Re: Deny ARP Catalyst - Potential Problem

From: ccie2be (ccie2be@nyc.rr.com)
Date: Mon Jan 10 2005 - 11:38:44 GMT-3


Hi Al,

I think I was thinking about this arp filtering the wrong way.

My initial thinking was that if an arp request is being done to resolve
the mac address for an ip address, a mac acl couldn't be used because
mac acls applied to a L2 port on a 3550 don't work for ip traffic.

But, now I think that logic is wrong because even though the arp is for
resolving an ip address, an arp packet isn't also an ip packet. Therefore,
when a mac acl is used to filter arps on a 3550, the 3550 doesn't know
that the arp request is for resolving an ip address - assuming the 3550
doesn't look inside the arp packet. My assumption is that the 3550 looks
at the frame type field inside the ethernet header, sees that the frame
is arp, 0x806, and filters the frame.

My guess is that if the frame type field of an ethernet frame is 0x800,
ip, only then will a mac acl not work. Do you agree?

I don't know why the 3550 would work this way, but I'm going to try to
figure out how to test this theory. If I succeed, I'll let you know what
I find.

BTW, can you confirm that there's no way to filter arp with an ip acl?

Thanks, Tim

----- Original Message -----
From: <alsontra@hotmail.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; <alsontra@hotmail.com>; "'Elson
Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 10:42 AM
Subject: RE: Deny ARP Catalyst - Potential Problem

Hi Tim,

You are correct. As I understand it, MAC access-lists on the 3550 only
affect non-IP traffic. I have the following sources:

1. 3550 configuration guide:

"With port ACLs, you can filter IP traffic by using IP access lists and
non-IP traffic by using MAC addresses. You can filter both IP and non-IP
traffic on the same Layer 2 interface by applying both an IP access list and
a MAC access list to the interface."

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1140852

2. Internetworkexperts Solution Guide.

If I can paraphrase it, "MAC access-lists only affect non-IP traffic." Refer
to Lab 12 task 1.14.

3. I've tried!!! :-) It doesn't work.

The only way to stop IP by mac is to black hole it into a down/down
interface with a static mac entry or VACL (or at least that's my
understanding), e.g.

mac-address-table static 1111.1111.1111 vlan 1 interface gi 0/1
OR
mac-address-table static 1444.9911.1200 vlan 1 drop

Perhaps the ARP gods will chime in....

HTH
Al

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Sunday, January 09, 2005 7:08 PM
To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
Subject: Re: Deny ARP Catalyst - Potential Problem

Al,

That's incredible. But, let me make sure I understand you correctly.

So, a mac acl which denies arp won't work for ip traffic if it's just
applied to L2 port.

But, that same mac acl when used as part of a VACL will work.

Is that what you're saying?

If that's true, it's a good thing we talked about this.

Thanks, Tim
----- Original Message -----
From: <alsontra@hotmail.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Elson Burrao'" <eburrao@yahoo.com>;
<ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 6:57 AM
Subject: RE: Deny ARP Catalyst - Potential Problem

Tim,

I labbed this before I posted the VACL configuration; I had the same MAC ACL
epiphany. I believe what you're speaking of is in reference to
mac-access-list applied to L2 switch ports. VACLs are benevolent! ;-)

VACLs can filter Lsap, Ethertype, IP, etc. I'll send you the configuration
and verification if you like. Or better yet, you could try it yourself.
There are numerous caveats to the placement of MAC-ACL on the 3550.

In particular:

"You cannot apply an ACL to a Layer 2 interface on a switch if the switch
has an input Layer 3 ACL or a VLAN map applied to it. An error message is
generated if you attempt to do so. You can apply an ACL to a Layer 2
interface if the switch has output Layer 3 ACLs applied.

A Layer 2 interface can have only one MAC access list. If you apply a MAC
access list to a Layer 2 interface that has a MAC ACL configured, the new
ACL replaces the previously configured one. "

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1046692

HTH
Al

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Sunday, January 09, 2005 5:39 PM
To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
Subject: Re: Deny ARP Catalyst - Potential Problem

Hey guys,

This just occurred to me.

According to the 3550 CG, mac acls can't be used to filter ip traffic,
only non-ip traffic. That being the case, how would we filter arps for ip
traffic on a 3550, assuming that's possible?

TIA, Tim
----- Original Message -----
From: <alsontra@hotmail.com>
To: "'Elson Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
Sent: Sunday, January 09, 2005 4:33 AM
Subject: RE: Deny ARP Catalyst

> VLAN ACCESS-MAP (VACL)
>
> 0050.3eef.6260 = arp challenged host ( or soon to be )
>
> 0x806 0x0 = IP_ARP
>
> mac access-list extended DENY_ARP
> permit host 0050.3eef.6260 any 0x806 0x0
> !
> !
> vlan access-map DENY_MAC 10
> action drop
> match mac address DENY_ARP
> vlan access-map DENY_MAC 20
> action forward
> vlan filter DENY_MAC vlan-list 1
>
> ...someone correct me if I've made a mistake.
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1176911
>
> HTH
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Elson Burrao
> Sent: Sunday, January 09, 2005 3:05 PM
> To: ccielab@groupstudy.com
> Subject: Deny ARP Catalyst
>
> Hello All,
>
> How can I deny arp requests from a specific host? On the 3560 I do have the
> "arp access-list" command, but I couldn't find anything on the 3550.
>
> Any input will be very much appreciated
>
> Thanks
>
> E
>
>

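Tim's frame-type reasoning and Al's DENY_MAC access-map, modelled as an added example that is not from the thread or from Cisco: it parses constructed Ethernet frames, evaluates the mac access-list entry and the VLAN access-map sequences, and contrasts that with the same ACL applied as a port ACL, where (as the thread says) IP frames are not evaluated at all. The frames, the payload bytes and the second host address 0011.2233.4455 are constructed for the example.

```python
"""Model of the 3550 VACL from the thread: classify Ethernet frames by
EtherType and run them through the DENY_MAC vlan access-map."""
import struct

ETHERTYPE_IP = 0x0800   # IP: a MAC ACL on an L2 port does not see it (per the thread)
ETHERTYPE_ARP = 0x0806  # ARP: non-IP, so a MAC ACL can match it

def mac_to_cisco(raw: bytes) -> str:
    """Render 6 raw bytes as Cisco dotted hex, e.g. 0050.3eef.6260."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def parse_frame(frame: bytes) -> dict:
    """Pull dst, src and EtherType out of an Ethernet II header."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_cisco(dst), "src": mac_to_cisco(src), "ethertype": etype}

def ace_matches(ace: dict, hdr: dict) -> bool:
    """One 'permit host <src> any <type> <mask>' entry; mask bits set to 1 are wildcards,
    so the 0x0 mask in the thread means an exact EtherType match."""
    src_ok = ace["src"] in ("any", hdr["src"])
    type_ok = (hdr["ethertype"] & ~ace["mask"]) == (ace["ethertype"] & ~ace["mask"])
    return src_ok and type_ok

# mac access-list extended DENY_ARP / permit host 0050.3eef.6260 any 0x806 0x0
DENY_ARP = [{"src": "0050.3eef.6260", "ethertype": 0x806, "mask": 0x0}]

# vlan access-map DENY_MAC: seq 10 drops what DENY_ARP matches, seq 20 forwards the rest
DENY_MAC = [(10, "drop", DENY_ARP), (20, "forward", None)]

def vacl_action(frame: bytes, access_map=DENY_MAC) -> str:
    """First matching sequence decides; a sequence with no match clause matches all."""
    hdr = parse_frame(frame)
    for _seq, action, acl in access_map:
        if acl is None or any(ace_matches(a, hdr) for a in acl):
            return action
    return "drop"  # implicit deny if no sequence matches

def port_acl_action(frame: bytes, acl=DENY_ARP) -> str:
    """Same ACL as a port ACL on an L2 interface: IP frames bypass it, non-IP frames
    hit the permit entry and otherwise the implicit deny (note the inverted effect)."""
    hdr = parse_frame(frame)
    if hdr["ethertype"] == ETHERTYPE_IP:
        return "forward (IP, MAC ACL not applied)"
    return "permit" if any(ace_matches(a, hdr) for a in acl) else "deny (implicit)"

def build_frame(src: str, ethertype: int) -> bytes:
    """Constructed test frame: broadcast dst, given src and EtherType, dummy payload."""
    src_raw = bytes.fromhex(src.replace(".", ""))
    return b"\xff" * 6 + src_raw + struct.pack("!H", ethertype) + b"\x00" * 28
```

The contrast between `vacl_action` and `port_acl_action` is the point of the thread: the same DENY_ARP list drops the host's ARP only because the VLAN map's action is drop, while as a port ACL it would permit that ARP and drop every other non-IP frame.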



This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:21 GMT-3