From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Aug 11 2004 - 16:47:11 GMT-3
Really, this doesn't work?
Could you post your configs from the routers and 3550?
Also, what command are you using for the ipx pings?
----- Original Message -----
From: "Larry Metzger" <larrymetzger@sbcglobal.net>
To: "'Group Study'" <ccielab@groupstudy.com>
Sent: Wednesday, August 11, 2004 2:47 PM
Subject: RE: vlan-map filters to deny IPX traffic
> I caught that after I sent the e-mail. Made the change to permit and it
> still allows pings.
> Larry
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Wednesday, August 11, 2004 11:45 AM
> To: Larry Metzger; 'Group Study'
> Subject: Re: vlan-map filters to deny IPX traffic
>
> Yes. You made the same mistake that I did and probably most people make.
>
> In your access list, you must PERMIT the traffic to be dropped.
>
> PERMIT = select or match.
>
> Once you specify the traffic in the acl with a PERMIT, you can drop it in
> your vlan map filter.
>
> To test this, configure ipx and ip on both routers. Make sure the ports
> connected to both routers are in vlan 300.
>
> Then do an ip ping and an ipx ping.
>
> Out of curiosity, I'd like to know what happens if you use deny in your mac
> access-list.
>
> I'm sure it won't work, but I don't know if you'll get any error messages.
>
> HTH, Tim
> ----- Original Message -----
> From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> To: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Wednesday, August 11, 2004 1:00 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > Router 1 ---->3550 -----> Router 2
> >
> > mac access-list extended ipx
> > deny any any 0x8137 0x0
> > deny any any 0x8138 0x0
> > !
> > !
> > vlan access-map no-ipx 10
> > action drop
> > match mac address ipx
> > vlan access-map no-ipx 20
> > action forward
> > vlan filter no-ipx vlan-list 300
> >
> > ***** deny any any 0x8137 0x1 (gets 8136 and 8137)
> >
> > IPX Ping works fine with this configuration.
> > Debug IPX packet only shows the packet send and receive (no ethertype).
> >
> > Did I miss something?
> > Larry
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > Sent: Tuesday, August 10, 2004 8:02 PM
> > To: Larry Metzger; 'Group Study'
> > Subject: Re: vlan-map filters to deny IPX traffic
> >
> > Hey Larry,
> >
> > 1) Use a vlan map filter (see 1st post below).
> > 2) Apply vlan map filter to vlan with "vlan filter <name of vlan map filter> vlan-list <vlan #>".
> >
> > I think the ultimate way to test this is to have multiple devices connected
> > to ports assigned the same vlan # where at least 2 devices are running ipx
> > (a router can simulate an ipx device by doing an ipx ping) and 2 other
> > devices are just running ip.
> >
> > Before applying filter, make sure vlan successfully passes all traffic - ip and ipx.
> >
> > Then apply filter and make sure that ipx traffic is blocked while ip traffic
> > still passes.
> >
> > I would also see, if possible, if the ethertype can be determined from doing
> > a debug ipx packets (or some similar command - I don't know if there's
> > actually a debug ipx packet command but guess there is or something similar).
> >
> > If that's possible, that could come in handy one day. Although, since ipx
> > is no longer included in lab, this type of thing probably wouldn't show up
> > in the lab except possibly in the security portion.
> >
> > HTH, Tim
> >
> >
> > ----- Original Message -----
> > From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> > To: "'Group Study'" <ccielab@groupstudy.com>
> > Sent: Tuesday, August 10, 2004 10:31 PM
> > Subject: RE: vlan-map filters to deny IPX traffic
> >
> >
> > > I set up the filter and configured my computer for IPX/SPX. What command
> > > is needed to see the switch blocking traffic?
> > >
> > > Larry
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > Sent: Tuesday, August 10, 2004 6:19 PM
> > > To: Group Study; Brian McGahan
> > > Subject: Re: vlan-map filters to deny IPX traffic
> > >
> > > I'd like to, except I don't have access to any 3550's until my next rack
> > > rental date which isn't until August 24.
> > >
> > > But, maybe you could tell me what would happen if I tested this. Also, to
> > > really test this wouldn't I need some source of IPX traffic? Or, is there a
> > > way to test this without having a source of IPX traffic?
> > >
> > > BTW, I found a listing of ethertypes at the link Marvin Greenlee posted a
> > > bit earlier:
> > >
> > > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
> > >
> > > This listing is accurate, isn't it?
> > >
> > > Thanks
> > > ----- Original Message -----
> > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 8:47 PM
> > > Subject: RE: vlan-map filters to deny IPX traffic
> > >
> > >
> > > > Did you test it? :)
> > > >
> > > > Brian McGahan, CCIE #8593
> > > > bmcgahan@internetworkexpert.com
> > > >
> > > > Internetwork Expert, Inc.
> > > > http://www.InternetworkExpert.com
> > > > Toll Free: 877-224-8987 x 705
> > > > Outside US: 775-826-4344 x 705
> > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > > > To: Brian McGahan; Group Study
> > > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > > >
> > > > > Jeez, I guess I'm still thinking from old ACRC course.
> > > > >
> > > > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be correct
> > > > > for the 3550?
> > > > >
> > > > > mac access-list extended NO-IPX
> > > > > deny any any 0x8137 0x0001
> > > > >
> > > > > Am I getting warm?
> > > > >
> > > > > Thanks, Tim
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > > > Subject: RE: vlan-map filters
> > > > >
> > > > >
> > > > > > What is the Ether-Type value for IPX?
> > > > > >
> > > > > > Brian McGahan, CCIE #8593
> > > > > > bmcgahan@internetworkexpert.com
> > > > > >
> > > > > > Internetwork Expert, Inc.
> > > > > > http://www.InternetworkExpert.com
> > > > > > Toll Free: 877-224-8987 x 705
> > > > > > Outside US: 775-826-4344 x 705
> > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > > > To: Brian McGahan; Group Study
> > > > > > > Subject: Re: vlan-map filters
> > > > > > >
> > > > > > > Brian,
> > > > > > >
> > > > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the 3550
> > > > > > > only supports IP and mac address acl's. Am I mistaken?
> > > > > > >
> > > > > > > Thanks,
> > > > > > > ----- Original Message -----
> > > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > > > Subject: RE: vlan-map filters
> > > > > > >
> > > > > > >
> > > > > > > Tim,
> > > > > > >
> > > > > > > > This type of question is really beyond the scope of the lab
> > > > > > > > exam, as I highly doubt they want you to remember the LSAP values of the
> > > > > > > > different protocols. Instead, this task is meant to be a slap on the
> > > > > > > > wrist to show you how NOT to configure VACLs :)
> > > > > > > >
> > > > > > > > Normal ACL filtering dictates that you permit only what you
> > > > > > > > want, and deny everything else. When using VACLs, you should deny what
> > > > > > > > you don't want, and permit everything else. Otherwise you tend to
> > > > > > > > forget all the necessary layer 2 protocols that are keeping the network
> > > > > > > > alive.
> > > > > > >
> > > > > > >
> > > > > > > HTH,
> > > > > > >
> > > > > > > Brian McGahan, CCIE #8593
> > > > > > > bmcgahan@internetworkexpert.com
> > > > > > >
> > > > > > > Internetwork Expert, Inc.
> > > > > > > http://www.InternetworkExpert.com
> > > > > > > Toll Free: 877-224-8987 x 705
> > > > > > > Outside US: 775-826-4344 x 705
> > > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> > > > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > > > To: Group Study
> > > > > > > > Subject: vlan-map filters
> > > > > > > >
> > > > > > > > Hi guys,
> > > > > > > >
> > > > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > > > >
> > > > > > > > Problem:
> > > > > > > >
> > > > > > > > > Allow only ip traffic on vlan 56, however, if other behind the scenes traffic
> > > > > > > > > is NOT allowed, there'll be big trouble in Cisco lab city.
> > > > > > > >
> > > > > > > >
> > > > > > > > Solution:
> > > > > > > >
> > > > > > > > > ip access-list extended IPONLY
> > > > > > > > > permit ip any any
> > > > > > > > > !
> > > > > > > > > mac access-list extended IP_ARP
> > > > > > > > > permit any any 0x806 0x0 <--- Can this be found on Doc CD?
> > > > > > > > >
> > > > > > > > > mac access-list extended IS-IS
> > > > > > > > > permit any any lsap 0xFEFE 0x0 <--- Can this be found on Doc CD?
> > > > > > > > >
> > > > > > > > > mac access-list extended IEEE-STP
> > > > > > > > > permit any any lsap 0x4242 0x0 <--- Can this be found on Doc CD?
> > > > > > > > > !
> > > > > > > > > vlan access-map IPONLY 10
> > > > > > > > > action forward
> > > > > > > > > match ip address IPONLY
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 20
> > > > > > > > > action forward
> > > > > > > > > match mac address IP_ARP
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 30
> > > > > > > > > action forward
> > > > > > > > > match mac address IS-IS
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 40
> > > > > > > > > action forward
> > > > > > > > > match mac address IEEE-STP
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 50
> > > > > > > > > action drop
> > > > > > > > >
> > > > > > > > > vlan filter IPONLY vlan-list 56
> > > > > > > >
> > > > > > > > > Question: Does anybody know where on the Doc-CD the codes used to match these
> > > > > > > > > traffic types can be found? I've looked but came up empty.
> > > > > > > > >
> > > > > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that a good
> > > > > > > > > idea?
> > > > > > > >
> > > > > > > > Thanks, Tim
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > >
> > >
> >
> _______________________________________________________________________
> > > > > > > > Please help support GroupStudy by purchasing your study
> > > > materials
> > > > > > > from:
> > > > > > > > http://shop.groupstudy.com
> > > > > > > >
> > > > > > > > Subscription information may be found at:
> > > > > > > > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:41 GMT-3
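
Added example (not part of the original thread or of any poster's configuration): a small Python model of the rule discussed above, that a permit entry in the MAC ACL selects frames for the vlan access-map action while a deny entry leaves them to the next map sequence, together with the mask behaviour from the "0x8137 0x1" note. The function names, tuple layout and sample EtherTypes are assumptions of this sketch; it models EtherType matching only and does not emulate the 3550.

```python
# Added illustration; names and data layout are assumptions, not Cisco code.

def ace_matches(ethertype, value, mask):
    """True if ethertype equals value on every bit the mask does not ignore.

    Mask bits set to 1 are "don't care", as in the thread's note that
    0x8137 with mask 0x1 covers 0x8136 and 0x8137.
    """
    care = ~mask & 0xFFFF
    return (ethertype & care) == (value & care)


def acl_selects(acl, ethertype):
    """First matching ACE decides: permit selects the frame, deny does not."""
    for verdict, value, mask in acl:
        if ace_matches(ethertype, value, mask):
            return verdict == "permit"
    return False  # implicit deny at the end of the ACL: not selected


def vlan_map_action(vlan_map, ethertype):
    """Return the action of the first map sequence that selects the frame."""
    for _seq, action, acl in sorted(vlan_map, key=lambda entry: entry[0]):
        # A sequence with no match clause (acl is None) selects every frame.
        if acl is None or acl_selects(acl, ethertype):
            return action
    return "no-match"  # the platform default would apply; not modelled here


def no_ipx(acl):
    """The thread's 'no-ipx' map: seq 10 drops what the ACL selects, seq 20 forwards."""
    return [(10, "drop", acl), (20, "forward", None)]


# Constructed ACLs mirroring the thread: (verdict, EtherType value, mask).
ACL_DENY = [("deny", 0x8137, 0x0), ("deny", 0x8138, 0x0)]        # as first posted
ACL_PERMIT = [("permit", 0x8137, 0x0), ("permit", 0x8138, 0x0)]  # PERMIT = match
ACL_MASKED = [("permit", 0x8137, 0x1)]                           # single masked ACE

if __name__ == "__main__":
    for name, acl in (("deny", ACL_DENY), ("permit", ACL_PERMIT), ("masked", ACL_MASKED)):
        for et in (0x0806, 0x8136, 0x8137, 0x8138):
            print(f"{name:7} 0x{et:04X} -> {vlan_map_action(no_ipx(acl), et)}")
```

In this model a frame whose type field is not 0x8137 or 0x8138 is never selected by these entries, whichever verdict they use, so it always reaches sequence 20.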