Re: Deny ARP Catalyst - Potential Problem

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun Jan 09 2005 - 22:07:39 GMT-3


Al,

That's incredible. But, let me make sure I understand you correctly.

So, a mac acl which denies arp won't work for ip traffic if it's just
applied to an L2 port.

But, that same mac acl when used as part of a VACL will work.

Is that what you're saying?

If that's true, it's a good thing we talked about this.

Thanks, Tim
----- Original Message -----
From: <alsontra@hotmail.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Elson Burrao'" <eburrao@yahoo.com>;
<ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 6:57 AM
Subject: RE: Deny ARP Catalyst - Potential Problem

Tim,

I labbed this before I posted the VACL configuration; I had the same MAC ACL
epiphany. I believe what you're speaking of is in reference to
mac-access-list applied to L2 switch ports. VACLs are benevolent! ;-)

VACLs can filter LSAP, Ethertype, IP, etc. I'll send you the configuration
and verification if you like. Or better yet, you could try it yourself.
There are numerous caveats to the placement of MAC ACLs on the 3550.

In particular:

"You cannot apply an ACL to a Layer 2 interface on a switch if the switch
has an input Layer 3 ACL or a VLAN map applied to it. An error message is
generated if you attempt to do so. You can apply an ACL to a Layer 2
interface if the switch has output Layer 3 ACLs applied.

A Layer 2 interface can have only one MAC access list. If you apply a MAC
access list to a Layer 2 interface that has a MAC ACL configured, the new
ACL replaces the previously configured one."

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1046692

HTH
Al

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Sunday, January 09, 2005 5:39 PM
To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
Subject: Re: Deny ARP Catalyst - Potential Problem

Hey guys,

This just occurred to me.

According to the 3550 CG, mac ACLs can't be used to filter IP traffic, only
non-IP traffic. That being the case, how would we filter ARPs for IP traffic
on a 3550, assuming that's possible?

TIA, Tim
----- Original Message -----
From: <alsontra@hotmail.com>
To: "'Elson Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 4:33 AM
Subject: RE: Deny ARP Catalyst

> VLAN ACCESS-MAP (VACL)
>
> 0050.3eef.6260 = arp challenged host ( or soon to be )
>
> 0x806 0x0 = IP_ARP
>
> mac access-list extended DENY_ARP
> permit host 0050.3eef.6260 any 0x806 0x0
> !
> !
> vlan access-map DENY_MAC 10
> action drop
> match mac address DENY_ARP
> vlan access-map DENY_MAC 20
> action forward
> vlan filter DENY_MAC vlan-list 1
>
> ...someone correct me if I've made a mistake...
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1176911
>
> HTH
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Elson Burrao
> Sent: Sunday, January 09, 2005 3:05 PM
> To: ccielab@groupstudy.com
> Subject: Deny ARP Catalyst
>
> Hello All,
>
> How can I deny arp requests from a specific host? On the 3560 I do have the
> "arp access-list" command, but I couldn't find anything on the 3550.
>
> Any input will be very much appreciated
>
> Thanks
>
> E
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004


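As an added illustration (not from this thread or from Cisco), here is a small Python model of the DENY_MAC access-map posted above, evaluated over constructed Ethernet frames: an ARP frame sourced from 0050.3eef.6260 matches DENY_ARP at sequence 10 and is dropped, while IP from that host and ARP from any other host fall through to sequence 20 and are forwarded. The frame bytes and the second MAC (000c.29aa.bbcc) are constructed, and the `0x806 0x0` ethertype/mask pair is modelled as an exact ethertype match.

```python
# Model of the 3550 VLAN access-map logic from the thread. Added example,
# not Cisco code; all MAC addresses except the thread's host and all frame
# bytes are constructed here for illustration.
import struct

ARP_ETHERTYPE = 0x0806
BLOCKED_HOST = bytes.fromhex("00503eef6260")   # 0050.3eef.6260 from the thread
OTHER_HOST = bytes.fromhex("000c29aabbcc")     # constructed second host
BROADCAST = b"\xff" * 6


def mac_str(mac: bytes) -> str:
    """Render 6 raw bytes in Cisco dotted form, e.g. 0050.3eef.6260."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype) from a raw Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    return frame[0:6], frame[6:12], etype


def mac_acl_deny_arp(src: bytes, etype: int) -> bool:
    """'permit host 0050.3eef.6260 any 0x806 0x0': source MAC must be the host
    and the ethertype must equal 0x0806 exactly (mask 0x0 = no wildcard bits)."""
    return src == BLOCKED_HOST and etype == ARP_ETHERTYPE


def vacl_deny_mac(frame: bytes) -> str:
    """Evaluate access-map DENY_MAC in sequence order; the first match wins."""
    _, src, etype = parse_frame(frame)
    if mac_acl_deny_arp(src, etype):   # sequence 10: match DENY_ARP, action drop
        return "drop"
    return "forward"                   # sequence 20: no match clause, action forward


def build_frame(dst: bytes, src: bytes, etype: int) -> bytes:
    """Constructed Ethernet II frame with a dummy 28-byte payload."""
    return dst + src + struct.pack("!H", etype) + b"\x00" * 28


SAMPLE_FRAMES = {
    "arp_request_from_blocked_host": build_frame(BROADCAST, BLOCKED_HOST, 0x0806),
    "arp_reply_from_blocked_host": build_frame(OTHER_HOST, BLOCKED_HOST, 0x0806),
    "ipv4_from_blocked_host": build_frame(OTHER_HOST, BLOCKED_HOST, 0x0800),
    "arp_request_from_other_host": build_frame(BROADCAST, OTHER_HOST, 0x0806),
}


def evaluate_all() -> dict:
    """Verdict of the access-map for every constructed sample frame."""
    return {name: vacl_deny_mac(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:32s} -> {verdict}")
```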
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:21 GMT-3