From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Aug 11 2004 - 18:48:40 GMT-3
Larry,
To generate an IPX ping, you need to use "ping ipx <addr>". Notice the IPX
following the ping.
Also, your mac acl isn't quite right.
It should be:
mac access-list extended <name>
permit any any 0x8137 0x0001
The mask allows for both 8137 and 8138.
Try this and let me know what happens.
HTH, Tim
----- Original Message -----
From: "Larry Metzger" <larrymetzger@sbcglobal.net>
To: "'ccie2be'" <ccie2be@nyc.rr.com>
Sent: Wednesday, August 11, 2004 4:50 PM
Subject: RE: vlan-map filters to deny IPX traffic
> bb1#sh ipx int
> Ethernet0 is up, line protocol is up
> IPX address is 1.00e0.1e42.7e94, NOVELL-ETHER [up]
>
> bb3#sh ipx int
> Ethernet1 is up, line protocol is up
> IPX address is 1.0010.7b3c.2c47, NOVELL-ETHER [up]
> *****************************
> bb1#ping 1.0010.7b3c.2c47
> Translating "1.0010.7b3c.2c47"
> Type escape sequence to abort.
> Sending 5, 100-byte IPX Novell Echoes to 1.0010.7b3c.2c47, timeout is 2
> seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
> ----To be safe I also did -----
> bb1#ping
> Protocol [ip]: ipx
> Target IPX address: 1.0010.7b3c.2c47
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Verbose [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte IPX Novell Echoes to 1.0010.7b3c.2c47, timeout is 2
> seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
> *****************************
> Switch 3550
> mac access-list extended ipx
> permit any any 0x8138 0x1
> permit any any 0x8136 0x1
> !
> vlan access-map no-ipx 10
> action drop
> match mac address ipx
> vlan access-map no-ipx 20
> action forward
> vlan filter no-ipx vlan-list 300
> !
> interface FastEthernet0/15
> switchport access vlan 300
> no ip address
> !
> interface FastEthernet0/19
> switchport access vlan 300
> no ip address
> !
> ***********************
> ***********************
> I can ipx ping with the mac access-list. I changed the mac access-list
> to make sure things were working (permit any any) and all traffic was
> blocked on vlan 300.
>
> Let me know if you see something crazy.
>
> Larry
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Wednesday, August 11, 2004 12:47 PM
> To: Larry Metzger; 'Group Study'
> Subject: Re: vlan-map filters to deny IPX traffic
>
> Really, this doesn't work?
>
> Could you post your configs from the routers and 3550?
>
> Also, what command are you using for the ipx pings?
>
>
> ----- Original Message -----
> From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> To: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Wednesday, August 11, 2004 2:47 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > I caught that after I sent the e-mail. Made the change to permit and it
> > still allows pings.
> > Larry
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Wednesday, August 11, 2004 11:45 AM
> > To: Larry Metzger; 'Group Study'
> > Subject: Re: vlan-map filters to deny IPX traffic
> >
> > Yes. You made the same mistake that I did and probably most people make.
> >
> > In your access list, you must PERMIT the traffic to be dropped.
> >
> > PERMIT = select or match.
> >
> > Once you specify the traffic in the acl with a PERMIT, you can drop it in
> > your vlan map filter.
> >
> > To test this, configure ipx and ip on both routers. Make sure the ports
> > connected to both routers are in vlan 300.
> >
> > Then do an ip ping and an ipx ping.
> >
> > Out of curiosity, I'd like to know what happens if you use deny in your
> > mac access-list.
> >
> > I'm sure it won't work, but I don't know if you'll get any error messages.
> >
> > HTH, Tim
> > ----- Original Message -----
> > From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> > To: "'Group Study'" <ccielab@groupstudy.com>
> > Sent: Wednesday, August 11, 2004 1:00 PM
> > Subject: RE: vlan-map filters to deny IPX traffic
> >
> >
> > > Router 1 ---->3550 -----> Router 2
> > >
> > > mac access-list extended ipx
> > > deny any any 0x8137 0x0
> > > deny any any 0x8138 0x0
> > > !
> > > !
> > > vlan access-map no-ipx 10
> > > action drop
> > > match mac address ipx
> > > vlan access-map no-ipx 20
> > > action forward
> > > vlan filter no-ipx vlan-list 300
> > >
> > > ***** deny any any 0x8137 0x1 (gets 8136 and 8137)
> > >
> > > IPX Ping works fine with this configuration.
> > > Debug IPX packet only shows the packet send and receive (no ethertype).
> > >
> > > Did I miss something?
> > > Larry
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie2be
> > > Sent: Tuesday, August 10, 2004 8:02 PM
> > > To: Larry Metzger; 'Group Study'
> > > Subject: Re: vlan-map filters to deny IPX traffic
> > >
> > > Hey Larry,
> > >
> > > 1) Use a vlan map filter (see 1st post below).
> > > 2) Apply vlan map filter to vlan with "vlan filter <name of vlan map filter>
> > > vlan-list <vlan #>".
> > >
> > > I think the ultimate way to test this is to have multiple devices connected
> > > to ports assigned the same vlan # where at least 2 devices are running ipx
> > > (a router can simulate an ipx device by doing an ipx ping) and 2 other
> > > devices are just running ip.
> > >
> > > Before applying filter, make sure vlan successfully passes all traffic - ip
> > > and ipx.
> > >
> > > Then apply filter and make sure that ipx traffic is blocked while ip traffic
> > > still passes.
> > >
> > > I would also see, if possible, if the ethertype can be determined from doing
> > > a debug ipx packets (or some similar command - I don't know if there's
> > > actually a debug ipx packet command but guess there is or something similar).
> > >
> > > If that's possible, that could come in handy one day. Although, since ipx
> > > is no longer included in lab, this type of thing probably wouldn't show up
> > > in the lab except possibly in the security portion.
> > >
> > > HTH, Tim
> > >
> > >
> > > ----- Original Message -----
> > > From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> > > To: "'Group Study'" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 10:31 PM
> > > Subject: RE: vlan-map filters to deny IPX traffic
> > >
> > >
> > > > I setup the filter and configured my computer for IPX/SPX. What command
> > > > is needed to see the switch blocking traffic?
> > > >
> > > > Larry
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Tuesday, August 10, 2004 6:19 PM
> > > > To: Group Study; Brian McGahan
> > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > >
> > > > I'd like to except I don't have access to any 3550's until my next rack
> > > > rental date which isn't until August 24.
> > > >
> > > > But, maybe you could tell me what would happen if I tested this. Also, to
> > > > really test this wouldn't I need some source of IPX traffic? Or, is there a
> > > > way to test this without having a source of IPX traffic?
> > > >
> > > > BTW, I found a listing of ethertypes at the link Marvin Greenlee posted a
> > > > bit earlier:
> > > >
> > > > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
> > > >
> > > > This listing is accurate, isn't it?
> > > >
> > > > Thanks
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > > <ccielab@groupstudy.com>
> > > > Sent: Tuesday, August 10, 2004 8:47 PM
> > > > Subject: RE: vlan-map filters to deny IPX traffic
> > > >
> > > >
> > > > > Did you test it? :)
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987 x 705
> > > > > Outside US: 775-826-4344 x 705
> > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > Behalf
> > > > > Of
> > > > > > ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > > > > To: Brian McGahan; Group Study
> > > > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > > > >
> > > > > > Jeez, I guess I'm still thinking from old ACRC course.
> > > > > >
> > > > > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be
> > > > > > correct for the 3550?
> > > > > >
> > > > > > mac access-list extended NO-IPX
> > > > > > deny any any 0x8137 0x0001
> > > > > >
> > > > > > Am I getting warm?
> > > > > >
> > > > > > Thanks, Tim
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > > > > Subject: RE: vlan-map filters
> > > > > >
> > > > > >
> > > > > > > What is the Ether-Type value for IPX?
> > > > > > >
> > > > > > > Brian McGahan, CCIE #8593
> > > > > > > bmcgahan@internetworkexpert.com
> > > > > > >
> > > > > > > Internetwork Expert, Inc.
> > > > > > > http://www.InternetworkExpert.com
> > > > > > > Toll Free: 877-224-8987 x 705
> > > > > > > Outside US: 775-826-4344 x 705
> > > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
> > On
> > > > > Behalf
> > > > > > > Of
> > > > > > > > ccie2be
> > > > > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > > > > To: Brian McGahan; Group Study
> > > > > > > > Subject: Re: vlan-map filters
> > > > > > > >
> > > > > > > > Brian,
> > > > > > > >
> > > > > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the
> > > > > > > > 3550 only supports IP and mac address acl's. Am I mistaken?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study" <ccielab@groupstudy.com>
> > > > > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > > > > Subject: RE: vlan-map filters
> > > > > > > >
> > > > > > > >
> > > > > > > > Tim,
> > > > > > > >
> > > > > > > > This type of question is really beyond the scope of the lab
> > > > > > > > exam, as I highly doubt they want you to remember the LSAP values of the
> > > > > > > > different protocols. Instead, this task is meant to be a slap on the
> > > > > > > > wrist to show you how NOT to configure VACLs :)
> > > > > > > >
> > > > > > > > Normal ACL filtering dictates that you permit only what you
> > > > > > > > want, and deny everything else. When using VACLs, you should deny what
> > > > > > > > you don't want, and permit everything else. Otherwise you tend to
> > > > > > > > forget all the necessary layer 2 protocols that are keeping the network
> > > > > > > > alive.
> > > > > > > >
> > > > > > > >
> > > > > > > > HTH,
> > > > > > > >
> > > > > > > > Brian McGahan, CCIE #8593
> > > > > > > > bmcgahan@internetworkexpert.com
> > > > > > > >
> > > > > > > > Internetwork Expert, Inc.
> > > > > > > > http://www.InternetworkExpert.com
> > > > > > > > Toll Free: 877-224-8987 x 705
> > > > > > > > Outside US: 775-826-4344 x 705
> > > > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > > > > ccie2be
> > > > > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > > > > To: Group Study
> > > > > > > > > Subject: vlan-map filters
> > > > > > > > >
> > > > > > > > > Hi guys,
> > > > > > > > >
> > > > > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > > > > >
> > > > > > > > > Problem:
> > > > > > > > >
> > > > > > > > > Allow only ip traffic on vlan 56, however, if other behind the scenes
> > > > > > > > > traffic is NOT allowed, there'll be big trouble in Cisco lab city.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Solution:
> > > > > > > > >
> > > > > > > > > ip access-list extended IPONLY
> > > > > > > > > permit ip any any
> > > > > > > > > !
> > > > > > > > > mac access-list extended IP_ARP
> > > > > > > > > permit any any 0x806 0x0 < --- Can this be found on Doc CD?
> > > > > > > > >
> > > > > > > > > mac access-list extended IS-IS
> > > > > > > > > permit any any lsap 0xFEFE 0x0 < ---- Can this be found on Doc CD?
> > > > > > > > >
> > > > > > > > > mac access-list extended IEEE-STP
> > > > > > > > > permit any any lsap 0x4242 0x0 < ---- Can this be found on Doc CD?
> > > > > > > > > !
> > > > > > > > > vlan access-map IPONLY 10
> > > > > > > > > action forward
> > > > > > > > > match ip address IPONLY
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 20
> > > > > > > > > action forward
> > > > > > > > > match mac address IP_ARP
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 30
> > > > > > > > > action forward
> > > > > > > > > match mac address IS-IS
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 40
> > > > > > > > > action forward
> > > > > > > > > match mac address IEEE-STP
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 50
> > > > > > > > > action drop
> > > > > > > > > vlan filter IPONLY vlan-list 56
> > > > > > > > >
> > > > > > > > > Question: Does anybody know where on the Doc-CD the codes used to match
> > > > > > > > > these traffic types can be found? I've looked but came up empty.
> > > > > > > > >
> > > > > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that a
> > > > > > > > > good idea?
> > > > > > > > >
> > > > > > > > > Thanks, Tim
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > _______________________________________________________________________
> > > > > > > > > Please help support GroupStudy by purchasing your study materials from:
> > > > > > > > > http://shop.groupstudy.com
> > > > > > > > >
> > > > > > > > > Subscription information may be found at:
> > > > > > > > > http://www.groupstudy.com/list/CCIELab.html
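The whole thread turns on two details of how a Catalyst MAC ACL entry such as "permit any any 0x8137 0x0001" is evaluated: the second number is a wildcard mask (bits set to 1 are ignored), and the entry only has a field to compare against when the frame actually carries an EtherType. Both routers in Larry's "sh ipx int" output report NOVELL-ETHER encapsulation, which is raw 802.3 framing: a length field after the MAC addresses, then the IPX header starting with its 0xFFFF checksum, and no EtherType anywhere. The Python script below is an added example, not code from this thread or from Cisco; it builds one IPX frame in each of the four encapsulations IOS offers (arpa, novell-ether, sap, snap) plus an ARP frame, all constructed sample data using the node addresses from the thread, classifies them the way a MAC ACL would, and walks Larry's no-ipx access map with Tim's corrected entry. It also enumerates every EtherType a value/mask pair covers so a mask can be checked before it goes on a switch. Two assumptions of the model, not claims about 3550 hardware: an ethertype entry is compared against the EtherType of Ethernet II and SNAP frames and an lsap entry against the DSAP/SSAP of 802.2 frames, and a frame that matches no sequence is dropped (the real platform applies per-packet-type defaults there).

```python
"""Model how a Catalyst-style MAC ACL entry (ethertype/mask or lsap/mask) and a
VLAN access map classify IPX frames in the four Ethernet encapsulations IOS
offers (arpa, novell-ether, sap, snap). Added example; the frames are built
here, not captured from the lab in the thread."""
import struct

# Node addresses taken from the "sh ipx int" output in the thread.
BB3_NODE = bytes.fromhex("00107b3c2c47")
BB1_NODE = bytes.fromhex("00e01e427e94")


def ipx_header() -> bytes:
    """Minimal 30-byte IPX header: checksum 0xFFFF, length, transport control,
    packet type, then dest and source net/node/socket (net 1, echo socket 2)."""
    return (struct.pack("!HHBB", 0xFFFF, 30, 0, 0)
            + struct.pack("!I", 1) + BB3_NODE + struct.pack("!H", 2)
            + struct.pack("!I", 1) + BB1_NODE + struct.pack("!H", 2))


def ethernet_ii(payload: bytes, ethertype: int) -> bytes:
    return BB3_NODE + BB1_NODE + struct.pack("!H", ethertype) + payload


def ieee_8023(payload: bytes) -> bytes:
    # 802.3 framing: the field after the MACs is a length (< 0x0600), not a type.
    return BB3_NODE + BB1_NODE + struct.pack("!H", len(payload)) + payload


IPX = ipx_header()
SAMPLE_FRAMES = {
    "ipx arpa (Ethernet II, type 0x8137)": ethernet_ii(IPX, 0x8137),
    "ipx novell-ether (raw 802.3)": ieee_8023(IPX),
    "ipx sap (802.2 LLC, DSAP/SSAP 0xE0)": ieee_8023(b"\xe0\xe0\x03" + IPX),
    "ipx snap (LLC/SNAP carrying 0x8137)": ieee_8023(b"\xaa\xaa\x03\x00\x00\x00\x81\x37" + IPX),
    "arp (Ethernet II, type 0x0806)": ethernet_ii(b"\x00" * 28, 0x0806),
}


def parse_frame(frame: bytes) -> dict:
    """Return what a MAC ACL can see: the EtherType (Ethernet II or SNAP),
    the DSAP/SSAP pair (802.2), and which framing variant this is."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"framing": None, "ethertype": None, "lsap": None}
    if type_or_len >= 0x0600:             # >= 1536 is an EtherType, not a length
        info["framing"] = "ethernet_ii"
        info["ethertype"] = type_or_len
        return info
    payload = frame[14:14 + type_or_len]
    if payload[:2] == b"\xff\xff":        # Novell raw: IPX checksum first, no LLC
        info["framing"] = "novell_raw"
    elif payload[:3] == b"\xaa\xaa\x03":  # SNAP: OUI, then a real EtherType
        info["framing"] = "snap"
        info["lsap"] = 0xAAAA
        info["ethertype"] = struct.unpack("!H", payload[6:8])[0]
    else:                                 # plain 802.2 LLC
        info["framing"] = "llc"
        info["lsap"] = (payload[0] << 8) | payload[1]
    return info


def wildcard_match(value: int, entry_value: int, mask: int) -> bool:
    """ACL mask semantics: a 1 bit in the mask means 'don't care'."""
    care = ~mask & 0xFFFF
    return (value & care) == (entry_value & care)


def entry_matches(info: dict, entry: tuple) -> bool:
    kind, value, mask = entry             # kind is "ethertype" or "lsap"
    field = info[kind]
    return field is not None and wildcard_match(field, value, mask)


def mac_acl_selects(info: dict, entries: list) -> bool:
    """Inside a VLAN map the ACL is a selector: 'permit' selects the frame,
    'deny' (and the implicit deny at the end) leaves it unselected."""
    for action, entry in entries:
        if entry_matches(info, entry):
            return action == "permit"
    return False


def vlan_map_action(info: dict, access_map: list) -> str:
    """First matching sequence wins; a sequence with no match clause (None)
    matches everything. The final 'drop' is a modelling assumption."""
    for action, acl in access_map:
        if acl is None or mac_acl_selects(info, acl):
            return action
    return "drop"


def ethertypes_covered(value: int, mask: int) -> set:
    """Every EtherType a value/mask pair matches; check a mask here first."""
    return {t for t in range(0x10000) if wildcard_match(t, value, mask)}


# Larry's no-ipx map (seq 10 drop, seq 20 forward) with Tim's corrected entry,
# and the same map with an extra entry for 802.2-framed IPX (DSAP/SSAP 0xE0).
NO_IPX_ACL = [("permit", ("ethertype", 0x8137, 0x0001))]
NO_IPX_MAP = [("drop", NO_IPX_ACL), ("forward", None)]
NO_IPX_MAP_WITH_SAP = [("drop", NO_IPX_ACL + [("permit", ("lsap", 0xE0E0, 0x0000))]),
                       ("forward", None)]


def evaluate(access_map: list = NO_IPX_MAP) -> dict:
    return {name: vlan_map_action(parse_frame(f), access_map)
            for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, action in evaluate().items():
        print(f"{action:8} {name}")
    print(sorted(hex(t) for t in ethertypes_covered(0x8137, 0x0001)))
```

Running it shows the arpa (Ethernet II) and snap frames dropped, the novell-ether and sap frames forwarded untouched, and ARP forwarded; adding the lsap entry catches the sap frame but still not the raw 802.3 one, which has neither an EtherType nor an LLC header for a MAC ACL to look at. The ethertypes_covered() helper prints the pair of values a given mask really selects, which is worth running against any mask before relying on it.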
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:42 GMT-3