From: Larry Metzger (larrymetzger@sbcglobal.net)
Date: Wed Aug 11 2004 - 14:00:40 GMT-3
Router 1 ---->3550 -----> Router 2
mac access-list extended ipx
deny any any 0x8137 0x0
deny any any 0x8138 0x0
!
!
vlan access-map no-ipx 10
action drop
match mac address ipx
vlan access-map no-ipx 20
action forward
vlan filter no-ipx vlan-list 300
***** deny any any 0x8137 0x1 (gets 8136 and 8137)
IPX Ping works fine with this configuration.
Debug IPX packet only shows the packet send and receive (no ethertype).
Did I miss something?
Larry
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
Sent: Tuesday, August 10, 2004 8:02 PM
To: Larry Metzger; 'Group Study'
Subject: Re: vlan-map filters to deny IPX traffic
Hey Larry,
1) Use a vlan map filter (see 1st post below).
2) Apply vlan map filter to vlan with "vlan filter <name of vlan map filter> vlan-list <vlan #>".
I think the ultimate way to test this is to have multiple devices connected to ports assigned the same vlan # where at least 2 devices are running ipx (a router can simulate an ipx device by doing an ipx ping) and 2 other devices are just running ip.
Before applying filter, make sure vlan successfully passes all traffic - ip and ipx.
Then apply filter and make sure that ipx traffic is blocked while ip traffic still passes.
I would also see, if possible, if the ethertype can be determined from doing a debug ipx packets (or some similar command - I don't know if there's actually a debug ipx packet command but guess there is or something similar).
If that's possible, that could come in handy one day. Although, since ipx is no longer included in lab, this type of thing probably wouldn't show up in the lab except possibly in the security portion.
HTH, Tim
----- Original Message -----
From: "Larry Metzger" <larrymetzger@sbcglobal.net>
To: "'Group Study'" <ccielab@groupstudy.com>
Sent: Tuesday, August 10, 2004 10:31 PM
Subject: RE: vlan-map filters to deny IPX traffic
> I set up the filter and configured my computer for IPX/SPX. What command is needed to see the switch blocking traffic?
>
> Larry
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Tuesday, August 10, 2004 6:19 PM
> To: Group Study; Brian McGahan
> Subject: Re: vlan-map filters to deny IPX traffic
>
> I'd like to, except I don't have access to any 3550's until my next rack rental date which isn't until August 24.
>
> But, maybe you could tell me what would happen if I tested this. Also, to really test this wouldn't I need some source of IPX traffic? Or, is there a way to test this without having a source of IPX traffic?
>
> BTW, I found a listing of ethertypes at the link Marvin Greenlee posted a bit earlier:
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
>
> This listing is accurate, isn't it?
>
> Thanks
> ----- Original Message -----
> From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> Sent: Tuesday, August 10, 2004 8:47 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > Did you test it? :)
> >
> > Brian McGahan, CCIE #8593
> > bmcgahan@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987 x 705
> > Outside US: 775-826-4344 x 705
> > 24/7 Support: http://forum.internetworkexpert.com
> > Live Chat: http://www.internetworkexpert.com/chat/
> >
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > To: Brian McGahan; Group Study
> > > Subject: Re: vlan-map filters to deny IPX traffic
> > >
> > > Jeez, I guess I'm still thinking from old ACRC course.
> > >
> > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be correct for the 3550?
> > >
> > > mac access-list extended NO-IPX
> > > deny any any 0x8137 0x0001
> > >
> > > Am I getting warm?
> > >
> > > Thanks, Tim
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > Subject: RE: vlan-map filters
> > >
> > >
> > > > What is the Ether-Type value for IPX?
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987 x 705
> > > > Outside US: 775-826-4344 x 705
> > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > To: Brian McGahan; Group Study
> > > > > Subject: Re: vlan-map filters
> > > > >
> > > > > Brian,
> > > > >
> > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the 3550 only supports IP and mac address acl's. Am I mistaken?
> > > > >
> > > > > Thanks,
> > > > > ----- Original Message -----
> > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > Subject: RE: vlan-map filters
> > > > >
> > > > >
> > > > > Tim,
> > > > >
> > > > > This type of question is really beyond the scope of the lab exam, as I highly doubt they want you to remember the LSAP values of the different protocols. Instead, this task is meant to be a slap on the wrist to show you how NOT to configure VACLs :)
> > > > >
> > > > > Normal ACL filtering dictates that you permit only what you want, and deny everything else. When using VACLs, you should deny what you don't want, and permit everything else. Otherwise you tend to forget all the necessary layer 2 protocols that are keeping the network alive.
> > > > >
> > > > >
> > > > > HTH,
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987 x 705
> > > > > Outside US: 775-826-4344 x 705
> > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > To: Group Study
> > > > > > Subject: vlan-map filters
> > > > > >
> > > > > > Hi guys,
> > > > > >
> > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > >
> > > > > > Problem:
> > > > > >
> > > > > > Allow only ip traffic on vlan 56, however, if other behind the scenes traffic is NOT allowed, there'll be big trouble in Cisco lab city.
> > > > > >
> > > > > >
> > > > > > Solution:
> > > > > >
> > > > > > ip access-list extended IPONLY
> > > > > > permit ip any any
> > > > > > !
> > > > > > mac access-list extended IP_ARP
> > > > > > permit any any 0x806 0x0 < --- Can this be found on Doc CD?
> > > > > >
> > > > > > mac access-list extended IS-IS
> > > > > > permit any any lsap 0xFEFE 0x0 < ---- Can this be found on Doc CD?
> > > > > >
> > > > > > mac access-list extended IEEE-STP
> > > > > > permit any any lsap 0x4242 0x0 < ---- Can this be found on Doc CD?
> > > > > > !
> > > > > > vlan access-map IPONLY 10
> > > > > > action forward
> > > > > > match ip address IPONLY
> > > > > >
> > > > > > vlan access-map IPONLY 20
> > > > > > action forward
> > > > > > match mac address IP_ARP
> > > > > >
> > > > > > vlan access-map IPONLY 30
> > > > > > action forward
> > > > > > match mac address IS-IS
> > > > > >
> > > > > > vlan access-map IPONLY 40
> > > > > > action forward
> > > > > > match mac address IEEE-STP
> > > > > >
> > > > > > vlan access-map IPONLY 50
> > > > > > action drop
> > > > > > vlan filter IPONLY vlan-list 56
> > > > > >
> > > > > > Question: Does anybody know where on the Doc-CD the codes used to match these traffic types can be found? I've looked but came up empty.
> > > > > >
> > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that a good idea?
> > > > > >
> > > > > > Thanks, Tim
> > > > > >
> > > > > >
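To make the two pitfalls in this thread concrete, here is an added Python model (not code from anyone in the thread) of a 3550-style mac ACL ethertype/mask entry and of sequential VLAN-map evaluation. It encodes the IOS VLAN-map rule that a match statement is satisfied only by a permit entry in the referenced ACL, while a deny entry just passes the frame on to the next map clause; the ACLs and ethertypes are constructed sample values taken from the configs quoted above.

```python
from dataclasses import dataclass


def ethertype_matches(value: int, mask: int, etype: int) -> bool:
    # 3550 mac ACL semantics: a 1 bit in the mask is "don't care".
    care = ~mask & 0xFFFF
    return (etype & care) == (value & care)


def ethertypes_matched(value: int, mask: int) -> list:
    # Every 16-bit ethertype a single (value, mask) entry covers, ascending.
    return [e for e in range(0x10000) if ethertype_matches(value, mask, e)]


@dataclass(frozen=True)
class MacAce:
    action: str   # "permit" or "deny"
    value: int    # ethertype
    mask: int     # wildcard mask


def acl_permits(acl: list, etype: int) -> bool:
    # First matching ACE decides; a frame no ACE matches hits the implicit deny.
    for ace in acl:
        if ethertype_matches(ace.value, ace.mask, etype):
            return ace.action == "permit"
    return False


def vlan_map_action(vmap: list, etype: int) -> str:
    # vmap is an ordered list of (acl, action); acl None is a clause without a
    # match statement. A clause fires only when its ACL *permits* the frame; a
    # deny ACE just hands the frame to the next clause. No clause -> implicit drop.
    for acl, action in vmap:
        if acl is None or acl_permits(acl, etype):
            return action
    return "drop"


# Larry's map as posted: the ACL "ipx" holds deny entries only.
IPX_DENY_ONLY = [MacAce("deny", 0x8137, 0x0), MacAce("deny", 0x8138, 0x0)]
NO_IPX_AS_POSTED = [(IPX_DENY_ONLY, "drop"), (None, "forward")]

# Same map with the ACL written as permit entries, so the drop clause can match.
IPX_PERMIT = [MacAce("permit", 0x8137, 0x0), MacAce("permit", 0x8138, 0x0)]
NO_IPX_PERMIT_FORM = [(IPX_PERMIT, "drop"), (None, "forward")]

if __name__ == "__main__":
    print("0x8137/0x1 covers", [hex(e) for e in ethertypes_matched(0x8137, 0x1)])
    print("0x8137/0xF covers", len(ethertypes_matched(0x8137, 0xF)), "ethertypes")
    for etype in (0x8137, 0x8138, 0x0800):
        print(hex(etype), "posted:", vlan_map_action(NO_IPX_AS_POSTED, etype),
              "permit form:", vlan_map_action(NO_IPX_PERMIT_FORM, etype))
```

The mask runs show why a single entry cannot cover exactly 0x8137 and 0x8138: 0x8137/0x1 reaches 0x8136 instead, and widening the mask to 0xF drags in the whole 0x8130-0x813F range.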
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:41 GMT-3