Re: Mac and IP Vlan Maps on 3550!

From: Arifur Rahman (arahman@cisco.com)
Date: Sun Apr 18 2004 - 16:41:26 GMT-3


Hi Hossam,
Thank you for your reply. I can ping continuously without any problem. I
pinged for more than 10min. Any idea/guess where your 3min limit is
coming from? Here is my IOS version:

s4#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(14)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 22-Jul-03 12:47 by antonino
Image text-base: 0x00003000, data-base: 0x007E6484

ROM: Bootstrap program is C3550 boot loader

s4 uptime is 15 hours, 54 minutes
System returned to ROM by power-on
System image file is "flash:c3550-i5q3l2-mz.121-14.EA1.bin"

Do you know how I can test the vlan filter stuff?

thank you - Arif

At 09:21 AM 4/18/2004 -0700, Hossam wrote:
>Hi Rahman,
>What you are having is perfectly aligned with the documentation,
>as MAC vlan maps should not affect IP traffic at all. What IOS version are
>you using on the 3550?
>Can you monitor this for 3 mins of continuous pinging? My IOS version works
>as documented for 2 mins and then it stops forwarding IP traffic as well.
>
>I wish you could check and get back to me with your IOS ver.
>Thanks
>Sam
>
>Arifur Rahman <arahman@cisco.com> wrote:
>Hi Group
>I am having an issue; maybe my understanding is wrong. My question: does a
>vlan-map restrict IP packets like ICMP or not? I have the following configuration:
>
>r1: 0030.7179.381d
>r2: 0090.b127.d01d
>r3: 0003.31df.ec1d
>
>mac access-list extended MACL
>permit host 0030.7179.381d host 0090.b127.d01d
>mac access-list extended MACL1
>permit any any
>!
>!
>vlan access-map first 10
>action drop
>match mac address MACL
>vlan access-map first 20
>action forward
>match mac address MACL1
>vlan filter first vlan-list 10
>
>When I apply MACL to a layer 2 interface (and without vlan filter first
>vlan-list 10) I can only ping from r1 to r2, as expected. But when I apply
>vlan filter first vlan-list 10, I can ping from any host to any host. Is
>this expected?
>
>thank you - Arif
>
>
>
>
>At 10:48 AM 4/16/2004 -0700, Hossam wrote:
> >Guys, I sent this three days earlier but I got no response. I am still
> >stuck with it.
> >
> >With only one new observation. The new thing is that I noticed that the
> >switch acts as expected (filtering non-IP traffic only and allowing IP
> >traffic) for around 1 minute, then it starts the strange behaviour of
> >stopping both IP and non-IP traffic.
> >Any help would be so appreciated.
> >SAM
> >
> >First mail:
> >Group,
> >Based on the following section in the configuration guide (Network
> >security with Access list for 3550) IOS ver. 12.1(19)EA1c:
> >
> >"If the VLAN map has at least one match clause for the type of packet
> >(IP or MAC) and the packet does not match any of these match clauses,
> >the default is to drop the packet. If there is no match clause for that
> >type of packet in the VLAN map, the default is to forward the packet."
> >
> >found at:
> >http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf53.html#1177303
> >
> >My understanding was that the 3550 has two different types of traffic, IP
> >traffic and non-IP traffic. Moreover, MAC VLAN maps only affect non-IP
> >traffic, and IP VLAN maps only affect IP traffic.
> >
> >But when I try to restrict a station with (MAC address 1) from
> >accessing the network using MAC VLAN on my 3550 (the same version as
> >mentioned above), I notice that the IP traffic from this end station
> >(MAC address 1) is restricted as well!!
> >
> >Is that OK? Is the problem with my understanding, or the documentation,
> >or my configurations as shown below?
> >
> >Configurations:
> >mac access-list extended MacList2
> > permit host 0005.5d8d.c1d4 any
> >mac access-list extended MacList3
> > permit any any
> >!
> >!
> >vlan access-map VMap 10
> > action drop
> > match mac address MacList2
> >vlan access-map VMap 20
> > action forward
> > match mac address MacList3
> >vlan filter VMap vlan-list 1
> >!
> >
> >Thanks,
> >SAM
> >
> >
> >
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>



This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:49 GMT-3
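
The default rule quoted from the configuration guide in this thread, modelled as an added Python example (not code from either poster or from Cisco). It evaluates the documented rule only, with MAC clauses applied to non-IP frames and IP clauses to IP packets as the thread describes, and does not reproduce what a particular IOS release does; the IP addresses and the WITH_IP map are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"

@dataclass
class Frame:
    mac_src: str
    mac_dst: str
    ip_src: str = None   # None means a non-IP frame
    ip_dst: str = None

@dataclass
class Entry:
    seq: int
    action: str          # "forward" or "drop"
    kind: str            # type of the match clause: "mac" or "ip"
    permits: list        # (src, dst) pairs permitted by the referenced ACL

def acl_permits(permits, src, dst):
    """True if any permit line of the ACL matches the address pair."""
    return any(s in (ANY, src) and d in (ANY, dst) for s, d in permits)

def vlan_map_verdict(entries, frame):
    """Apply the documented VLAN map rule to one frame."""
    is_ip = frame.ip_src is not None
    kind = "ip" if is_ip else "mac"
    src, dst = (frame.ip_src, frame.ip_dst) if is_ip else (frame.mac_src, frame.mac_dst)
    relevant = [e for e in sorted(entries, key=lambda e: e.seq) if e.kind == kind]
    if not relevant:
        return "forward"      # no match clause for this packet type
    for e in relevant:
        if acl_permits(e.permits, src, dst):
            return e.action   # first matching entry decides
    return "drop"             # clauses exist for this type, none matched

# MAC addresses and both maps are taken from the configurations in the thread.
R1, R2, R3 = "0030.7179.381d", "0090.b127.d01d", "0003.31df.ec1d"
FIRST = [Entry(10, "drop", "mac", [(R1, R2)]),
         Entry(20, "forward", "mac", [(ANY, ANY)])]
VMAP = [Entry(10, "drop", "mac", [("0005.5d8d.c1d4", ANY)]),
        Entry(20, "forward", "mac", [(ANY, ANY)])]
# Constructed variant: the same map plus one IP match clause (hypothetical).
WITH_IP = FIRST + [Entry(30, "forward", "ip", [("10.0.0.1", ANY)])]

if __name__ == "__main__":
    ping = Frame(R1, R2, "10.0.0.1", "10.0.0.2")       # constructed IP ping r1 -> r2
    print("IP ping through 'first':", vlan_map_verdict(FIRST, ping))
    print("non-IP r1->r2 through 'first':", vlan_map_verdict(FIRST, Frame(R1, R2)))
    other = Frame(R3, R2, "10.0.0.3", "10.0.0.2")      # constructed IP packet r3 -> r2
    print("unmatched IP through WITH_IP:", vlan_map_verdict(WITH_IP, other))
```

Under the documented rule, a map with only MAC match clauses forwards every IP packet, while adding a single IP match clause makes all unmatched IP traffic fall to the default drop.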