From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Aug 10 2004 - 18:16:55 GMT-3
Brian,
Is there a way to explicitly deny IPX traffic on a 3550? I thought the 3550
only supports IP and MAC address ACLs. Am I mistaken?
Thanks,
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, August 10, 2004 2:41 PM
Subject: RE: vlan-map filters
Tim,
This type of question is really beyond the scope of the lab
exam, as I highly doubt they want you to remember the LSAP values of the
different protocols. Instead, this task is meant to be a slap on the
wrist to show you how NOT to configure VACLs :)

Normal ACL filtering dictates that you permit only what you
want, and deny everything else. When using VACLs, you should deny what
you don't want, and permit everything else. Otherwise you tend to
forget all the necessary layer 2 protocols that are keeping the network
alive.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Tuesday, August 10, 2004 10:38 AM
> To: Group Study
> Subject: vlan-map filters
>
> Hi guys,
>
> From IE lab 11, task 1.16 and 1.17
>
> Problem:
>
> Allow only IP traffic on VLAN 56, however, if other behind the scenes
> traffic is NOT allowed, there'll be big trouble in Cisco lab city.
>
>
> Solution:
>
> ip access-list extended IPONLY
>  permit ip any any
> !
> mac access-list extended IP_ARP
>  permit any any 0x806 0x0          <--- Can this be found on Doc CD?
>
> mac access-list extended IS-IS
>  permit any any lsap 0xFEFE 0x0    <--- Can this be found on Doc CD?
>
> mac access-list extended IEEE-STP
>  permit any any lsap 0x4242 0x0    <--- Can this be found on Doc CD?
> !
> vlan access-map IPONLY 10
>  action forward
>  match ip address IPONLY
>
> vlan access-map IPONLY 20
>  action forward
>  match mac address IP_ARP
>
> vlan access-map IPONLY 30
>  action forward
>  match mac address IS-IS
>
> vlan access-map IPONLY 40
>  action forward
>  match mac address IEEE-STP
>
> vlan access-map IPONLY 50
>  action drop
>
> vlan filter IPONLY vlan-list 56
>
> Question: Does anybody know where on the Doc-CD the codes used to match
> these traffic types can be found? I've looked but came up empty.
>
> Also, CDP traffic will be dropped by the above vlan filter. Is that a
> good idea?
>
> Thanks, Tim
>
>
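
The reply's point, that an allow-list VLAN map silently drops Layer 2 control traffic while a deny-list map does not, shown as an added example that is not part of the thread. It is a simplified first-match model in Python, not switch configuration; the sample frames are constructed, and the IPX values (EtherType 0x8137, LSAP 0xE0E0) and the SNAP LSAP 0xAAAA used for CDP are standard values that do not appear in the posts.

```python
"""Simplified first-match model of VLAN access-map evaluation (added example)."""

# Constructed sample frames: (label, kind, value). kind "etype" is an
# Ethernet II EtherType, kind "lsap" is an 802.2 DSAP/SSAP pair.
FRAMES = [
    ("IPv4",         "etype", 0x0800),
    ("ARP",          "etype", 0x0806),
    ("IS-IS",        "lsap",  0xFEFE),
    ("IEEE STP",     "lsap",  0x4242),
    ("CDP (SNAP)",   "lsap",  0xAAAA),  # not listed in the posted map
    ("IPX (Eth II)", "etype", 0x8137),
    ("IPX (802.2)",  "lsap",  0xE0E0),
]

# Map entries: (sequence, action, match). match is a set of (kind, value)
# pairs, or None for an entry with no match clause, which matches everything.
ALLOW_LIST = [  # the map posted in the thread: permit known types, drop the rest
    (10, "forward", {("etype", 0x0800)}),
    (20, "forward", {("etype", 0x0806)}),
    (30, "forward", {("lsap", 0xFEFE)}),
    (40, "forward", {("lsap", 0x4242)}),
    (50, "drop", None),
]
DENY_LIST = [  # the style the reply recommends, with IPX as the unwanted traffic
    (10, "drop", {("etype", 0x8137), ("lsap", 0xE0E0)}),
    (20, "forward", None),
]

def evaluate(vmap, kind, value):
    """Return (action, sequence) of the first entry that matches the frame."""
    for seq, action, match in sorted(vmap, key=lambda entry: entry[0]):
        if match is None or (kind, value) in match:
            return action, seq
    # Not reached by either map above (both end in a catch-all entry);
    # dropping here is this model's choice, not a statement about the switch.
    return "drop", None

def dropped(vmap):
    """Labels of the sample frames that the map drops."""
    return [label for label, kind, value in FRAMES
            if evaluate(vmap, kind, value)[0] == "drop"]

if __name__ == "__main__":
    print("allow-list drops:", dropped(ALLOW_LIST))
    print("deny-list drops: ", dropped(DENY_LIST))
```

Any control protocol missing from the allow-list falls through to sequence 50, which is how CDP ends up dropped; the deny-list map drops only the two IPX encapsulations it names.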