From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Aug 10 2004 - 21:47:53 GMT-3

Did you test it? :)

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Tuesday, August 10, 2004 4:59 PM
> To: Brian McGahan; Group Study
> Subject: Re: vlan-map filters to deny IPX traffic
>
> Jeez, I guess I'm still thinking from old ACRC course.
>
> OK, IPX ether type is 8137 and 8138, so would this ether type acl be
> correct for the 3550?
>
> mac access-list extended NO-IPX
>  deny any any 0x8137 0x0001
>
> Am I getting warm?
>
> Thanks, Tim
>
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Tuesday, August 10, 2004 5:33 PM
> Subject: RE: vlan-map filters
>
>
> > What is the Ether-Type value for IPX?
> >
> > Brian McGahan, CCIE #8593
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > To: Brian McGahan; Group Study
> > > Subject: Re: vlan-map filters
> > >
> > > Brian,
> > >
> > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the
> > > 3550 only supports IP and mac address acl's. Am I mistaken?
> > >
> > > Thanks,
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > Subject: RE: vlan-map filters
> > >
> > >
> > > Tim,
> > >
> > > This type of question is really beyond the scope of the lab exam, as I
> > > highly doubt they want you to remember the LSAP values of the different
> > > protocols. Instead, this task is meant to be a slap on the wrist to show
> > > you how NOT to configure VACLs :)
> > >
> > > Normal ACL filtering dictates that you permit only what you want, and
> > > deny everything else. When using VACLs, you should deny what you don't
> > > want, and permit everything else. Otherwise you tend to forget all the
> > > necessary layer 2 protocols that are keeping the network alive.
> > >
> > >
> > > HTH,
> > >
> > > Brian McGahan, CCIE #8593
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > To: Group Study
> > > > Subject: vlan-map filters
> > > >
> > > > Hi guys,
> > > >
> > > > From IE lab 11, task 1.16 and 1.17
> > > >
> > > > Problem:
> > > >
> > > > Allow only ip traffic on vlan 56, however, if other behind the scenes
> > > > traffic is NOT allowed, there'll be big trouble in Cisco lab city.
> > > >
> > > >
> > > > Solution:
> > > >
> > > > ip access-list extended IPONLY
> > > >  permit ip any any
> > > > !
> > > > mac access-list extended IP_ARP
> > > >  permit any any 0x806 0x0          <--- Can this be found on Doc CD?
> > > >
> > > > mac access-list extended IS-IS
> > > >  permit any any lsap 0xFEFE 0x0    <--- Can this be found on Doc CD?
> > > >
> > > > mac access-list extended IEEE-STP
> > > >  permit any any lsap 0x4242 0x0    <--- Can this be found on Doc CD?
> > > > !
> > > > vlan access-map IPONLY 10
> > > >  action forward
> > > >  match ip address IPONLY
> > > >
> > > > vlan access-map IPONLY 20
> > > >  action forward
> > > >  match mac address IP_ARP
> > > >
> > > > vlan access-map IPONLY 30
> > > >  action forward
> > > >  match mac address IS-IS
> > > >
> > > > vlan access-map IPONLY 40
> > > >  action forward
> > > >  match mac address IEEE-STP
> > > >
> > > > vlan access-map IPONLY 50
> > > >  action drop
> > > >
> > > > vlan filter IPONLY vlan-list 56
> > > >
> > > > Question: Does anybody know where on the Doc-CD the codes used to match
> > > > these traffic types can be found? I've looked but came up empty.
> > > >
> > > > Also, cdp traffic will be dropped by the above vlan filter. Is that a
> > > > good idea?
> > > >
> > > > Thanks, Tim
> > > >
> > > >
> > >
> >
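
Added example (not part of the original thread, and not IOS code): a small Python model of first-match VLAN-map evaluation, comparing the lab's permit-only IPONLY map with a hypothetical drop-IPX map built from the NO-IPX pattern quoted above. It assumes the EtherType mask marks don't-care bits; the frame list, the CDP entry (SNAP type 0x2000) and all function names are constructed for illustration.

```python
# Constructed model of first-match VLAN access-map evaluation (not IOS code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    name: str
    kind: str       # "ip", "ethertype" (Ethernet II/SNAP type) or "lsap"
    value: int = 0

def matches(value, pattern, dont_care):
    """Assumed semantics: bits set in dont_care are ignored in the compare."""
    keep = ~dont_care & 0xFFFF
    return (value & keep) == (pattern & keep)

def covered(pattern, dont_care):
    """Every 16-bit value that a pattern/mask pair selects."""
    return [v for v in range(0x10000) if matches(v, pattern, dont_care)]

def evaluate(vlan_map, frame):
    """Action of the first entry whose match clause selects the frame."""
    for action, kind, pattern, dont_care in vlan_map:
        if kind == "any":                      # entry with no match clause
            return action
        if kind == frame.kind and (kind == "ip" or matches(frame.value, pattern, dont_care)):
            return action
    return "drop"                              # modelling assumption: nothing matched

def verdicts(vlan_map):
    return {f.name: evaluate(vlan_map, f) for f in FRAMES}

# Constructed sample frames. Values are the ones quoted in the thread,
# except CDP (SNAP type 0x2000), which is added for this example.
FRAMES = [
    Frame("IPv4", "ip"), Frame("ARP", "ethertype", 0x0806),
    Frame("IS-IS", "lsap", 0xFEFE), Frame("STP", "lsap", 0x4242),
    Frame("CDP", "ethertype", 0x2000),
    Frame("IPX-8137", "ethertype", 0x8137), Frame("IPX-8138", "ethertype", 0x8138),
]
# The lab solution: forward a short allow-list, drop everything else.
IPONLY = [("forward", "ip", 0, 0), ("forward", "ethertype", 0x0806, 0x0),
          ("forward", "lsap", 0xFEFE, 0x0), ("forward", "lsap", 0x4242, 0x0),
          ("drop", "any", 0, 0)]
# Hypothetical deny-list map: drop the NO-IPX pattern, forward the rest.
NO_IPX = [("drop", "ethertype", 0x8137, 0x0001), ("forward", "any", 0, 0)]

if __name__ == "__main__":
    for label, vmap in (("IPONLY", IPONLY), ("NO_IPX", NO_IPX)):
        print(label, verdicts(vmap))
    print([hex(v) for v in covered(0x8137, 0x0001)])
```

Under these assumptions the allow-list map drops CDP along with IPX, while the deny-list map keeps the layer 2 control traffic but selects only 0x8136 and 0x8137 with the 0x0001 mask.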
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:40 GMT-3