RE: 3550 Layer 3 access-lists applied to layer 2 ports

From: R&S Groupstudy (rsg@synergy-networking.co.uk)
Date: Wed Apr 21 2004 - 11:22:37 GMT-3


Hi Tim.

I had a play with this a while back.
It works, but I found you need to put an access-group statement on all
interfaces, otherwise a deny any any rule seemed to be applied to every
other interface. I think this was a bug.

For example if you wanted to apply access-list 101 to fast0/1, I had to also
apply access-list 102 to all other interfaces, where access-list 102 =
permit ip any any

As far as how the switch achieves this function, I imagine it looks at the
L3 header. It is L3 aware after all. The switch will perform its switching
function at L2, but it now has the ability to drop frames based on L3
information.

I do not think you need to configure any other switching parameter.

I think this is a great feature, and it is superb for filtering at L2 and L3
simultaneously.

Adam
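The workaround Adam describes, written out as an IOS configuration fragment for illustration (this is an added example, not configuration from either poster): the filtering ACL goes on the one switchport, and an explicit permit-any ACL goes on every other switchport so the implicit deny does not bleed onto them. The host address 10.0.0.5 and the port numbering are constructed assumptions; port ACLs on the 3550 are applied inbound only.

```text
! Constructed example: drop traffic from one host entering fast0/1,
! allow everything else on that port
access-list 101 deny   ip host 10.0.0.5 any
access-list 101 permit ip any any
!
! Explicit permit-all for the remaining layer 2 ports, so the
! implicit "deny any any" of ACL 101 is not applied to them
access-list 102 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 ip access-group 101 in
!
interface range FastEthernet0/2 - 24
 switchport mode access
 ip access-group 102 in
```

To confirm the ACL is being hit on the intended port only, check `show access-lists` counters while generating traffic from the filtered host and from an unfiltered host.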

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Tim Last
Sent: 21 April 2004 15:06
To: Group Study
Subject: 3550 Layer 3 access-lists applied to layer 2 ports

Hi all,

The 3550 documentation seems to imply that it's OK to apply an access-list
which looks at layer 3 or higher layer info inside the frame (for example,
mark all ip pkts from ip addr x with ip prec y) and apply it to a layer 2 port
(vs a routed port).

1) Am I interpreting the documentation correctly, i.e. there's no problem with
doing that?

2) If that's OK, how does that work? Isn't it true that Ethernet switches,
in general, only look at MAC headers and based on mac addresses make their
switching decision?

3) Are there any restrictions or limitations in doing this? Can I create
any access-list that would work on a routed interface, apply it to 3550
layer 2 port and expect that it will work?

4) For this to work, do I need to configure anything on the 3550 in addition
to the commands that create the access-list and apply it to port? For
example, mls qos?

Maybe someone can explain what's going on here.

Thanks in advance, Tim




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3