Re: Mac and IP Vlan Maps on 3550!

From: Arifur Rahman (arahman@cisco.com)
Date: Sat Apr 17 2004 - 22:53:54 GMT-3


Hi Group,
I am having some issue; maybe my understanding is wrong. My question: does a
VLAN map restrict IP packets like ICMP or not? I have the following configuration

r1: 0030.7179.381d
r2: 0090.b127.d01d
r3: 0003.31df.ec1d

mac access-list extended MACL
  permit host 0030.7179.381d host 0090.b127.d01d
mac access-list extended MACL1
  permit any any
!
!
vlan access-map first 10
  action drop
  match mac address MACL
vlan access-map first 20
  action forward
  match mac address MACL1
vlan filter first vlan-list 10

When I apply MACL to a layer 2 interface (and without vlan filter first
vlan-list 10) I can only ping from r1 to r2, as expected. But when I apply
vlan filter first vlan-list 10, I can ping from any host to any host. Is
this expected?

thank you - Arif

At 10:48 AM 4/16/2004 -0700, Hossam wrote:
>Guys, I sent this three days earlier but I got no response. I am still
>stuck with it.
>
>With only one new observation. The new thing is that I noticed that the
>switch acts as expected (filtering non-IP traffic only and allowing IP
>traffic) for around 1 minute, then it starts the strange behaviour of
>stopping both IP and non-IP traffic.
>Any help would be so appreciated.
>SAM
>
>First mail:
>Group,
>Based on the following section in the configuration guide (Network
>security with Access list for 3550) IOS ver. 12.1(19)EA1c :
>
>"If the VLAN map has at least one match clause for the type of packet
>(IP or MAC) and the packet does not match any of these match clauses,
>the default is to drop the packet. If there is no match clause for that
>type of packet in the VLAN map, the default is to forward the packet."
>
>found at:
>http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf53.html#1177303
>
>My understanding was that the 3550 has two different types of traffic, IP
>traffic and non-IP traffic. Moreover, MAC VLAN maps only affect non-IP
>traffic, and IP VLAN maps only affect IP traffic.
>
>But when I try to restrict a station with (MAC address 1) from
>accessing the network using a MAC VLAN map on my 3550 (the same version as
>mentioned above), I notice that the IP traffic from this end station
>(MAC address 1) is restricted as well!!
>
>Is that OK? Is the problem with my understanding, the documentation,
>or my configuration as shown below?
>
>Configurations:
>mac access-list extended MacList2
> permit host 0005.5d8d.c1d4 any
>mac access-list extended MacList3
> permit any any
>!
>!
>vlan access-map VMap 10
> action drop
> match mac address MacList2
>vlan access-map VMap 20
> action forward
> match mac address MacList3
>vlan filter VMap vlan-list 1
>!
>
>Thanks,
>SAM
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
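Added example, not part of this thread or of Cisco's code: a small Python model of the two sentences quoted from the configuration guide, applied to both VLAN maps posted above. It assumes the thread's reading of the guide, namely that a 'match mac address' clause is consulted only for non-IP packets and a 'match ip address' clause only for IP packets, plus first-match-wins sequence order and the implicit deny at the end of every ACL; the IP addresses in it are constructed placeholders.

```python
"""Model of the VLAN access-map rule quoted from the 3550 configuration guide.

Constructed example (not the switch's code). Assumptions, taken from the
thread's reading of the guide:
  * a 'match mac address' clause is consulted for non-IP packets only, a
    'match ip address' clause for IP packets only;
  * sequences are walked in order; the first clause that permits the packet
    decides, and its action (forward or drop) is applied;
  * if no clause matches, the packet is dropped when the map has at least one
    clause for that packet type, otherwise it is forwarded;
  * every ACL ends in an implicit deny.
"""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    is_ip: bool          # True for IPv4 (e.g. ICMP), False for ARP and other non-IP
    src_ip: str = ""     # only used when is_ip is True (constructed values below)
    dst_ip: str = ""


@dataclass(frozen=True)
class Ace:
    """One access-list entry: permit/deny <src> <dst>, where 'any' is a wildcard."""
    src: str
    dst: str
    permit: bool = True


@dataclass(frozen=True)
class Sequence:
    seq: int
    action: str          # "forward" or "drop"
    match_type: str      # "mac" or "ip"
    acl: tuple           # tuple of Ace


def _field_matches(pattern, value):
    return pattern == "any" or pattern == value


def acl_permits(acl, src, dst):
    """First matching ACE wins; no match at all is the implicit deny."""
    for ace in acl:
        if _field_matches(ace.src, src) and _field_matches(ace.dst, dst):
            return ace.permit
    return False


def evaluate_vlan_map(vlan_map, pkt):
    """Return 'forward' or 'drop' for pkt under the documented rule."""
    pkt_type = "ip" if pkt.is_ip else "mac"
    for seq in sorted(vlan_map, key=lambda s: s.seq):
        if seq.match_type != pkt_type:
            continue     # a MAC clause is not consulted for an IP packet, nor vice versa
        src, dst = (pkt.src_ip, pkt.dst_ip) if pkt.is_ip else (pkt.src_mac, pkt.dst_mac)
        if acl_permits(seq.acl, src, dst):
            return seq.action
    # nothing matched: default drop only if the map has a clause for this packet type
    return "drop" if any(s.match_type == pkt_type for s in vlan_map) else "forward"


# Arif's map "first", transcribed from the thread
R1, R2, R3 = "0030.7179.381d", "0090.b127.d01d", "0003.31df.ec1d"
MACL = (Ace(R1, R2),)                 # permit host r1 host r2 (one direction only)
MACL1 = (Ace("any", "any"),)          # permit any any
VLAN_MAP_FIRST = (Sequence(10, "drop", "mac", MACL),
                  Sequence(20, "forward", "mac", MACL1))

# Hossam's map "VMap", transcribed from the thread
STATION = "0005.5d8d.c1d4"
VLAN_MAP_VMAP = (Sequence(10, "drop", "mac", (Ace(STATION, "any"),)),
                 Sequence(20, "forward", "mac", (Ace("any", "any"),)))


def arif_results():
    """What the documented rule predicts for Arif's map."""
    return {
        "icmp r1->r2": evaluate_vlan_map(VLAN_MAP_FIRST, Packet(R1, R2, True, "10.0.0.1", "10.0.0.2")),
        "arp request r1 (broadcast)": evaluate_vlan_map(VLAN_MAP_FIRST, Packet(R1, BROADCAST, False)),
        "unicast non-ip r1->r2": evaluate_vlan_map(VLAN_MAP_FIRST, Packet(R1, R2, False)),
        "unicast non-ip r2->r1": evaluate_vlan_map(VLAN_MAP_FIRST, Packet(R2, R1, False)),
    }


def hossam_results():
    """What the documented rule predicts for Hossam's map."""
    return {
        "ip from station": evaluate_vlan_map(VLAN_MAP_VMAP, Packet(STATION, R3, True, "10.0.0.5", "10.0.0.3")),
        "non-ip from station": evaluate_vlan_map(VLAN_MAP_VMAP, Packet(STATION, BROADCAST, False)),
        "non-ip from another host": evaluate_vlan_map(VLAN_MAP_VMAP, Packet(R3, BROADCAST, False)),
    }


def without_catchall():
    """Remove the 'permit any any' sequence: a non-IP frame from r3 hits the default drop."""
    return evaluate_vlan_map((Sequence(10, "drop", "mac", MACL),), Packet(R3, BROADCAST, False))


if __name__ == "__main__":
    for name, result in {**arif_results(), **hossam_results()}.items():
        print(f"{name:30s} {result}")
    print(f"{'non-ip r3, no seq 20':30s} {without_catchall()}")
```

Under that reading, Arif's map forwards every IP packet because no sequence carries an IP clause, which is what he reports, and its MAC clause only ever drops unicast non-IP frames from r1 to r2; an ARP request from r1 is a broadcast, so it is not matched by "permit host r1 host r2" and is forwarded by sequence 20, and r2's reply travels in the unfiltered direction. The same model leaves IP traffic from Hossam's station untouched, so his observation that IP is blocked as well is not what the quoted rule predicts. The last function shows the other documented default: without the "permit any any" sequence, any non-IP frame that matches no clause is dropped.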



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:49 GMT-3