From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Aug 11 2004 - 00:02:26 GMT-3
Hey Larry,

1) Use a vlan map filter (see 1st post below).
2) Apply vlan map filter to vlan with "vlan filter <name of vlan map filter> vlan-list <vlan #>".

I think the ultimate way to test this is to have multiple devices connected
to ports assigned the same vlan # where at least 2 devices are running ipx
(a router can simulate an ipx device by doing an ipx ping) and 2 other
devices are just running ip.

Before applying filter, make sure vlan successfully passes all traffic - ip
and ipx.

Then apply filter and make sure that ipx traffic is blocked while ip traffic
still passes.

I would also see, if possible, if the ethertype can be determined from doing
a debug ipx packets (or some similar command - I don't know if there's
actually a debug ipx packet command but guess there is or something
similar).

If that's possible, that could come in handy one day. Although, since ipx
is no longer included in lab, this type of thing probably wouldn't show up
in the lab except possibly in the security portion.

HTH, Tim

----- Original Message -----
From: "Larry Metzger" <larrymetzger@sbcglobal.net>
To: "'Group Study'" <ccielab@groupstudy.com>
Sent: Tuesday, August 10, 2004 10:31 PM
Subject: RE: vlan-map filters to deny IPX traffic
> I setup the filter and configured my computer for IPX/SPX. What command
> is needed to see the switch blocking traffic?
>
> Larry
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Tuesday, August 10, 2004 6:19 PM
> To: Group Study; Brian McGahan
> Subject: Re: vlan-map filters to deny IPX traffic
>
> I'd like to except I don't have access to any 3550's until my next rack
> rental date which isn't until August 24.
>
> But, maybe you could tell me what would happen if I tested this. Also, to
> really test this wouldn't I need some source of IPX traffic? Or, is there a
> way to test this without having a source of IPX traffic?
>
> BTW, I found a listing of ethertypes at the link Marvin Greenlee posted a
> bit earlier:
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
>
> This listing is accurate, isn't it?
>
> Thanks
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Tuesday, August 10, 2004 8:47 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > Did you test it? :)
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > To: Brian McGahan; Group Study
> > > Subject: Re: vlan-map filters to deny IPX traffic
> > >
> > > Jeez, I guess I'm still thinking from old ACRC course.
> > >
> > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be correct
> > > for the 3550?
> > >
> > > mac access-list extended NO-IPX
> > > deny any any 0x8137 0x0001
> > >
> > > Am I getting warm?
> > >
> > > Thanks, Tim
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > Subject: RE: vlan-map filters
> > >
> > >
> > > > What is the Ether-Type value for IPX?
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > To: Brian McGahan; Group Study
> > > > > Subject: Re: vlan-map filters
> > > > >
> > > > > Brian,
> > > > >
> > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the 3550
> > > > > only supports IP and mac address acl's. Am I mistaken?
> > > > >
> > > > > Thanks,
> > > > > ----- Original Message -----
> > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > Subject: RE: vlan-map filters
> > > > >
> > > > >
> > > > > Tim,
> > > > >
> > > > > This type of question is really beyond the scope of the lab
> > > > > exam, as I highly doubt they want you to remember the LSAP values of the
> > > > > different protocols. Instead, this task is meant to be a slap on the
> > > > > wrist to show you how NOT to configure VACLs :)
> > > > >
> > > > > Normal ACL filtering dictates that you permit only what you
> > > > > want, and deny everything else. When using VACLs, you should deny what
> > > > > you don't want, and permit everything else. Otherwise you tend to
> > > > > forget all the necessary layer 2 protocols that are keeping the network
> > > > > alive.
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > To: Group Study
> > > > > > Subject: vlan-map filters
> > > > > >
> > > > > > Hi guys,
> > > > > >
> > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > >
> > > > > > Problem:
> > > > > >
> > > > > > Allow only ip traffic on vlan 56, however, if other behind the scenes traffic
> > > > > > is NOT allowed, there'll be big trouble in Cisco lab city.
> > > > > >
> > > > > >
> > > > > > Solution:
> > > > > >
> > > > > > ip access-list extended IPONLY
> > > > > >  permit ip any any
> > > > > > !
> > > > > > mac access-list extended IP_ARP
> > > > > >  permit any any 0x806 0x0        <--- Can this be found on Doc CD?
> > > > > >
> > > > > > mac access-list extended IS-IS
> > > > > >  permit any any lsap 0xFEFE 0x0  <--- Can this be found on Doc CD?
> > > > > >
> > > > > > mac access-list extended IEEE-STP
> > > > > >  permit any any lsap 0x4242 0x0  <--- Can this be found on Doc CD?
> > > > > > !
> > > > > > vlan access-map IPONLY 10
> > > > > >  action forward
> > > > > >  match ip address IPONLY
> > > > > >
> > > > > > vlan access-map IPONLY 20
> > > > > >  action forward
> > > > > >  match mac address IP_ARP
> > > > > >
> > > > > > vlan access-map IPONLY 30
> > > > > >  action forward
> > > > > >  match mac address IS-IS
> > > > > >
> > > > > > vlan access-map IPONLY 40
> > > > > >  action forward
> > > > > >  match mac address IEEE-STP
> > > > > >
> > > > > > vlan access-map IPONLY 50
> > > > > >  action drop
> > > > > >
> > > > > > vlan filter IPONLY vlan-list 56
> > > > > >
> > > > > > Question: Does anybody know where on the Doc-CD the codes used to match
> > > > > > these traffic types can be found? I've looked but came up empty.
> > > > > >
> > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that a
> > > > > > good idea?
> > > > > >
> > > > > > Thanks, Tim
> > > > > >
> > > > > >
> > > > > > _______________________________________________________________________
> > > > > > Please help support GroupStudy by purchasing your study materials from:
> > > > > > http://shop.groupstudy.com
> > > > > >
> > > > > > Subscription information may be found at:
> > > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:41 GMT-3
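
The two filtering styles discussed in this thread, as an added example that is not part of the original posts: a simplified Python model (not IOS code) of how a VLAN map with mac access-list entries treats non-IP frames, run over constructed frames. It goes slightly beyond the thread by including IPX in 802.2 SAP encapsulation (LSAP 0xE0E0), and it assumes the mask is a set of don't-care bits, as in IOS mac access-lists.

```python
# Added illustration: simplified model of VLAN-map matching, not IOS code.
MAC = bytes(12)  # constructed placeholder destination + source addresses

def eth2(etype):            # Ethernet II frame
    return MAC + etype.to_bytes(2, "big") + bytes(46)

def llc(lsap):              # 802.3 length + 802.2 LLC (DSAP/SSAP pair)
    return MAC + (46).to_bytes(2, "big") + lsap.to_bytes(2, "big") + bytes(44)

def snap(etype):            # 802.2 SNAP: AA AA 03, OUI, then EtherType
    hdr = b"\xaa\xaa\x03\x00\x00\x0c"
    return MAC + (46).to_bytes(2, "big") + hdr + etype.to_bytes(2, "big") + bytes(38)

def classify(frame):
    """Return ('ip', 0), ('ethertype', n) or ('lsap', n)."""
    tl = int.from_bytes(frame[12:14], "big")
    if tl >= 0x0600:                              # value is an EtherType
        return ("ip", 0) if tl == 0x0800 else ("ethertype", tl)
    lsap = int.from_bytes(frame[14:16], "big")
    if lsap == 0xAAAA:                            # SNAP header present
        return ("ethertype", int.from_bytes(frame[20:22], "big"))
    return ("lsap", lsap)

def matches(value, pattern, mask):
    """Mask bits set to 1 are don't-care bits; mask 0x0 is an exact match."""
    return (value & ~mask) == (pattern & ~mask)

def evaluate(vlan_map, frame):
    kind, value = classify(frame)
    for action, clause in vlan_map:               # entries in sequence order
        if clause is None:                        # no match clause: match all
            return action
        ckind, pattern, mask = clause
        if ckind == kind and (kind == "ip" or matches(value, pattern, mask)):
            return action
    return "drop"

# The thread's permit-list map, and a deny-list map in the style Brian describes.
IPONLY = [("forward", ("ip", 0, 0)), ("forward", ("ethertype", 0x0806, 0)),
          ("forward", ("lsap", 0xFEFE, 0)), ("forward", ("lsap", 0x4242, 0)),
          ("drop", None)]
NO_IPX = [("drop", ("ethertype", 0x8137, 0)), ("drop", ("lsap", 0xE0E0, 0)),
          ("forward", None)]
FRAMES = {"ipv4": eth2(0x0800), "arp": eth2(0x0806), "stp": llc(0x4242),
          "isis": llc(0xFEFE), "cdp": snap(0x2000),
          "ipx_arpa": eth2(0x8137), "ipx_sap": llc(0xE0E0)}

def verdicts(vlan_map):
    return {name: evaluate(vlan_map, f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for label, m in (("IPONLY", IPONLY), ("NO_IPX", NO_IPX)):
        print(label, verdicts(m))
```

In this model the permit-list map drops CDP along with IPX, while the deny-list map drops only the two IPX encapsulations it names and forwards everything else.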