Aug 10 2003 - 02:56:22 GMT-3


I agree with your logic. Apparently some developer back at Cisco did not,
and it was him, not you or me, who got to write the code.

Documentation apparently says "IP traffic is not access controlled by MAC
VLAN maps." And I think that's exactly what they did. IP traffic is not
controlled by MAC VLAN maps, not even as a class.

I think it is wrong but I see it as a 'feature' not a 'bug' (although it
does smell Microsoft) :)

Best regards,
Alexei

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Volkov, Dmitry (IDS Canada)
Sent: Saturday, August 09, 2003 11:56 PM
To: 'asadovnikov@comcast.net'; 'Mustafa M Bayramov'
Cc: ccielab@groupstudy.com
Subject: RE: vlan map Permit IP

Well, I read it:
http://127.0.0.1:8080/cc/td/doc/product/lan/c3550/12112cea/3550scg/swacl.htm#xtocid5
You can configure VLAN maps to match Layer 3 addresses for IP traffic. All
non-IP protocols are access-controlled through MAC addresses and Ethertype
using MAC VLAN maps. (IP traffic is not access controlled by MAC VLAN maps.)

And this is obvious - there is no way to control IP traffic via a MAC ACL in
detail (i.e. for example to filter TCP, etc.).
However, I thought that IP traffic as a class - i.e. the IP protocol itself - can
be controlled by Ethertype 0x0800.... It seems to be logical ...

> -----Original Message-----
> From: asadovnikov [mailto:asadovnikov@comcast.net]
> Sent: Saturday, August 09, 2003 11:46 PM
> To: 'Volkov, Dmitry (IDS Canada)'; 'Mustafa M Bayramov'
> Cc: ccielab@groupstudy.com
> Subject: RE: vlan map Permit IP
>
>
> I think you nailed it. When only a MAC access list is present in the VLAN map,
> IP will be forwarded. By design L2 mac access-lists would not stop IP; they
> are for non-IP traffic.
>
> Best regards,
> Alexei
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Volkov, Dmitry (IDS Canada)
> Sent: Saturday, August 09, 2003 10:39 PM
> To: 'Mustafa M Bayramov'
> Cc: ccielab@groupstudy.com
> Subject: RE: vlan map Permit IP
>
>
> Not sure that I understand you:
> 0x0 - should match everything, it's 0x0000
> 0x0800 0x0000 should mean exactly match 0x0800
> Do you mean 0x0 matches only the 1st octet ?? What is it ?? A bug ?
> There is no option to match by bit...
> It's funny, when I left only:
> mac access-list extended vlan2mac
> deny any any 0x806 0x0
> deny any any 0x800 0x0
> IP still flows (because there is no match); I can ping from one host to
> another on the same VLAN/switch using static ARP on both ends !!!
> Again 0x806 0x0 works fine for ARP disable/enable. I checked with NETBEUI
> also. It's blocked, but IP is not.
> So, what is the proper VLAN map to allow only IP or deny only IP, and what is
> the right match clause for IP in a MAC ACL ???
> I'm really in doubt now if it's possible using only MAC access lists
> http://127.0.0.1:8080/cc/td/doc/product/lan/c3550/12112cea/3550scg/swacl.htm#xtocid27
> If the VLAN map has at least one match clause for the type of packet (IP or
> MAC) and the packet does not match any of these match clauses, the default
> is to drop the packet. If there is no match clause for that type of packet
> in the VLAN map, the default is to forward the packet.
> Because I don't have a match clause for IP packets (IP ACL inside the VLAN
> map), IP is forwarded.
>
> Dmitry
>
>
>
> > -----Original Message-----
> > From: Mustafa M Bayramov [mailto:spyroot@azeronline.com]
> > Sent: Saturday, August 09, 2003 7:03 PM
> > To: 'Volkov, Dmitry (IDS Canada)'; ccielab@groupstudy.com
> > Subject: RE: vlan map Permit IP
> >
> >
> > I think because 0x0 matches only the first octet: if you are doing 0x806 0x0
> > you're permitting 0x80xx.
> > (I've tried to match by bit; I couldn't achieve this).
> >
> > Mustafa M Bayramov
> >
> > CISSP
> > CCNP,CCDP,Cisco Security Specialist
> > Network engineer and security analyst
> >
> > "I know nothing except the fact of my ignorance." Socrates
> >
> > Regards
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of
> > Volkov, Dmitry (IDS Canada)
> > Sent: Saturday, August 09, 2003 12:25 PM
> > To: 'ccielab@groupstudy.com'
> > Subject: vlan map Permit IP
> >
> > Can somebody explain WHY does it work ?
> >
> > mac access-list extended vlan2mac
> > permit any any 0x806 0x0
> > !
> > vlan access-map vlan2 10
> > action forward
> > match mac address vlan2mac
> > vlan filter vlan2 vlan-list 2
> >
> > I mean - IP flows between ports in Vlan 2 without explicitly permitting
> > Ethertype 0800 (IP) in the mac access-list:
> > permit any any 0x800 0x0. Why ??
> > If I remove permitting ARP (806) and clear the arp cache, ARP stops
> > working, but IP is still working if I remove permit 0x0800
> >
> > Thanks,
> >
> > Dmitry
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
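The behaviour the thread circles around (a VLAN map built only from a MAC ACL leaves IP untouched, even when the ACL carries `deny any any 0x800 0x0`) follows directly from the two documentation sentences Dmitry quotes. The model below is an added example, not Cisco code and not posted by anyone in the thread: it encodes the quoted default-drop/default-forward rule and the "IP traffic is not access controlled by MAC VLAN maps" statement, replays the two configurations from the thread, and then shows a map that does block IP by carrying an IP ACL clause. The ACE semantics (a permit in the ACL means the clause matches, a deny or the implicit deny means "no match, next sequence"; a sequence with no match clause matches everything; mask 0x0 means exact Ethertype match) and the IPX frame used as a stand-in for "some non-IP protocol" are assumptions, labelled in the comments. The practical check it gives a defender: if a VLAN filter is meant to restrict IP, it needs an IP ACL clause, and a MAC-only map should be read as "non-IP only".

```python
# Added example: a model of the Catalyst 3550 VLAN-map evaluation rule quoted
# in the thread. Not Cisco code. Assumptions, labelled here because the thread
# only quotes the documentation:
#  * a match clause matches when its ACL permits the frame; a deny ACE, or the
#    implicit deny at the end of the ACL, means "no match, try the next
#    sequence" (the thread's own reading: "because there is no match");
#  * a sequence with no match clause at all matches every frame;
#  * mask 0x0 on a MAC ACE means an exact Ethertype match;
#  * IP frames are judged only by IP clauses ("IP traffic is not access
#    controlled by MAC VLAN maps"); non-IP frames only by MAC clauses.
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPX = 0x8137   # constructed stand-in for "some non-IP protocol"


@dataclass
class Frame:
    ethertype: int
    ip_proto: Optional[str] = None   # e.g. "icmp", "tcp"; only set on IP frames


@dataclass
class MacAce:
    """One line of 'mac access-list extended': <action> any any <type> <mask>."""
    action: str      # "permit" | "deny"
    ethertype: int
    mask: int = 0x0  # 0x0 => exact match (assumption, see header)

    def matches(self, f: Frame) -> bool:
        return (f.ethertype & ~self.mask) == (self.ethertype & ~self.mask)


@dataclass
class IpAce:
    """One line of an IP ACL, reduced to protocol matching."""
    action: str
    protocol: str = "ip"  # "ip" covers every IP protocol

    def matches(self, f: Frame) -> bool:
        return f.ethertype == ETHERTYPE_IP and self.protocol in ("ip", f.ip_proto)


def acl_permits(acl: list, f: Frame) -> bool:
    """First matching ACE decides; implicit deny at the end."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False


@dataclass
class Sequence:
    """One 'vlan access-map <name> <seq>' block with its action and match clauses."""
    action: str                      # "forward" | "drop"
    match_mac: List[MacAce] = field(default_factory=list)
    match_ip: List[IpAce] = field(default_factory=list)


def evaluate(vlan_map: List[Sequence], f: Frame) -> str:
    """Return "forward" or "drop" for one frame under the quoted rule."""
    is_ip = f.ethertype == ETHERTYPE_IP
    clause_for_type = False
    for seq in vlan_map:
        if not seq.match_mac and not seq.match_ip:
            return seq.action            # catch-all sequence (assumption)
        acl = seq.match_ip if is_ip else seq.match_mac
        if not acl:
            continue                     # clause is for the other packet type
        clause_for_type = True
        if acl_permits(acl, f):
            return seq.action
    # Documented default: drop if a clause existed for this packet type but
    # nothing matched; forward if the map has no clause for this type at all.
    return "drop" if clause_for_type else "forward"


# The thread's configurations, rebuilt as constructed maps.
# Dmitry's original: MAC ACL permits ARP only, no IP clause anywhere.
ORIGINAL_MAP = [Sequence("forward", match_mac=[MacAce("permit", ETHERTYPE_ARP)])]
# His second try: MAC ACL holding only deny entries for ARP and IP.
DENY_ONLY_MAP = [Sequence("forward", match_mac=[MacAce("deny", ETHERTYPE_ARP),
                                                 MacAce("deny", ETHERTYPE_IP)])]
# A map that actually blocks IP (assumed fix, following the documentation's
# "match Layer 3 addresses for IP traffic"): keep the ARP sequence, add a
# sequence whose IP ACL permits all IP with action drop.
IP_BLOCKED_MAP = [
    Sequence("forward", match_mac=[MacAce("permit", ETHERTYPE_ARP)]),
    Sequence("drop", match_ip=[IpAce("permit", "ip")]),
]

IP_PING = Frame(ETHERTYPE_IP, "icmp")   # constructed sample frames
ARP = Frame(ETHERTYPE_ARP)
IPX = Frame(ETHERTYPE_IPX)


def verdicts(vlan_map: List[Sequence]) -> dict:
    return {name: evaluate(vlan_map, f)
            for name, f in (("ip", IP_PING), ("arp", ARP), ("ipx", IPX))}


if __name__ == "__main__":
    for label, m in (("original", ORIGINAL_MAP), ("deny-only", DENY_ONLY_MAP),
                     ("ip-blocked", IP_BLOCKED_MAP)):
        print(f"{label:11s} {verdicts(m)}")
```

Running it reproduces the thread: the original map forwards ARP and IP and drops the non-IP stand-in; the deny-only map drops ARP yet still forwards IP, because no IP clause exists and the MAC clause is not consulted for IP; only the map with an IP ACL sequence drops IP.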



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:57 GMT-3