RE: vlan-map filters to deny IPX traffic

From: Larry Metzger (larrymetzger@sbcglobal.net)
Date: Wed Aug 11 2004 - 15:47:27 GMT-3


I caught that after I sent the e-mail. Made the change to permit and it
still allows pings.
Larry

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, August 11, 2004 11:45 AM
To: Larry Metzger; 'Group Study'
Subject: Re: vlan-map filters to deny IPX traffic

Yes. You made the same mistake that I did and probably most people make.

In your access list, you must PERMIT the traffic to be dropped.

PERMIT = select or match.

Once you specify the traffic in the acl with a PERMIT, you can drop it in
your vlan map filter.

To test this, configure ipx and ip on both routers. Make sure the ports
connected to both routers are in vlan 300.

Then do an ip ping and an ipx ping.

Out of curiosity, I'd like to know what happens if you use deny in your mac
access-list.

I'm sure it won't work, but I don't know if you'll get any error messages.

HTH, Tim
----- Original Message -----
From: "Larry Metzger" <larrymetzger@sbcglobal.net>
To: "'Group Study'" <ccielab@groupstudy.com>
Sent: Wednesday, August 11, 2004 1:00 PM
Subject: RE: vlan-map filters to deny IPX traffic

> Router 1 ---->3550 -----> Router 2
>
> mac access-list extended ipx
> deny any any 0x8137 0x0
> deny any any 0x8138 0x0
> !
> !
> vlan access-map no-ipx 10
> action drop
> match mac address ipx
> vlan access-map no-ipx 20
> action forward
> vlan filter no-ipx vlan-list 300
>
> ***** deny any any 0x8137 0x1 (gets 8136 and 8137)
>
> IPX Ping works fine with this configuration.
> Debug IPX packet only shows the packet send and receive (no ethertype).
>
> Did I miss something?
> Larry
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Tuesday, August 10, 2004 8:02 PM
> To: Larry Metzger; 'Group Study'
> Subject: Re: vlan-map filters to deny IPX traffic
>
> Hey Larry,
>
> 1) Use a vlan map filter (see 1st post below).
> 2) Apply vlan map filter to vlan with "vlan filter <name of vlan map filter>
> vlan-list <vlan #>".
>
> I think the ultimate way to test this is to have multiple devices connected
> to ports assigned the same vlan # where at least 2 devices are running ipx
> (a router can simulate an ipx device by doing an ipx ping) and 2 other
> devices are just running ip.
>
> Before applying filter, make sure vlan successfully passes all traffic - ip
> and ipx.
>
> Then apply filter and make sure that ipx traffic is blocked while ip traffic
> still passes.
>
> I would also see, if possible, if the ethertype can be determined from doing
> a debug ipx packets (or some similar command - I don't know if there's
> actually a debug ipx packet command but guess there is or something similar).
>
> If that's possible, that could come in handy one day. Although, since ipx
> is no longer included in lab, this type of thing probably wouldn't show up
> in the lab except possibly in the security portion.
>
> HTH, Tim
>
>
> ----- Original Message -----
> From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> To: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Tuesday, August 10, 2004 10:31 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > I set up the filter and configured my computer for IPX/SPX. What command
> > is needed to see the switch blocking traffic?
> >
> > Larry
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Tuesday, August 10, 2004 6:19 PM
> > To: Group Study; Brian McGahan
> > Subject: Re: vlan-map filters to deny IPX traffic
> >
> > I'd like to except I don't have access to any 3550's until my next rack
> > rental date which isn't until August 24.
> >
> > But, maybe you could tell me what would happen if I tested this. Also,
> > to really test this wouldn't I need some source of IPX traffic? Or, is
> > there a way to test this without having a source of IPX traffic?
> >
> > BTW, I found a listing of ethertypes at the link Marvin Greenlee posted
> > a bit earlier:
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
> >
> > This listing is accurate, isn't it?
> >
> > Thanks
> > ----- Original Message -----
> > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > <ccielab@groupstudy.com>
> > Sent: Tuesday, August 10, 2004 8:47 PM
> > Subject: RE: vlan-map filters to deny IPX traffic
> >
> >
> > > Did you test it? :)
> > >
> > > Brian McGahan, CCIE #8593
> > > bmcgahan@internetworkexpert.com
> > >
> > > Internetwork Expert, Inc.
> > > http://www.InternetworkExpert.com
> > > Toll Free: 877-224-8987 x 705
> > > Outside US: 775-826-4344 x 705
> > > 24/7 Support: http://forum.internetworkexpert.com
> > > Live Chat: http://www.internetworkexpert.com/chat/
> > >
> > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > > To: Brian McGahan; Group Study
> > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > >
> > > > Jeez, I guess I'm still thinking from old ACRC course.
> > > >
> > > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be
> > > > correct for the 3550?
> > > >
> > > > mac access-list extended NO-IPX
> > > > deny any any 0x8137 0x0001
> > > >
> > > > Am I getting warm?
> > > >
> > > > Thanks, Tim
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > <ccielab@groupstudy.com>
> > > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > > Subject: RE: vlan-map filters
> > > >
> > > >
> > > > > What is the Ether-Type value for IPX?
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987 x 705
> > > > > Outside US: 775-826-4344 x 705
> > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > > To: Brian McGahan; Group Study
> > > > > > Subject: Re: vlan-map filters
> > > > > >
> > > > > > Brian,
> > > > > >
> > > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought
> > > > > > the 3550 only supports IP and mac address acl's. Am I mistaken?
> > > > > >
> > > > > > Thanks,
> > > > > > ----- Original Message -----
> > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > > > <ccielab@groupstudy.com>
> > > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > > Subject: RE: vlan-map filters
> > > > > >
> > > > > >
> > > > > > Tim,
> > > > > >
> > > > > > This type of question is really beyond the scope of the lab
> > > > > > exam, as I highly doubt they want you to remember the LSAP values of
> > > > > > the different protocols. Instead, this task is meant to be a slap on
> > > > > > the wrist to show you how NOT to configure VACLs :)
> > > > > >
> > > > > > Normal ACL filtering dictates that you permit only what you
> > > > > > want, and deny everything else. When using VACLs, you should deny
> > > > > > what you don't want, and permit everything else. Otherwise you tend
> > > > > > to forget all the necessary layer 2 protocols that are keeping the
> > > > > > network alive.
> > > > > >
> > > > > >
> > > > > > HTH,
> > > > > >
> > > > > > Brian McGahan, CCIE #8593
> > > > > > bmcgahan@internetworkexpert.com
> > > > > >
> > > > > > Internetwork Expert, Inc.
> > > > > > http://www.InternetworkExpert.com
> > > > > > Toll Free: 877-224-8987 x 705
> > > > > > Outside US: 775-826-4344 x 705
> > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > > ccie2be
> > > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > > To: Group Study
> > > > > > > Subject: vlan-map filters
> > > > > > >
> > > > > > > Hi guys,
> > > > > > >
> > > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > > >
> > > > > > > Problem:
> > > > > > >
> > > > > > > Allow only ip traffic on vlan 56, however, if other behind the
> > > > > > > scenes traffic is NOT allowed, there'll be big trouble in Cisco lab
> > > > > > > city.
> > > > > > >
> > > > > > >
> > > > > > > Solution:
> > > > > > >
> > > > > > > ip access-list extended IPONLY
> > > > > > > permit ip any any
> > > > > > > !
> > > > > > > mac access-list extended IP_ARP
> > > > > > > permit any any 0x806 0x0 < --- Can this be found on Doc CD?
> > > > > > >
> > > > > > > mac access-list extended IS-IS
> > > > > > > permit any any lsap 0xFEFE 0x0 < ---- Can this be found on Doc CD?
> > > > > > >
> > > > > > > mac access-list extended IEEE-STP
> > > > > > > permit any any lsap 0x4242 0x0 < ---- Can this be found on Doc CD?
> > > > > > > !
> > > > > > > vlan access-map IPONLY 10
> > > > > > > action forward
> > > > > > > match ip address IPONLY
> > > > > > >
> > > > > > > vlan access-map IPONLY 20
> > > > > > > action forward
> > > > > > > match mac address IP_ARP
> > > > > > >
> > > > > > > vlan access-map IPONLY 30
> > > > > > > action forward
> > > > > > > match mac address IS-IS
> > > > > > >
> > > > > > > vlan access-map IPONLY 40
> > > > > > > action forward
> > > > > > > match mac address IEEE-STP
> > > > > > >
> > > > > > > vlan access-map IPONLY 50
> > > > > > > action drop
> > > > > > > vlan filter IPONLY vlan-list 56
> > > > > > >
> > > > > > > Question: Does anybody know where on the Doc-CD the codes used to
> > > > > > > match these traffic types can be found? I've looked but came up
> > > > > > > empty.
> > > > > > >
> > > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that
> > > > > > > a good idea?
> > > > > > >
> > > > > > > Thanks, Tim
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > >
> >
>
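Added example, not from any post in this thread: a small model of how a 3550 evaluates a vlan access-map, run over the two configurations the thread discusses (Larry's no-ipx map with deny vs. permit in the MAC ACL, and Tim's IPONLY map with its CDP question) plus the 0x8137 0x1 mask remark. Assumed, not stated by the posters: set mask bits are don't-care bits, "match ip address" is consulted only for IP frames and "match mac address" only for non-IP frames, and a frame matching no sequence is dropped.

```python
# Added example, not from the thread: a small model of 3550 VLAN-map evaluation.
# Assumptions (not from the posts): set mask bits are don't-care bits,
# "match ip address" is consulted only for IP frames and "match mac address" only
# for non-IP frames, and a frame that matches no sequence is dropped.
IP_ETHERTYPE = 0x0800

def acl_permits(acl, frame):
    """First-match evaluation of an ACL given as (action, kind, value, mask)
    entries; kind is 'ethertype' or 'lsap'; implicit deny at the end.
    'permit' means 'this frame is selected', not 'this frame is allowed'."""
    for action, kind, value, mask in acl:
        if kind in frame and (frame[kind] & ~mask) == (value & ~mask):
            return action == "permit"
    return False

def vlan_map(access_map, acls, frame):
    """Walk a vlan access-map in sequence order; each entry is (action, match)
    with match None (no match clause = everything), ('ip', acl) or ('mac', acl).
    Returns 'forward' or 'drop'."""
    is_ip = frame.get("ethertype") == IP_ETHERTYPE
    for action, match in access_map:
        if match is None:
            return action
        kind, name = match
        if (kind == "ip") == is_ip and acl_permits(acls[name], frame):
            return action
    return "drop"

# Constructed sample frames, reduced to the one field an ACL looks at.
IPX, IP, ARP = {"ethertype": 0x8137}, {"ethertype": 0x0800}, {"ethertype": 0x0806}
STP, ISIS, CDP = {"lsap": 0x4242}, {"lsap": 0xFEFE}, {"lsap": 0xAAAA}

# Larry's map as posted (deny in the ACL) and Tim's correction (permit in the ACL).
ACLS_DENY = {"ipx": [("deny", "ethertype", 0x8137, 0x0), ("deny", "ethertype", 0x8138, 0x0)]}
ACLS_PERMIT = {"ipx": [("permit", "ethertype", 0x8137, 0x0), ("permit", "ethertype", 0x8138, 0x0)]}
NO_IPX = [("drop", ("mac", "ipx")), ("forward", None)]

# The IPONLY map from the first post; CDP (SNAP, LSAP 0xAA) is in none of its lists.
ACLS_IPONLY = {"IPONLY": [("permit", "ethertype", 0x0800, 0x0)],   # permit ip any any
               "IP_ARP": [("permit", "ethertype", 0x0806, 0x0)],
               "IS-IS": [("permit", "lsap", 0xFEFE, 0x0)],
               "IEEE-STP": [("permit", "lsap", 0x4242, 0x0)]}
IPONLY = [("forward", ("ip", "IPONLY")), ("forward", ("mac", "IP_ARP")),
          ("forward", ("mac", "IS-IS")), ("forward", ("mac", "IEEE-STP")), ("drop", None)]

if __name__ == "__main__":
    print("deny-in-ACL map, IPX ping:", vlan_map(NO_IPX, ACLS_DENY, IPX))      # forward
    print("permit-in-ACL map, IPX ping:", vlan_map(NO_IPX, ACLS_PERMIT, IPX))  # drop
    print("IPONLY map, CDP:", vlan_map(IPONLY, ACLS_IPONLY, CDP))              # drop
```

With deny entries the ACL selects nothing, so sequence 10 never applies and sequence 20 forwards the IPX ping, which is exactly what Larry observed.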



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:41 GMT-3