RE: Deny ARP Catalyst - Potential Problem

From: alsontra@hotmail.com
Date: Sun Jan 09 2005 - 12:42:58 GMT-3


Hi Tim,

You are correct. As I understand it, MAC access-lists on the 3550 only affect
non-IP traffic. I have the following sources:

1. 3550 configuration guide:

"With port ACLs, you can filter IP traffic by using IP access lists and
non-IP traffic by using MAC addresses. You can filter both IP and non-IP
traffic on the same Layer 2 interface by applying both an IP access list and
a MAC access list to the interface."

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1140852

2. Internetworkexperts Solution Guide.

If I can paraphrase it, "MAC access-lists only affect non-IP traffic." Refer
to Lab 12, task 1.14.

3. I've tried!!! :-) It doesn't work.

The only way to stop IP by MAC is to black-hole it into a down/down
interface with a static MAC entry, or use a VACL (or at least that's my
understanding), e.g.:

mac-address-table static 1111.1111.1111 vlan 1 interface gi 0/1
OR
mac-address-table static 1444.9911.1200 vlan 1 drop

Perhaps the ARP gods will chime in....

HTH
Al

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Sunday, January 09, 2005 7:08 PM
To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
Subject: Re: Deny ARP Catalyst - Potential Problem

Al,

That's incredible. But, let me make sure I understand you correctly.

So, a mac acl which denies arp won't work for ip traffic if it's just
applied to L2 port.

But, that same mac acl when used as part of a VACL will work.

Is that what you're saying?

If that's true, it's a good thing we talked about this.

Thanks, Tim
----- Original Message -----
From: <alsontra@hotmail.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Elson Burrao'" <eburrao@yahoo.com>;
<ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 6:57 AM
Subject: RE: Deny ARP Catalyst - Potential Problem

Tim,

I labbed this before I posted the VACL configuration; I had the same MAC ACL
epiphany. I believe what you're speaking of is in reference to
mac-access-list applied to L2 switch ports. VACLs are benevolent! ;-)

VACLs can filter Lsap, Ethertype, IP, etc. I'll send you the configuration
and verification if you like. Or better yet, you could try it yourself.
There are numerous caveats to the placement of MAC-ACL on the 3550.

In particular:

"You cannot apply an ACL to a Layer 2 interface on a switch if the switch
has an input Layer 3 ACL or a VLAN map applied to it. An error message is
generated if you attempt to do so. You can apply an ACL to a Layer 2
interface if the switch has output Layer 3 ACLs applied.

A Layer 2 interface can have only one MAC access list. If you apply a MAC
access list to a Layer 2 interface that has a MAC ACL configured, the new
ACL replaces the previously configured one."

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1046692

HTH
Al

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Sunday, January 09, 2005 5:39 PM
To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
Subject: Re: Deny ARP Catalyst - Potential Problem

Hey guys,

This just occurred to me.

According to the 3550 CG, MAC ACLs can't be used to filter IP traffic, only
non-IP traffic. That being the case, how would we filter ARPs for IP traffic
on a 3550, assuming that's possible?

TIA, Tim
----- Original Message -----
From: <alsontra@hotmail.com>
To: "'Elson Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 4:33 AM
Subject: RE: Deny ARP Catalyst

> VLAN ACCESS-MAP (VACL)
>
> 0050.3eef.6260 = arp challenged host ( or soon to be )
>
> 0x806 0x0 = IP_ARP
>
> mac access-list extended DENY_ARP
> permit host 0050.3eef.6260 any 0x806 0x0
> !
> !
> vlan access-map DENY_MAC 10
> action drop
> match mac address DENY_ARP
> vlan access-map DENY_MAC 20
> action forward
> vlan filter DENY_MAC vlan-list 1
>
> Someone correct me if I've made a mistake.
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1176911
>
> HTH
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Elson Burrao
> Sent: Sunday, January 09, 2005 3:05 PM
> To: ccielab@groupstudy.com
> Subject: Deny ARP Catalyst
>
> Hello All,
>
> How can I deny ARP requests from a specific host? On the 3560 I do have the
> "arp access-list" command, but I couldn't find anything on the 3550.
>
> Any input will be very much appreciated
>
> Thanks
>
> E
>
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

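To make the thread's two claims concrete (a VLAN access-map decides frame by frame in sequence order, and a MAC ACL bound to an L2 port is consulted only for non-IP frames per the quoted configuration-guide text), here is an added teaching model. It is not Cisco code and does not emulate 3550 hardware: it parses the DENY_ARP / DENY_MAC lines quoted above, then evaluates a few constructed frames. The frames, the "no clause hit means drop" rule at the end of the map, and the `port_mac_acl_decision` helper are assumptions of this example, not statements from the thread.

```python
"""Teaching model of the VACL quoted in the thread (added example, not Cisco code).

Parses the IOS-style lines, then walks a VLAN access-map the way the thread
describes it: clauses in sequence order, first clause whose match list hits
decides.  3550 hardware behaviour is not modelled.
"""

# Configuration text exactly as quoted in the thread.
CONFIG = """
mac access-list extended DENY_ARP
 permit host 0050.3eef.6260 any 0x806 0x0
!
vlan access-map DENY_MAC 10
 action drop
 match mac address DENY_ARP
vlan access-map DENY_MAC 20
 action forward
vlan filter DENY_MAC vlan-list 1
"""

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


def _parse_addr(tokens):
    """Consume 'any' or 'host <mac>' from the front of the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1].lower(), tokens[2:]
    raise ValueError("unsupported address form: %r" % tokens[0])


def parse_config(text):
    """Return (mac_acls, access_maps, filters) from IOS-style config lines."""
    mac_acls, access_maps, filters = {}, {}, {}
    acl = clause = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:3] == ["mac", "access-list", "extended"]:
            acl, clause = mac_acls.setdefault(tokens[3], []), None
        elif tokens[0] in ("permit", "deny") and acl is not None:
            src, rest = _parse_addr(tokens[1:])
            dst, rest = _parse_addr(rest)
            etype = int(rest[0], 16) if rest else None
            mask = int(rest[1], 16) if len(rest) > 1 else 0  # 0x0 mask = exact match
            acl.append((tokens[0], src, dst, etype, mask))
        elif tokens[:2] == ["vlan", "access-map"]:
            seqs = access_maps.setdefault(tokens[2], {})
            clause = seqs.setdefault(int(tokens[3]), {"action": "forward", "matches": []})
            acl = None
        elif tokens[0] == "action" and clause is not None:
            clause["action"] = tokens[1]
        elif tokens[:3] == ["match", "mac", "address"] and clause is not None:
            clause["matches"].extend(tokens[3:])
        elif tokens[:2] == ["vlan", "filter"]:
            filters.setdefault(tokens[2], set()).update(int(v) for v in tokens[4:])
    return mac_acls, access_maps, filters


def acl_permits(entries, frame):
    """First ACE that matches decides; no matching ACE means the list does not match."""
    for action, src, dst, etype, mask in entries:
        if src is not None and src != frame["src"]:
            continue
        if dst is not None and dst != frame["dst"]:
            continue
        if etype is not None and (frame["ethertype"] & ~mask) != (etype & ~mask):
            continue
        return action == "permit"
    return False


def vacl_decision(parsed, vlan, frame):
    """Action the VLAN map applies to `frame` on `vlan`: 'forward', 'drop' or 'unfiltered'."""
    mac_acls, access_maps, filters = parsed
    for name, vlans in filters.items():
        if vlan not in vlans:
            continue
        for seq in sorted(access_maps[name]):
            clause = access_maps[name][seq]
            # A clause with no match statements (sequence 20 above) matches every frame.
            if not clause["matches"] or any(acl_permits(mac_acls[m], frame) for m in clause["matches"]):
                return clause["action"]
        return "drop"  # assumption: a frame no clause matched is dropped by the map
    return "unfiltered"


def port_mac_acl_decision(entries, frame):
    """Same list bound to an L2 port (assumption, modelled on the quoted guide text):
    the port MAC ACL is consulted for non-IP frames only, so IP is never examined."""
    if frame["ethertype"] == ETHERTYPE_IP:
        return "not evaluated"
    return "forward" if acl_permits(entries, frame) else "drop"


# Constructed frames; the host MAC is the one from the thread, the others are made up.
HOST = "0050.3eef.6260"
FRAMES = {
    "arp_from_host": {"src": HOST, "dst": "ffff.ffff.ffff", "ethertype": ETHERTYPE_ARP},
    "ip_from_host": {"src": HOST, "dst": "0000.0c07.ac01", "ethertype": ETHERTYPE_IP},
    "arp_from_other": {"src": "0011.2233.4455", "dst": "ffff.ffff.ffff", "ethertype": ETHERTYPE_ARP},
}


def run_examples():
    """Decision of the quoted VACL on VLAN 1 for each constructed frame."""
    parsed = parse_config(CONFIG)
    return {name: vacl_decision(parsed, 1, f) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print("%-15s -> %s" % (name, verdict))
```

Running it shows the host's ARP dropped by sequence 10 while its IP frames and everyone else's ARP fall through to sequence 20 and are forwarded; on a VLAN with no `vlan filter` the map is simply not applied. The `port_mac_acl_decision` contrast also shows why the VACL is the tool here: as a port ACL the same permit-only list would forward the host's ARP and, via the implicit deny, drop other non-IP frames, while never looking at IP at all.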



This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:21 GMT-3