RE: vlan-map filters to deny IPX traffic

From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Aug 11 2004 - 01:21:11 GMT-3


Tim,

        You mean you don't remember the good ol' days of IPX routing? :)

R1(config)#ipx routing 1.1.1
R1(config)#int s0/0
R1(config-if)#encap frame
R1(config-if)#ipx network 1
R1(config-if)#no shut
Router(config-if)#end
Router#debug frame-relay packet
Frame Relay packet debugging is on
Router#
Router#show fram map
Serial0/0 (up): ipx 1.0002.0002.0002 dlci 102(0xC9,0x3090), dynamic,
              broadcast,, status defined, active
Router#ping ipx 1.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte IPX Novell Echoes to 1.0002.0002.0002, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
Router#
*Mar 1 09:00:22.048: Serial0/0(o): dlci 102(0x1861), pkt type
0x8137(NOVELL), datagramsize 104
*Mar 1 09:00:22.052: Serial0/0(i): dlci 102(0x1861), pkt type 0x8137,
datagramsize 104

        Based on this you can see that the LSAP is 0x8137. Your filter
is correct. You would want to deny 0x8137 and 0x8138, and permit
everything else. However, I would recommend that you keep the permit or
deny logic in the VLAN access-map, not in the access-list, like below:

mac access-list extended NO-IPX
 permit any any 0x8137 0x0001
!
vlan access-map NO-IPX 10
 match mac address NO-IPX
 action drop
!
vlan access-map NO-IPX 20
 action forward

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

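Added example, not code from the original post or from Cisco: a small Python model of how a 3550 evaluates a VLAN access-map against a frame. It assumes Cisco's documented semantics, namely that the second number in a mac access-list entry is a mask of don't-care bits (like an IP wildcard), that an access-map sequence with no match clause matches every frame, and that a frame matching no sequence hits the implicit drop at the end of the map. The `ethertypes_covered()` function lists every EtherType a value/mask pair actually admits, which is the check to run before trusting a mask: 0x8137 with mask 0x0001 covers 0x8136 and 0x8137 only, so a wider mask such as 0x000F (covering 0x8130 through 0x813F) is needed for a single entry to catch both 0x8137 and 0x8138. The helper names `no_ipx_map` and `ip_only_map`, the sample frames and the frame labels are constructed for this example, and the ip access-list from the IPONLY map further down the thread is modelled as a plain EtherType 0x0800 match for simplicity.

```python
"""Model of how a Catalyst 3550 VLAN access-map evaluates a frame.

Added example for this thread, not code from the original post or from Cisco.
Assumed Cisco semantics:
  * in a MAC ACL the number after the EtherType/LSAP is a mask of don't-care
    bits (1 = ignore that bit), like an IP wildcard mask;
  * an access-map sequence without a match clause matches every frame;
  * a frame that matches no sequence hits the implicit drop at the end.
"""
from dataclasses import dataclass
from typing import List, Optional

IPX_ETHERTYPES = (0x8137, 0x8138)  # the two values named in the thread


@dataclass
class MacAce:
    action: str              # "permit" or "deny"
    value: int               # EtherType or LSAP value from the ACE
    mask: int                # don't-care bits applied before comparison
    kind: str = "ethertype"  # "ethertype" (Ethernet II/SNAP) or "lsap" (802.2)


def ace_matches(ace: MacAce, frame: dict) -> bool:
    """True if the frame's EtherType/LSAP equals the ACE value, ignoring masked bits."""
    proto = frame.get(ace.kind)
    if proto is None:
        return False
    care = ~ace.mask & 0xFFFF
    return (proto & care) == (ace.value & care)


def acl_permits(acl: List[MacAce], frame: dict) -> bool:
    """First-match MAC ACL evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, frame):
            return ace.action == "permit"
    return False


@dataclass
class VaclSeq:
    seq: int
    action: str                               # "forward" or "drop"
    match_acl: Optional[List[MacAce]] = None  # None = no match clause = matches all


def vacl_verdict(vacl: List[VaclSeq], frame: dict) -> str:
    """A sequence 'matches' only when its ACL *permits* the frame; a frame the ACL
    denies falls through to the next sequence. That is why the forward/drop
    decision belongs in the access-map, not in the ACL."""
    for entry in sorted(vacl, key=lambda e: e.seq):
        if entry.match_acl is None or acl_permits(entry.match_acl, frame):
            return entry.action
    return "drop"  # implicit drop at the end of the map


def ethertypes_covered(value: int, mask: int) -> List[int]:
    """Every 16-bit EtherType that 'value mask' matches; use it to check a mask."""
    care = ~mask & 0xFFFF
    return [t for t in range(0x10000) if (t & care) == (value & care)]


def no_ipx_map(mask: int) -> List[VaclSeq]:
    """The NO-IPX access-map from the thread, parameterised on the EtherType mask."""
    no_ipx_acl = [MacAce("permit", 0x8137, mask)]
    return [VaclSeq(10, "drop", no_ipx_acl),
            VaclSeq(20, "forward")]


def ip_only_map() -> List[VaclSeq]:
    """Permit-only map in the spirit of the thread's IPONLY example (the ip
    access-list is modelled as an EtherType 0x0800 match; hypothetical helper)."""
    return [VaclSeq(10, "forward", [MacAce("permit", 0x0800, 0)]),
            VaclSeq(20, "forward", [MacAce("permit", 0x0806, 0)]),
            VaclSeq(30, "forward", [MacAce("permit", 0xFEFE, 0, "lsap")]),
            VaclSeq(40, "forward", [MacAce("permit", 0x4242, 0, "lsap")]),
            VaclSeq(50, "drop")]


# Constructed sample frames: IPX (both EtherTypes), IP, ARP and an 802.2 SNAP
# frame (LSAP 0xAAAA, the encapsulation CDP uses).
SAMPLE_FRAMES = {
    "ipx-8137": {"ethertype": 0x8137},
    "ipx-8138": {"ethertype": 0x8138},
    "ip":       {"ethertype": 0x0800},
    "arp":      {"ethertype": 0x0806},
    "snap":     {"lsap": 0xAAAA},
}


def verdicts(vacl: List[VaclSeq]) -> dict:
    """Verdict of the given access-map for every sample frame."""
    return {name: vacl_verdict(vacl, f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for mask in (0x0001, 0x000F):
        print(f"0x8137 mask {mask:#06x} covers:",
              [hex(t) for t in ethertypes_covered(0x8137, mask)])
        print(f"NO-IPX with mask {mask:#06x}:", verdicts(no_ipx_map(mask)))
    print("IPONLY (permit-only):", verdicts(ip_only_map()))
```

Running it side by side shows the two points of the thread: NO-IPX forwards everything it was not told to drop (IP, ARP and the SNAP frame all pass), while the permit-only IPONLY map silently drops the SNAP frame because nobody listed it, which is the CDP casualty mentioned in the first post.
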
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Tuesday, August 10, 2004 8:19 PM
> To: Group Study; Brian McGahan
> Subject: Re: vlan-map filters to deny IPX traffic
>
> I'd like to, except I don't have access to any 3550's until my next rack
> rental date which isn't until August 24.
>
> But, maybe you could tell me what would happen if I tested this. Also, to
> really test this wouldn't I need some source of IPX traffic? Or, is there
> a way to test this without having a source of IPX traffic?
>
> BTW, I found a listing of ethertypes at the link Marvin Greenlee posted a
> bit earlier:
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
>
> This listing is accurate, isn't it?
>
> Thanks
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Tuesday, August 10, 2004 8:47 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > Did you test it? :)
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie2be
> > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > To: Brian McGahan; Group Study
> > > Subject: Re: vlan-map filters to deny IPX traffic
> > >
> > > Jeez, I guess I'm still thinking from old ACRC course.
> > >
> > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be
> > > correct for the 3550?
> > >
> > > mac access-list extended NO-IPX
> > > deny any any 0x8137 0x0001
> > >
> > > Am I getting warm?
> > >
> > > Thanks, Tim
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > Subject: RE: vlan-map filters
> > >
> > >
> > > > What is the Ether-Type value for IPX?
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987 x 705
> > > > Outside US: 775-826-4344 x 705
> > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > ccie2be
> > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > To: Brian McGahan; Group Study
> > > > > Subject: Re: vlan-map filters
> > > > >
> > > > > Brian,
> > > > >
> > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the
> > > > > 3550 only supports IP and mac address acl's. Am I mistaken?
> > > > >
> > > > > Thanks,
> > > > > ----- Original Message -----
> > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > Subject: RE: vlan-map filters
> > > > >
> > > > >
> > > > > Tim,
> > > > >
> > > > > This type of question is really beyond the scope of the lab
> > > > > exam, as I highly doubt they want you to remember the LSAP values of
> > > > > the different protocols. Instead, this task is meant to be a slap on
> > > > > the wrist to show you how NOT to configure VACLs :)
> > > > >
> > > > > Normal ACL filtering dictates that you permit only what you
> > > > > want, and deny everything else. When using VACLs, you should deny
> > > > > what you don't want, and permit everything else. Otherwise you
> > > > > tend to forget all the necessary layer 2 protocols that are keeping
> > > > > the network alive.
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987 x 705
> > > > > Outside US: 775-826-4344 x 705
> > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > To: Group Study
> > > > > > Subject: vlan-map filters
> > > > > >
> > > > > > Hi guys,
> > > > > >
> > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > >
> > > > > > Problem:
> > > > > >
> > > > > > Allow only ip traffic on vlan 56, however, if other behind the
> > > > > > scenes traffic is NOT allowed, there'll be big trouble in Cisco lab city.
> > > > > >
> > > > > >
> > > > > > Solution:
> > > > > >
> > > > > > ip access-list extended IPONLY
> > > > > > permit ip any any
> > > > > > !
> > > > > > mac access-list extended IP_ARP
> > > > > > permit any any 0x806 0x0          <--- Can this be found on Doc CD?
> > > > > >
> > > > > > mac access-list extended IS-IS
> > > > > > permit any any lsap 0xFEFE 0x0    <--- Can this be found on Doc CD?
> > > > > >
> > > > > > mac access-list extended IEEE-STP
> > > > > > permit any any lsap 0x4242 0x0    <--- Can this be found on Doc CD?
> > > > > > !
> > > > > > vlan access-map IPONLY 10
> > > > > > action forward
> > > > > > match ip address IPONLY
> > > > > >
> > > > > > vlan access-map IPONLY 20
> > > > > > action forward
> > > > > > match mac address IP_ARP
> > > > > >
> > > > > > vlan access-map IPONLY 30
> > > > > > action forward
> > > > > > match mac address IS-IS
> > > > > >
> > > > > > vlan access-map IPONLY 40
> > > > > > action forward
> > > > > > match mac address IEEE-STP
> > > > > >
> > > > > > vlan access-map IPONLY 50
> > > > > > action drop
> > > > > > vlan filter IPONLY vlan-list 56
> > > > > >
> > > > > > vlan filter IPONLY vlan-list 56
> > > > > >
> > > > > > Question: Does anybody know where on the Doc-CD the codes used to
> > > > > > match these traffic types can be found? I've looked but came up empty.
> > > > > >
> > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that
> > > > > > a good idea?
> > > > > >
> > > > > > Thanks, Tim
> > > > > >
> > > > > >
> > > > >
> > > >
> >



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:41 GMT-3