From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Aug 10 2004 - 18:58:55 GMT-3
Jeez, I guess I'm still thinking from the old ACRC course.
OK, IPX ether type is 8137 and 8138, so would this ether type acl be correct
for the 3550?

mac access-list extended NO-IPX
 deny any any 0x8137 0x0001

Am I getting warm?
Thanks, Tim
----- Original Message -----
From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
Sent: Tuesday, August 10, 2004 5:33 PM
Subject: RE: vlan-map filters
> What is the Ether-Type value for IPX?
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > Sent: Tuesday, August 10, 2004 4:17 PM
> > To: Brian McGahan; Group Study
> > Subject: Re: vlan-map filters
> >
> > Brian,
> >
> > Is there a way to explicitly deny IPX traffic on a 3550? I thought the 3550
> > only supports IP and mac address acl's. Am I mistaken?
> >
> > Thanks,
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > Sent: Tuesday, August 10, 2004 2:41 PM
> > Subject: RE: vlan-map filters
> >
> >
> > Tim,
> >
> > This type of question is really beyond the scope of the lab
> > exam, as I highly doubt they want you to remember the LSAP values of the
> > different protocols. Instead, this task is meant to be a slap on the
> > wrist to show you how NOT to configure VACLs :)
> >
> > Normal ACL filtering dictates that you permit only what you
> > want, and deny everything else. When using VACLs, you should deny what
> > you don't want, and permit everything else. Otherwise you tend to
> > forget all the necessary layer 2 protocols that are keeping the network
> > alive.
> >
> >
> > HTH,
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > To: Group Study
> > > Subject: vlan-map filters
> > >
> > > Hi guys,
> > >
> > > From IE lab 11, task 1.16 and 1.17
> > >
> > > Problem:
> > >
> > > Allow only ip traffic on vlan 56, however, if other behind the scenes
> > > traffic is NOT allowed, there'll be big trouble in Cisco lab city.
> > >
> > >
> > > Solution:
> > >
> > > ip access-list extended IPONLY
> > >  permit ip any any
> > > !
> > > mac access-list extended IP_ARP
> > >  permit any any 0x806 0x0          <--- Can this be found on Doc CD?
> > >
> > > mac access-list extended IS-IS
> > >  permit any any lsap 0xFEFE 0x0    <--- Can this be found on Doc CD?
> > >
> > > mac access-list extended IEEE-STP
> > >  permit any any lsap 0x4242 0x0    <--- Can this be found on Doc CD?
> > > !
> > > vlan access-map IPONLY 10
> > >  action forward
> > >  match ip address IPONLY
> > >
> > > vlan access-map IPONLY 20
> > >  action forward
> > >  match mac address IP_ARP
> > >
> > > vlan access-map IPONLY 30
> > >  action forward
> > >  match mac address IS-IS
> > >
> > > vlan access-map IPONLY 40
> > >  action forward
> > >  match mac address IEEE-STP
> > >
> > > vlan access-map IPONLY 50
> > >  action drop
> > >
> > > vlan filter IPONLY vlan-list 56
> > >
> > > Question: Does anybody know where on the Doc-CD the codes used to match
> > > these traffic types can be found? I've looked but came up empty.
> > >
> > > Also, cdp traffic will be dropped by the above vlan filter. Is that a
> > > good idea?
> > >
> > > Thanks, Tim
> > >
> > >
> > >
> > > _______________________________________________________________________
> > > Please help support GroupStudy by purchasing your study materials from:
> > > http://shop.groupstudy.com
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
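
An added example, not part of the original thread: a simplified Python model of the VACL discussion above, comparing the quoted IPONLY permit-list map with a deny-list map of the kind Brian describes, and listing which EtherTypes a single type/mask entry covers. The NO_IPX map contents, the sample frames and the treatment of the mask as don't-care bits are assumptions of this model.

```python
# Simplified model of VACL evaluation (assumptions: IP frames are tested only
# against "match ip address", non-IP frames only against "match mac address",
# and the type/LSAP mask marks don't-care bits, as with the 0x0 masks above).

def field_match(value, pattern, mask):
    """True when value equals pattern on every bit the mask does not wildcard."""
    return (value & ~mask & 0xFFFF) == (pattern & ~mask & 0xFFFF)

def acl_hits(frame, acl):
    """acl is 'ip' (permit ip any any) or a list of (kind, pattern, mask) permits."""
    if acl == "ip":
        return frame["kind"] == "ip"
    return any(frame["kind"] == kind and field_match(frame["value"], pat, mask)
               for kind, pat, mask in acl)

def vacl_action(frame, access_map):
    """Walk the sequences in order; a sequence with no match clause hits every frame."""
    for match, action in access_map:
        if match is None or acl_hits(frame, match):
            return action
    return "drop"  # not reached here: both maps end in a catch-all sequence

# Constructed sample frames: EtherType, or DSAP/SSAP pair for 802.2 LLC frames.
FRAMES = {
    "IPv4":     {"kind": "ip",   "value": 0x0800},
    "ARP":      {"kind": "type", "value": 0x0806},
    "IS-IS":    {"kind": "lsap", "value": 0xFEFE},
    "IEEE STP": {"kind": "lsap", "value": 0x4242},
    "CDP":      {"kind": "lsap", "value": 0xAAAA},  # CDP rides in LLC/SNAP
    "IPX 8137": {"kind": "type", "value": 0x8137},
    "IPX 8138": {"kind": "type", "value": 0x8138},
}

# The quoted permit-list map (IPONLY), sequences 10 to 50.
IPONLY = [("ip", "forward"), ([("type", 0x0806, 0x0)], "forward"),
          ([("lsap", 0xFEFE, 0x0)], "forward"), ([("lsap", 0x4242, 0x0)], "forward"),
          (None, "drop")]
# Hypothetical deny-list map: drop the two IPX EtherTypes, forward the rest.
NO_IPX = [([("type", 0x8137, 0x0), ("type", 0x8138, 0x0)], "drop"), (None, "forward")]

def evaluate(access_map):
    return {name: vacl_action(f, access_map) for name, f in FRAMES.items()}

def covered_types(pattern, mask):
    """Every 16-bit EtherType a single type/mask entry matches."""
    return [t for t in range(0x10000) if field_match(t, pattern, mask)]

if __name__ == "__main__":
    for name in FRAMES:
        print(f"{name:9} IPONLY={evaluate(IPONLY)[name]:8} NO_IPX={evaluate(NO_IPX)[name]}")
    print([hex(t) for t in covered_types(0x8137, 0x0001)])
```

The model only covers the EtherType and LSAP values named in the thread; other IPX encapsulations are outside what it represents.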
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:40 GMT-3