RE: 3550 Layer 3 access-lists applied to layer 2 ports

From: Church, Chuck (cchurch@wamnetgov.com)
Date: Wed Apr 21 2004 - 11:57:24 GMT-3


I think they're done in the ASICs. In fact, the 2950 EMIs can do layer
3 ACLs, even though they can't forward based on L3.

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Wam!Net Government Services - Design & Implementation Team
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnetgov.com
PGP key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=cchurch%40wamnetgov.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kenneth Wygand
Sent: Wednesday, April 21, 2004 10:45 AM
To: R&S Groupstudy; Tim Last; Group Study
Subject: RE: 3550 Layer 3 access-lists applied to layer 2 ports

I would assume this would add additional overhead since switches
normally make their forwarding decision without considering the layer-3
header. I'd assume this layer-3 lookup could be CEF switched by the
3550, but I'm not too sure.

Kenneth E. Wygand
Systems Engineer, Project Services
CISSP #37102, CCNP, CCDP, ACSP, Cisco IPT Design Specialist, MCP, CNA,
Network+, A+
Custom Computer Specialists, Inc.
"The only unattainable goal is the one not attempted."
-Anonymous

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of R&S Groupstudy
Sent: Wednesday, April 21, 2004 10:23 AM
To: Tim Last; Group Study
Subject: RE: 3550 Layer 3 access-lists applied to layer 2 ports

Hi Tim.

I had a play with this a while back.
It works, but I found you need to put an access-group statement on all
interfaces, otherwise a deny any any rule seemed to be applied to every
other interface. I think this was a bug.

For example, if you wanted to apply access-list 101 to fast0/1, I had to
also apply access-list 102 to all other interfaces, where access-list
102 = permit ip any any.

As far as how the switch achieves this function, I imagine it looks at
the L3 header. It is L3 aware after all. The switch will perform its
switching function at L2, but it now has the ability to drop frames
based on L3 information.

I do not think you need to configure any other switching parameter.

I think this is a great feature, and it is superb for filtering at L2
and L3 simultaneously.

Adam
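The workaround Adam describes above, written out as a 3550 configuration. This is an added illustration, not config posted in the thread; the interface numbers and the 192.0.2.0/24 source network are constructed placeholders, and the policy itself is just "permit one subnet on fa0/1, permit everything on the remaining ports".

```ios
! Added example, not from the thread. Addresses and port range are constructed.
!
! ACL 101: the filter that is actually wanted on FastEthernet0/1.
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip any any
!
! ACL 102: explicit permit-all, applied to every other L2 port so that
! the implicit deny reported in the thread is not inherited by them.
access-list 102 permit ip any any
!
interface FastEthernet0/1
 switchport mode access
 ip access-group 101 in
!
interface range FastEthernet0/2 - 24
 switchport mode access
 ip access-group 102 in
!
end
```

On the 3550, an IP ACL on a layer 2 (switchport) interface is a port ACL and can only be applied inbound (`in`); `show access-lists` and `show ip interface FastEthernet0/1` let you confirm the match counters and the binding after applying it.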

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim Last
Sent: 21 April 2004 15:06
To: Group Study
Subject: 3550 Layer 3 access-lists applied to layer 2 ports

Hi all,

The 3550 documentation seems to imply that it's OK to apply an
access-list which looks at layer 3 or higher layer info inside the frame
(for example, mark all IP pkts from IP addr x with IP prec y) to a
layer 2 port (vs. a routed port).

1) Am I interpreting the documentation correctly, i.e. there's no problem
with doing that?

2) If that's OK, how does that work? Isn't it true that Ethernet
switches, in general, only look at MAC headers and make their switching
decision based on MAC addresses?

3) Are there any restrictions or limitations in doing this? Can I
create any access-list that would work on a routed interface, apply it
to a 3550 layer 2 port and expect that it will work?

4) For this to work, do I need to configure anything on the 3550 in
addition to the commands that create the access-list and apply it to
the port? For example, mls qos?

Maybe someone can explain what's going on here.

Thanks in advance, Tim




This archive was generated by hypermail 2.1.4 : Mon May 03 2004 - 19:48:51 GMT-3