From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Aug 11 2004 - 11:12:02 GMT-3
Tim,
It's not really "simulating" IPX traffic, it is IPX traffic.
Like when you ping IP from a router, is it real IP? ;) So yes you could
ping via IPX, enable some IPX routing protocols, do an IPX trace, etc.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Wednesday, August 11, 2004 6:04 AM
> To: Brian McGahan; Group Study
> Subject: Re: vlan-map filters to deny IPX traffic
>
> Brian,
>
> Thank you.
>
> That debug confirmed one of the ethertypes for IPX, pkt type 0x8137, but
> not 0x8138. I guess I need to know (or just assume) that these ethertypes
> work in pairs, right?
>
> OK, so, now that the ethertype is confirmed, how can I verify ** IN THE
> REAL LAB ** that the vlan map & acl were correctly configured? Would I
> need devices running IPX or could I just simulate IPX devices with ipx
> pings?
>
> Tim
>
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Wednesday, August 11, 2004 12:21 AM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> Tim,
>
> You mean you don't remember the good ol' days of IPX routing? :)
>
> R1(config)#ipx routing 1.1.1
> R1(config)#int s0/0
> R1(config-if)#encap frame
> R1(config-if)#ipx network 1
> R1(config-if)#no shut
> Router(config-if)#end
> Router#debug frame-relay packet
> Frame Relay packet debugging is on
> Router#
> Router#show fram map
> Serial0/0 (up): ipx 1.0002.0002.0002 dlci 102(0xC9,0x3090), dynamic,
> broadcast,, status defined, active
> Router#ping ipx 1.2.2.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte IPX Novell Echoes to 1.0002.0002.0002, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
> Router#
> *Mar 1 09:00:22.048: Serial0/0(o): dlci 102(0x1861), pkt type 0x8137(NOVELL), datagramsize 104
> *Mar 1 09:00:22.052: Serial0/0(i): dlci 102(0x1861), pkt type 0x8137, datagramsize 104
>
> Based on this you can see that the LSAP is 0x8137. Your filter
> is correct. You would want to deny 0x8137 and 0x8138, and permit
> everything else. However, I would recommend that you keep the permit or
> deny logic in the VLAN access-map, not in the access-list, like below:
>
> mac access-list extended NO-IPX
>  permit any any 0x8137 0x0001
> !
> vlan access-map NO-IPX 10
>  match mac address NO-IPX
>  action drop
> !
> vlan access-map NO-IPX 20
>  action forward
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
>
>
> > -----Original Message-----
> > From: ccie2be [mailto:ccie2be@nyc.rr.com]
> > Sent: Tuesday, August 10, 2004 8:19 PM
> > To: Group Study; Brian McGahan
> > Subject: Re: vlan-map filters to deny IPX traffic
> >
> > I'd like to, except I don't have access to any 3550's until my next rack
> > rental date which isn't until August 24.
> >
> > But, maybe you could tell me what would happen if I tested this. Also, to
> > really test this wouldn't I need some source of IPX traffic? Or, is there
> > a way to test this without having a source of IPX traffic?
> >
> > BTW, I found a listing of ethertypes at the link Marvin Greenlee posted a
> > bit earlier:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
> >
> > This listing is accurate, isn't it?
> >
> > Thanks
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > Sent: Tuesday, August 10, 2004 8:47 PM
> > Subject: RE: vlan-map filters to deny IPX traffic
> >
> >
> > > Did you test it? :)
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > > To: Brian McGahan; Group Study
> > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > >
> > > > Jeez, I guess I'm still thinking from old ACRC course.
> > > >
> > > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be
> > > > correct for the 3550?
> > > >
> > > > mac access-list extended NO-IPX
> > > > deny any any 0x8137 0x0001
> > > >
> > > > Am I getting warm?
> > > >
> > > > Thanks, Tim
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > > Subject: RE: vlan-map filters
> > > >
> > > >
> > > > > What is the Ether-Type value for IPX?
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > > To: Brian McGahan; Group Study
> > > > > > Subject: Re: vlan-map filters
> > > > > >
> > > > > > Brian,
> > > > > >
> > > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the
> > > > > > 3550 only supports IP and mac address acl's. Am I mistaken?
> > > > > >
> > > > > > Thanks,
> > > > > > ----- Original Message -----
> > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > > Subject: RE: vlan-map filters
> > > > > >
> > > > > >
> > > > > > Tim,
> > > > > >
> > > > > > This type of question is really beyond the scope of the lab
> > > > > > exam, as I highly doubt they want you to remember the LSAP values of the
> > > > > > different protocols. Instead, this task is meant to be a slap on the
> > > > > > wrist to show you how NOT to configure VACLs :)
> > > > > >
> > > > > > Normal ACL filtering dictates that you permit only what you
> > > > > > want, and deny everything else. When using VACLs, you should deny what
> > > > > > you don't want, and permit everything else. Otherwise you tend to
> > > > > > forget all the necessary layer 2 protocols that are keeping the network
> > > > > > alive.
> > > > > >
> > > > > >
> > > > > > HTH,
> > > > > >
> > > > > > Brian McGahan, CCIE #8593
> > > > > > bmcgahan@internetworkexpert.com
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > > To: Group Study
> > > > > > > Subject: vlan-map filters
> > > > > > >
> > > > > > > Hi guys,
> > > > > > >
> > > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > > >
> > > > > > > Problem:
> > > > > > >
> > > > > > > Allow only ip traffic on vlan 56, however, if other behind the scenes
> > > > > > > traffic is NOT allowed, there'll be big trouble in Cisco lab city.
> > > > > > >
> > > > > > >
> > > > > > > Solution:
> > > > > > >
> > > > > > > ip access-list extended IPONLY
> > > > > > >  permit ip any any
> > > > > > > !
> > > > > > > mac access-list extended IP_ARP
> > > > > > >  permit any any 0x806 0x0        <--- Can this be found on Doc CD?
> > > > > > >
> > > > > > > mac access-list extended IS-IS
> > > > > > >  permit any any lsap 0xFEFE 0x0  <--- Can this be found on Doc CD?
> > > > > > >
> > > > > > > mac access-list extended IEEE-STP
> > > > > > >  permit any any lsap 0x4242 0x0  <--- Can this be found on Doc CD?
> > > > > > > !
> > > > > > > vlan access-map IPONLY 10
> > > > > > >  action forward
> > > > > > >  match ip address IPONLY
> > > > > > >
> > > > > > > vlan access-map IPONLY 20
> > > > > > >  action forward
> > > > > > >  match mac address IP_ARP
> > > > > > >
> > > > > > > vlan access-map IPONLY 30
> > > > > > >  action forward
> > > > > > >  match mac address IS-IS
> > > > > > >
> > > > > > > vlan access-map IPONLY 40
> > > > > > >  action forward
> > > > > > >  match mac address IEEE-STP
> > > > > > >
> > > > > > > vlan access-map IPONLY 50
> > > > > > >  action drop
> > > > > > >
> > > > > > > vlan filter IPONLY vlan-list 56
> > > > > > > Question: Does anybody know where on the Doc-CD the codes used to match
> > > > > > > these traffic types can be found? I've looked but came up empty.
> > > > > > >
> > > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that a
> > > > > > > good idea?
> > > > > > >
> > > > > > > Thanks, Tim
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > >
>
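The two VLAN maps from this thread, evaluated against a few constructed frames, as an added example that is not part of the original messages or of any Cisco code. It assumes a type/LSAP mask marks don't-care bits (so `0x0` is an exact match), that the first matching sequence decides the action, and it stands in EtherType 0x0800 for `match ip address IPONLY`; the function names are hypothetical.

```python
# Added model of VLAN access-map evaluation; not Cisco code.
# Assumption: a type/LSAP mask marks don't-care bits (0x0 = exact match),
# and the first matching sequence decides the action.

def covers(value, mask, observed):
    """True if `observed` equals `value` on every bit the mask does not ignore."""
    return (observed & ~mask & 0xFFFF) == (value & ~mask & 0xFFFF)

# Each sequence: (action, [(field, value, mask), ...]); an empty list matches all.
IPONLY = [  # permit-list map from the original question
    ("forward", [("type", 0x0800, 0x0)]),   # stands in for "match ip address IPONLY"
    ("forward", [("type", 0x0806, 0x0)]),   # IP_ARP
    ("forward", [("lsap", 0xFEFE, 0x0)]),   # IS-IS
    ("forward", [("lsap", 0x4242, 0x0)]),   # IEEE-STP
    ("drop", []),                           # sequence 50: drop everything else
]
NO_IPX = [  # deny-list map from the reply
    ("drop", [("type", 0x8137, 0x0001)]),
    ("forward", []),                        # sequence 20: forward everything else
]

def evaluate(access_map, field, observed):
    """Return the action of the first sequence whose match clause fits the frame."""
    for action, clauses in access_map:
        if not clauses or any(f == field and covers(v, m, observed)
                              for f, v, m in clauses):
            return action
    raise ValueError("map has no catch-all sequence")

# Constructed sample frames: (label, field the ACL would test, value).
# CDP is SNAP-encapsulated with protocol type 0x2000.
FRAMES = [
    ("IPv4", "type", 0x0800), ("ARP", "type", 0x0806),
    ("STP", "lsap", 0x4242), ("CDP", "type", 0x2000),
    ("IPX 0x8137", "type", 0x8137), ("IPX 0x8138", "type", 0x8138),
]

def verdicts(access_map):
    """Map each sample frame label to the action the access map takes on it."""
    return {label: evaluate(access_map, field, val) for label, field, val in FRAMES}

if __name__ == "__main__":
    for name, amap in (("IPONLY", IPONLY), ("NO-IPX", NO_IPX)):
        print(name, verdicts(amap))
```

Under this mask model the permit-list map drops CDP while the deny-list map leaves it alone, and `0x8137 0x0001` covers only 0x8136 and 0x8137. Covering 0x8138 as well would take a second entry or a wider mask, which is worth confirming with `ping ipx` on the lab switch.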
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:41 GMT-3