From: Larry Metzger (larrymetzger@sbcglobal.net)
Date: Wed Aug 11 2004 - 18:56:33 GMT-3
Tim,
The ping is correct (notice it calls out ipx novell and to be sure I did
the extended ping....but to satisfy the urge I did your ping ipx and it
gave exactly the same output as both of the others). The IOS recognized
the ping 1.0010.7b3c.2c47 as an ipx address. Moving on....
The permit any any 0x8137 0x0001 becomes 0x8136 0x0001 (you are allowing
the last bit to change so it gets 6 and 7 not 7 and 8). I have also
tried it with the exact options of 0x8137 0x0000 and 0x8138 0x0000 (each
on their own permit line).
Larry
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Wednesday, August 11, 2004 2:49 PM
To: Group Study; Larry Metzger
Subject: Re: vlan-map filters to deny IPX traffic
Larry,
To generate an IPX ping, you need to use "ping ipx <addr>". Notice the IPX following the ping.
Also, your mac acl isn't quite right.
It should be:
mac access-list extended <name>
permit any any 0x8137 0x0001
The mask allows for both 8137 and 8138.
Try this and let me know what happens.
HTH, Tim
----- Original Message -----
From: "Larry Metzger" <larrymetzger@sbcglobal.net>
To: "'ccie2be'" <ccie2be@nyc.rr.com>
Sent: Wednesday, August 11, 2004 4:50 PM
Subject: RE: vlan-map filters to deny IPX traffic
> bb1#sh ipx int
> Ethernet0 is up, line protocol is up
> IPX address is 1.00e0.1e42.7e94, NOVELL-ETHER [up]
>
> bb3#sh ipx int
> Ethernet1 is up, line protocol is up
> IPX address is 1.0010.7b3c.2c47, NOVELL-ETHER [up]
> *****************************
> bb1#ping 1.0010.7b3c.2c47
> Translating "1.0010.7b3c.2c47"
> Type escape sequence to abort.
> Sending 5, 100-byte IPX Novell Echoes to 1.0010.7b3c.2c47, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
> ----To be safe I also did -----
> bb1#ping
> Protocol [ip]: ipx
> Target IPX address: 1.0010.7b3c.2c47
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Verbose [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte IPX Novell Echoes to 1.0010.7b3c.2c47, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
> *****************************
> Switch 3550
> mac access-list extended ipx
> permit any any 0x8138 0x1
> permit any any 0x8136 0x1
> !
> vlan access-map no-ipx 10
> action drop
> match mac address ipx
> vlan access-map no-ipx 20
> action forward
> vlan filter no-ipx vlan-list 300
> !
> interface FastEthernet0/15
> switchport access vlan 300
> no ip address
> !
> interface FastEthernet0/19
> switchport access vlan 300
> no ip address
> !
> ***********************
> ***********************
> I can ipx ping with the mac access-list. I changed the mac access-list
> to make sure things were working (permit any any) and all traffic was
> blocked on vlan 300.
>
> Let me know if you see something crazy.
>
> Larry
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Wednesday, August 11, 2004 12:47 PM
> To: Larry Metzger; 'Group Study'
> Subject: Re: vlan-map filters to deny IPX traffic
>
> Really, this doesn't work?
>
> Could you post your configs from the routers and 3550?
>
> Also, what command are you using for the ipx pings?
>
>
> ----- Original Message -----
> From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> To: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Wednesday, August 11, 2004 2:47 PM
> Subject: RE: vlan-map filters to deny IPX traffic
>
>
> > I caught that after I sent the e-mail. Made the change to permit and it
> > still allows pings.
> > Larry
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Wednesday, August 11, 2004 11:45 AM
> > To: Larry Metzger; 'Group Study'
> > Subject: Re: vlan-map filters to deny IPX traffic
> >
> > Yes. You made the same mistake that I did and probably most people make.
> >
> > In your access list, you must PERMIT the traffic to be dropped.
> >
> > PERMIT = select or match.
> >
> > Once you specify the traffic in the acl with a PERMIT, you can drop it in
> > your vlan map filter.
> >
> > To test this, configure ipx and ip on both routers. Make sure the ports
> > connected to both routers are in vlan 300.
> >
> > Then do an ip ping and an ipx ping.
> >
> > Out of curiosity, I'd like to know what happens if you use deny in your
> > mac access-list.
> >
> > I'm sure it won't work, but I don't know if you'll get any error messages.
> >
> > HTH, Tim
> > ----- Original Message -----
> > From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> > To: "'Group Study'" <ccielab@groupstudy.com>
> > Sent: Wednesday, August 11, 2004 1:00 PM
> > Subject: RE: vlan-map filters to deny IPX traffic
> >
> >
> > > Router 1 ---->3550 -----> Router 2
> > >
> > > mac access-list extended ipx
> > > deny any any 0x8137 0x0
> > > deny any any 0x8138 0x0
> > > !
> > > !
> > > vlan access-map no-ipx 10
> > > action drop
> > > match mac address ipx
> > > vlan access-map no-ipx 20
> > > action forward
> > > vlan filter no-ipx vlan-list 300
> > >
> > > ***** deny any any 0x8137 0x1 (gets 8136 and 8137)
> > >
> > > IPX Ping works fine with this configuration.
> > > Debug IPX packet only shows the packet send and receive (no ethertype).
> > >
> > > Did I miss something?
> > > Larry
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > ccie2be
> > > Sent: Tuesday, August 10, 2004 8:02 PM
> > > To: Larry Metzger; 'Group Study'
> > > Subject: Re: vlan-map filters to deny IPX traffic
> > >
> > > Hey Larry,
> > >
> > > 1) Use a vlan map filter (see 1st post below).
> > > 2) Apply vlan map filter to vlan with "vlan filter <name of vlan map
> > > filter> vlan-list <vlan #>".
> > >
> > > I think the ultimate way to test this is to have multiple devices
> > > connected to ports assigned the same vlan # where at least 2 devices are
> > > running ipx (a router can simulate an ipx device by doing an ipx ping)
> > > and 2 other devices are just running ip.
> > >
> > > Before applying filter, make sure vlan successfully passes all traffic -
> > > ip and ipx.
> > >
> > > Then apply filter and make sure that ipx traffic is blocked while ip
> > > traffic still passes.
> > >
> > > I would also see, if possible, if the ethertype can be determined from
> > > doing a debug ipx packets (or some similar command - I don't know if
> > > there's actually a debug ipx packet command but guess there is or
> > > something similar).
> > >
> > > If that's possible, that could come in handy one day. Although, since
> > > ipx is no longer included in lab, this type of thing probably wouldn't
> > > show up in the lab except possibly in the security portion.
> > >
> > > HTH, Tim
> > >
> > >
> > > ----- Original Message -----
> > > From: "Larry Metzger" <larrymetzger@sbcglobal.net>
> > > To: "'Group Study'" <ccielab@groupstudy.com>
> > > Sent: Tuesday, August 10, 2004 10:31 PM
> > > Subject: RE: vlan-map filters to deny IPX traffic
> > >
> > >
> > > > I setup the filter and configured my computer for IPX/SPX. What
> > > > command is needed to see the switch blocking traffic?
> > > >
> > > > Larry
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Tuesday, August 10, 2004 6:19 PM
> > > > To: Group Study; Brian McGahan
> > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > >
> > > > I'd like to except I don't have access to any 3550's until my next
> > > > rack rental date which isn't until August 24.
> > > >
> > > > But, maybe you could tell me what would happen if I tested this. Also,
> > > > to really test this wouldn't I need some source of IPX traffic? Or, is
> > > > there a way to test this without having a source of IPX traffic?
> > > >
> > > > BTW, I found a listing of ethertypes at the link Marvin Greenlee posted
> > > > a bit earlier:
> > > >
> > > >
> > > > http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/cnfg_nts/token/4158_02.htm#10845
> > > >
> > > > This listing is accurate, isn't it?
> > > >
> > > > Thanks
> > > > ----- Original Message -----
> > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > > <ccielab@groupstudy.com>
> > > > Sent: Tuesday, August 10, 2004 8:47 PM
> > > > Subject: RE: vlan-map filters to deny IPX traffic
> > > >
> > > >
> > > > > Did you test it? :)
> > > > >
> > > > > Brian McGahan, CCIE #8593
> > > > > bmcgahan@internetworkexpert.com
> > > > >
> > > > > Internetwork Expert, Inc.
> > > > > http://www.InternetworkExpert.com
> > > > > Toll Free: 877-224-8987 x 705
> > > > > Outside US: 775-826-4344 x 705
> > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > ccie2be
> > > > > > Sent: Tuesday, August 10, 2004 4:59 PM
> > > > > > To: Brian McGahan; Group Study
> > > > > > Subject: Re: vlan-map filters to deny IPX traffic
> > > > > >
> > > > > > Jeez, I guess I'm still thinking from old ACRC course.
> > > > > >
> > > > > > OK, IPX ether type is 8137 and 8138, so would this ether type acl be
> > > > > > correct for the 3550?
> > > > > >
> > > > > > mac access-list extended NO-IPX
> > > > > > deny any any 0x8137 0x0001
> > > > > >
> > > > > > Am I getting warm?
> > > > > >
> > > > > > Thanks, Tim
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > > > <ccielab@groupstudy.com>
> > > > > > Sent: Tuesday, August 10, 2004 5:33 PM
> > > > > > Subject: RE: vlan-map filters
> > > > > >
> > > > > >
> > > > > > > What is the Ether-Type value for IPX?
> > > > > > >
> > > > > > > Brian McGahan, CCIE #8593
> > > > > > > bmcgahan@internetworkexpert.com
> > > > > > >
> > > > > > > Internetwork Expert, Inc.
> > > > > > > http://www.InternetworkExpert.com
> > > > > > > Toll Free: 877-224-8987 x 705
> > > > > > > Outside US: 775-826-4344 x 705
> > > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > > > > ccie2be
> > > > > > > > Sent: Tuesday, August 10, 2004 4:17 PM
> > > > > > > > To: Brian McGahan; Group Study
> > > > > > > > Subject: Re: vlan-map filters
> > > > > > > >
> > > > > > > > Brian,
> > > > > > > >
> > > > > > > > Is there a way to explicitly deny IPX traffic on a 3550? I thought the
> > > > > > > > 3550 only supports IP and mac address acl's. Am I mistaken?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Brian McGahan" <bmcgahan@internetworkexpert.com>
> > > > > > > > To: "ccie2be" <ccie2be@nyc.rr.com>; "Group Study"
> > > > > > > <ccielab@groupstudy.com>
> > > > > > > > Sent: Tuesday, August 10, 2004 2:41 PM
> > > > > > > > Subject: RE: vlan-map filters
> > > > > > > >
> > > > > > > >
> > > > > > > > Tim,
> > > > > > > >
> > > > > > > > This type of question is really beyond the scope of the lab
> > > > > > > > exam, as I highly doubt they want you to remember the LSAP values of
> > > > > > > > the different protocols. Instead, this task is meant to be a slap on
> > > > > > > > the wrist to show you how NOT to configure VACLs :)
> > > > > > > >
> > > > > > > > Normal ACL filtering dictates that you permit only what you
> > > > > > > > want, and deny everything else. When using VACLs, you should deny
> > > > > > > > what you don't want, and permit everything else. Otherwise you tend
> > > > > > > > to forget all the necessary layer 2 protocols that are keeping the
> > > > > > > > network alive.
> > > > > > > >
> > > > > > > >
> > > > > > > > HTH,
> > > > > > > >
> > > > > > > > Brian McGahan, CCIE #8593
> > > > > > > > bmcgahan@internetworkexpert.com
> > > > > > > >
> > > > > > > > Internetwork Expert, Inc.
> > > > > > > > http://www.InternetworkExpert.com
> > > > > > > > Toll Free: 877-224-8987 x 705
> > > > > > > > Outside US: 775-826-4344 x 705
> > > > > > > > 24/7 Support: http://forum.internetworkexpert.com
> > > > > > > > Live Chat: http://www.internetworkexpert.com/chat/
> > > > > > > >
> > > > > > > >
> > > > > > > > > -----Original Message-----
> > > > > > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > > > > > > > > Of ccie2be
> > > > > > > > > Sent: Tuesday, August 10, 2004 10:38 AM
> > > > > > > > > To: Group Study
> > > > > > > > > Subject: vlan-map filters
> > > > > > > > >
> > > > > > > > > Hi guys,
> > > > > > > > >
> > > > > > > > > From IE lab 11, task 1.16 and 1.17
> > > > > > > > >
> > > > > > > > > Problem:
> > > > > > > > >
> > > > > > > > > Allow only ip traffic on vlan 56, however, if other behind the
> > > > > > > > > scenes traffic is NOT allowed, there'll be big trouble in Cisco lab
> > > > > > > > > city.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Solution:
> > > > > > > > >
> > > > > > > > > ip access-list extended IPONLY
> > > > > > > > > permit ip any any
> > > > > > > > > !
> > > > > > > > > mac access-list extended IP_ARP
> > > > > > > > > permit any any 0x806 0x0 < --- Can this be found on Doc CD?
> > > > > > > > >
> > > > > > > > > mac access-list extended IS-IS
> > > > > > > > > permit any any lsap 0xFEFE 0x0 < ---- Can this be found on Doc CD?
> > > > > > > > >
> > > > > > > > > mac access-list extended IEEE-STP
> > > > > > > > > permit any any lsap 0x4242 0x0 < ---- Can this be found on Doc CD?
> > > > > > > > > !
> > > > > > > > > vlan access-map IPONLY 10
> > > > > > > > > action forward
> > > > > > > > > match ip address IPONLY
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 20
> > > > > > > > > action forward
> > > > > > > > > match mac address IP_ARP
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 30
> > > > > > > > > action forward
> > > > > > > > > match mac address IS-IS
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 40
> > > > > > > > > action forward
> > > > > > > > > match mac address IEEE-STP
> > > > > > > > >
> > > > > > > > > vlan access-map IPONLY 50
> > > > > > > > > action drop
> > > > > > > > > vlan filter IPONLY vlan-list 56
> > > > > > > > >
> > > > > > > > > Question: Does anybody know where on the Doc-CD the codes used to
> > > > > > > > > match these traffic types can be found? I've looked but came up empty.
> > > > > > > > >
> > > > > > > > > Also, cdp traffic will be dropped by the above vlan filter. Is that
> > > > > > > > > a good idea?
> > > > > > > > >
> > > > > > > > > Thanks, Tim
> > > > > > > > >
> > > > > > > > >
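The thread turns on two mechanics that are easy to get backwards: how a mac access-list Ethertype/mask pair selects frames (Larry observes IOS rewriting 0x8137 0x0001 as 0x8136 0x0001, so the pair covers 0x8136 and 0x8137, not 0x8138), and how a VLAN access-map then drops or forwards what the ACL selects (permit = select, deny = not selected, trailing forward-all clause). The Python below is an added model of both, written for this archive; it is not code from the thread, from Cisco or from IOS. It assumes the wildcard semantics the thread shows (a 1 bit in the mask is "don't care") and that a frame matching no map clause is dropped by default. It also carries one caveat worth checking before trusting any such filter: Larry's `sh ipx int` output shows NOVELL-ETHER encapsulation, which is Novell's raw 802.3 framing, so those echo frames carry an 802.3 length field where an Ethernet II frame would carry 0x8137; an Ethertype match cannot select them. That reading of the output is mine, not a conclusion the thread reaches; the constructed "novell-raw" frame in the sample set shows the effect.

```python
"""Added example (not code from the thread): a small model of how a Catalyst
3550 mac access-list selects frames by Ethertype/mask and how a VLAN
access-map then acts on the selection.  Mask semantics assumed to be the
wildcard form the thread observes (a 1 bit in the mask means "don't care",
which is why IOS rewrites 0x8137 0x0001 as 0x8136 0x0001)."""

# Constructed sample frames, identified only by their 16-bit type/length field.
FRAMES = {
    "ipx-ethernet-ii-8137": 0x8137,   # IPX over Ethernet II (Ethertype 0x8137)
    "ipx-ethernet-ii-8138": 0x8138,   # the other IPX Ethertype named in the thread
    "arp": 0x0806,                    # control traffic that must keep flowing
    # NOVELL-ETHER (Novell raw 802.3) framing carries a length, not an
    # Ethertype: a 100-byte echo like the thread's ping shows 0x0064 here.
    "ipx-novell-raw-100B": 0x0064,
}


def ethertype_matches(type_field, value, mask):
    """True when type_field equals value on every bit not masked out."""
    care = ~mask & 0xFFFF
    return (type_field & care) == (value & care)


def covered_ethertypes(value, mask):
    """Every type field a value/mask pair selects (brute force over 16 bits)."""
    return sorted(t for t in range(0x10000) if ethertype_matches(t, value, mask))


def mac_acl_selects(acl, type_field):
    """acl: list of (action, value, mask) in order.  Inside a VACL the ACL only
    *selects* traffic: 'permit' selects, 'deny' (and the implicit deny at the
    end) leaves the frame unselected.  First matching entry wins."""
    for action, value, mask in acl:
        if ethertype_matches(type_field, value, mask):
            return action == "permit"
    return False


def vlan_map_action(access_map, acls, type_field):
    """access_map: list of (seq, action, acl_name or None).  Clauses are tried
    in sequence order; a clause with no match selects everything.  A frame
    matching no clause is dropped (assumed default; the thread's maps end
    with a forward-all clause for exactly that reason)."""
    for _seq, action, acl_name in sorted(access_map, key=lambda c: c[0]):
        if acl_name is None or mac_acl_selects(acls[acl_name], type_field):
            return action
    return "drop"


# The ACL variants that appear in the thread.
ACLS = {
    # deny entries select nothing, so sequence 10 never fires
    "deny-entries": [("deny", 0x8137, 0x0), ("deny", 0x8138, 0x0)],
    # 0x8137 0x0001 covers 0x8136/0x8137, not 0x8138
    "single-masked": [("permit", 0x8137, 0x0001)],
    # the pair Larry configured: 0x8136 through 0x8139 together
    "masked-pair": [("permit", 0x8138, 0x0001), ("permit", 0x8136, 0x0001)],
    # one exact entry per Ethertype
    "exact-pair": [("permit", 0x8137, 0x0), ("permit", 0x8138, 0x0)],
}


def no_ipx_map(acl_name):
    """The thread's 'no-ipx' access-map: drop what the ACL selects, forward the rest."""
    return [(10, "drop", acl_name), (20, "forward", None)]


def evaluate(acl_name):
    """Action the no-ipx map takes on each sample frame for a given ACL variant."""
    access_map = no_ipx_map(acl_name)
    return {label: vlan_map_action(access_map, ACLS, t) for label, t in FRAMES.items()}


if __name__ == "__main__":
    print("0x8137 0x0001 covers:", [hex(t) for t in covered_ethertypes(0x8137, 0x0001)])
    for name in ACLS:
        print(f"{name:14s}", evaluate(name))
```

Running it shows the deny-only list forwarding everything, the single masked entry catching 0x8137 but not 0x8138, and both the masked pair and the exact pair catching the two Ethernet II forms while the raw-802.3 frame passes every variant. When verifying a filter like this in a lab, make the test traffic use the encapsulation the ACL actually names (on IOS, `encapsulation arpa` under `ipx network` produces Ethernet II frames with Ethertype 0x8137) or the drop counters will stay at zero for the wrong reason.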
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:42 GMT-3