From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Mon Jan 10 2005 - 11:51:13 GMT-3
> BTW, can you confirm that there's no way to filter arp with an ip acl?
ARP is not an IP protocol, so no.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Monday, January 10, 2005 8:39 AM
> To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
> Subject: Re: Deny ARP Catalyst - Potential Problem
>
> Hi Al,
>
> I think I was thinking about this arp filtering the wrong way.
>
> My initial thinking was that if an arp request is being done to resolve the mac address for an ip address, a mac acl couldn't be used because mac acl's applied to an L2 port on a 3550 don't work for ip traffic.
>
> But, now I think that logic is wrong because even though the arp is for resolving an ip address, an arp packet isn't also an ip packet. Therefore, when a mac acl is used to filter arp's on a 3550, the 3550 doesn't know that the arp request is for resolving an ip address - assuming the 3550 doesn't look inside the arp packet. My assumption is that the 3550 looks at the frame type field inside the ethernet header, sees that the frame is arp, 0x806, and filters the frame.
>
> My guess is that if the frame type field of an ethernet frame is 0x800, ip, only then will a mac acl not work. Do you agree?
>
> I don't know why the 3550 would work this way, but I'm going to try to figure out how to test this theory. If I succeed, I'll let you know what I find.
>
> BTW, can you confirm that there's no way to filter arp with an ip acl?
>
> Thanks, Tim
>
>
> ----- Original Message -----
> From: <alsontra@hotmail.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; <alsontra@hotmail.com>; "'Elson
> Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
> Sent: Sunday, January 09, 2005 10:42 AM
> Subject: RE: Deny ARP Catalyst - Potential Problem
>
>
>
> Hi Tim,
>
> You are correct. As I understand it MAC access-lists on the 3550 only affect non-ip traffic. I have the following sources:
>
> 1. 3550 configuration guide:
>
> "With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface."
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1140852
>
> 2. Internetworkexperts Solution Guide.
>
> If I can paraphrase it, "MAC access-lists only affect non-IP traffic". Refer to Lab 12 task 1.14.
>
>
> 3. I've tried!!! :-) It don't work.
>
>
> The only way to stop IP by mac is to black hole it into a down/down interface with a static mac entry or VACL (or at least that's my understanding), e.g.
>
> mac-address-table static 1111.1111.1111 vlan 1 interface gi 0/1
> OR
> mac-address-table static 1444.9911.1200 vlan 1 drop
>
> Perhaps the ARP gods will chime in....
>
> HTH
> Al
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Sunday, January 09, 2005 7:08 PM
> To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
> Subject: Re: Deny ARP Catalyst - Potential Problem
>
> Al,
>
> That's incredible. But, let me make sure I understand you correctly.
>
> So, a mac acl which denies arp won't work for ip traffic if it's just applied to an L2 port.
>
> But, that same mac acl when used as part of a VACL will work.
>
> Is that what you're saying?
>
> If that's true, it's a good thing we talked about this.
>
> Thanks, Tim
> ----- Original Message -----
> From: <alsontra@hotmail.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Elson Burrao'"
> <eburrao@yahoo.com>;
> <ccielab@groupstudy.com>
> Sent: Sunday, January 09, 2005 6:57 AM
> Subject: RE: Deny ARP Catalyst - Potential Problem
>
>
> Tim,
>
> I labbed this before I posted the VACL configuration, I had the same MAC ACL epiphany. I believe what you're speaking of is in reference to mac-access-list applied to L2 switch ports. VACLs are benevolent! ;-)
>
>
> VACLs can filter Lsap, Ethertype, IP, etc. I'll send you the configuration and verification if you like. Or better yet, you could try it yourself. There are numerous caveats to the placement of MAC-ACL on the 3550.
>
> In particular:
>
> "You cannot apply an ACL to a Layer 2 interface on a switch if the switch has an input Layer 3 ACL or a VLAN map applied to it. An error message is generated if you attempt to do so. You can apply an ACL to a Layer 2 interface if the switch has output Layer 3 ACLs applied.
>
> A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one."
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1046692
>
> HTH
> Al
>
>
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Sunday, January 09, 2005 5:39 PM
> To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
> Subject: Re: Deny ARP Catalyst - Potential Problem
>
> Hey guys,
>
> This just occurred to me.
>
> According to the 3550 CG, mac acl's can't be used to filter ip traffic, only non-ip traffic. That being the case, how would we filter arp's for ip traffic on a 3550, assuming that's possible?
>
> TIA, Tim
> ----- Original Message -----
> From: <alsontra@hotmail.com>
> To: "'Elson Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
> Sent: Sunday, January 09, 2005 4:33 AM
> Subject: RE: Deny ARP Catalyst
>
>
> > VLAN ACCESS-MAP (VACL)
> >
> > 0050.3eef.6260 = arp challenged host ( or soon to be )
> >
> > 0x806 0x0 = IP_ARP
> >
> > mac access-list extended DENY_ARP
> > permit host 0050.3eef.6260 any 0x806 0x0
> > !
> > !
> > vlan access-map DENY_MAC 10
> > action drop
> > match mac address DENY_ARP
> > vlan access-map DENY_MAC 20
> > action forward
> > vlan filter DENY_MAC vlan-list 1
> >
> > ...someone correct me if I've made a mistake...
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1176911
> >
> > HTH
> > Al
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Elson Burrao
> > Sent: Sunday, January 09, 2005 3:05 PM
> > To: ccielab@groupstudy.com
> > Subject: Deny ARP Catalyst
> >
> > Hello All,
> >
> > How can I deny arp requests from a specific host? On the 3560 I do have the "arp access-list" command, but I couldn't find anything on the 3550.
> >
> > Any input will be very much appreciated
> >
> > Thanks
> >
> > E
> >
> >
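Al's DENY_ARP MAC ACL and DENY_MAC access-map, modelled here as an added example in Python (not code from the thread, Cisco or Internetwork Expert) to show why the thread's conclusion holds: a MAC ACL sees only the Ethernet header, so it catches the host's ARP frames (type 0x806) while an IP ACL, which is only evaluated against type 0x800 frames, never sees ARP at all. The broadcast and 0011.2233.4455 addresses are constructed sample values.

```python
import struct

# Added example, not from the thread or Cisco: a model of how a Catalyst MAC ACL
# matches on the Ethernet header alone, so "permit host <mac> any 0x806 0x0"
# catches that host's ARP frames while an IP ACL never sees them (ARP is not IP).
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806

def mac_bytes(dotted):
    """Cisco dotted MAC ('0050.3eef.6260') -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))

def build_frame(dst, src, ethertype, payload=b""):
    """Assemble a minimal Ethernet II frame from constructed sample values."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return the only fields a MAC ACL can inspect: dst, src and the type field."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return frame[:6], frame[6:12], ethertype

# MAC ACL DENY_ARP from the thread: permit host 0050.3eef.6260 any 0x806 0x0
# (source host, any destination, ethertype 0x806 with mask 0x0, i.e. exact match).
DENY_ARP = [{"src": mac_bytes("0050.3eef.6260"), "dst": None, "type": 0x806, "mask": 0x0}]

def mac_acl_permits(acl, frame):
    """First matching ACE wins; a MAC ACL ends with an implicit deny."""
    dst, src, ethertype = parse_frame(frame)
    for ace in acl:
        if ace["src"] is not None and ace["src"] != src:
            continue
        if ace["dst"] is not None and ace["dst"] != dst:
            continue
        # In the type/mask pair, set mask bits are "don't care" bits.
        if (ethertype | ace["mask"]) != (ace["type"] | ace["mask"]):
            continue
        return True
    return False

def vacl_action(frame):
    """vlan access-map DENY_MAC: seq 10 drops what DENY_ARP matches, seq 20 forwards."""
    return "drop" if mac_acl_permits(DENY_ARP, frame) else "forward"

def ip_acl_sees(frame):
    """An IP ACL is only evaluated against frames that carry an IP header."""
    return parse_frame(frame)[2] == ETHERTYPE_IP

# Constructed sample traffic; 0011.2233.4455 is an assumed peer address.
ARP_FROM_HOST = build_frame("ffff.ffff.ffff", "0050.3eef.6260", ETHERTYPE_ARP)
IP_FROM_HOST = build_frame("0011.2233.4455", "0050.3eef.6260", ETHERTYPE_IP)
ARP_FROM_PEER = build_frame("ffff.ffff.ffff", "0011.2233.4455", ETHERTYPE_ARP)
```

Calling `vacl_action` on the three frames gives drop, forward, forward: only the host's ARP is dropped, its IP traffic passes the MAC ACL untouched, and `ip_acl_sees` is False for both ARP frames.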
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:21 GMT-3