From: Balaji Siva (bsivasub@gmail.com)
Date: Wed Jan 19 2005 - 01:19:35 GMT-3
If you feel the documentation is not clear, you should use the
feedback button on the top menu to send feedback. It would be looked
at.
This applies to any document with a feedback button on cisco.com.
On Tue, 11 Jan 2005 08:35:31 -0600, alsontra@hotmail.com
<alsontra@hotmail.com> wrote:
> Tim,
> I think there may be an error in your logic.
>
> >an arp packet isn't also an ip packet.
>
> I think not. IP ACL cannot identify ether-type. And the 3550 does not allow
> IP_ARP filtering on L2 ports with MAC-ACL. If you have the IE workbook check
> out the task that I previously mentioned. You might also reread the very
> cryptic 3550 ACL guide. Every once in a while I wish Cisco would just
> state things more plainly.
>
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Monday, January 10, 2005 8:39 AM
> To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
> Subject: Re: Deny ARP Catalyst - Potential Problem
>
> Hi Al,
>
> I think I was thinking about this arp filtering the wrong way.
>
> My initial thinking was that if an arp request is being done to resolve
> the mac address for an ip address, a mac acl couldn't be used because
> mac acl's applied to a L2 port on a 3550 don't work for ip traffic.
>
> But, now I think that logic is wrong because even though the arp is for
> resolving an ip address, an arp packet isn't also an ip packet. Therefore,
> when a mac acl is used to filter arp's on a 3550, the 3550 doesn't know
> that the arp request is for resolving an ip address - assuming the 3550
> doesn't look inside the arp packet. My assumption is that the 3550 looks
> at the frame type field inside the ethernet header, sees that the frame
> is arp, 0x806, and filters the frame.
>
> My guess is that if the frame type field of an ethernet frame is 0x800, ip,
> only then will a mac acl not work. Do you agree?
>
> I don't know why the 3550 would work this way, but I'm going to try to
> figure out how to test this theory. If I succeed, I'll let you know what I
> find.
>
> BTW, can you confirm that there's no way to filter arp with an ip acl?
>
> Thanks, Tim
>
> ----- Original Message -----
> From: <alsontra@hotmail.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; <alsontra@hotmail.com>; "'Elson
> Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
> Sent: Sunday, January 09, 2005 10:42 AM
> Subject: RE: Deny ARP Catalyst - Potential Problem
>
> Hi Tim,
>
> You are correct. As I understand it, MAC access-lists on the 3550 only
> affect non-ip traffic. I have the following sources:
>
> 1. 3550 configuration guide:
>
> "With port ACLs, you can filter IP traffic by using IP access lists and
> non-IP traffic by using MAC addresses. You can filter both IP and non-IP
> traffic on the same Layer 2 interface by applying both an IP access list and
> a MAC access list to the interface."
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1140852
>
> 2. Internetworkexperts Solution Guide.
>
> If I can paraphrase it, "MAC access-lists only affect non-IP traffic".
> Refer to Lab 12 task 1.14.
>
> 3. I've tried!!! :-) It don't work.
>
> The only way to stop IP by mac is to black hole it into a down/down
> interface with a static mac entry or VACL. (or at least that's my
> understanding) e.g.
>
> mac-address-table static 1111.1111.1111 vlan 1 interface gi 0/1
> OR
> mac-address-table static 1444.9911.1200 vlan 1 drop
>
> Perhaps the ARP gods will chime in....
>
> HTH
> Al
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Sunday, January 09, 2005 7:08 PM
> To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
> Subject: Re: Deny ARP Catalyst - Potential Problem
>
> Al,
>
> That's incredible. But, let me make sure I understand you correctly.
>
> So, a mac acl which denies arp won't work for ip traffic if it's just
> applied to L2 port.
>
> But, that same mac acl when used as part of a VACL will work.
>
> Is that what you're saying?
>
> If that's true, it's a good thing we talked about this.
>
> Thanks, Tim
> ----- Original Message -----
> From: <alsontra@hotmail.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Elson Burrao'" <eburrao@yahoo.com>;
> <ccielab@groupstudy.com>
> Sent: Sunday, January 09, 2005 6:57 AM
> Subject: RE: Deny ARP Catalyst - Potential Problem
>
> Tim,
>
> I labbed this before I posted the VACL configuration, I had the same MAC ACL
> epiphany. I believe what you're speaking of is in reference to
> mac-access-list applied to L2 switch ports. VACLs are benevolent! ;-)
>
> VACLs can filter Lsap, Ethertype, IP, etc. I'll send you the configuration
> and verification if you like. Or better yet, you could try it yourself.
> There are numerous caveats to the placement of MAC-ACL on the 3550.
>
> In particular:
>
> "You cannot apply an ACL to a Layer 2 interface on a switch if the switch
> has an input Layer 3 ACL or a VLAN map applied to it. An error message is
> generated if you attempt to do so. You can apply an ACL to a Layer 2
> interface if the switch has output Layer 3 ACLs applied.
>
> A Layer 2 interface can have only one MAC access list. If you apply a MAC
> access list to a Layer 2 interface that has a MAC ACL configured, the new
> ACL replaces the previously configured one. "
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1046692
>
> HTH
> Al
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Sunday, January 09, 2005 5:39 PM
> To: alsontra@hotmail.com; 'Elson Burrao'; ccielab@groupstudy.com
> Subject: Re: Deny ARP Catalyst - Potential Problem
>
> Hey guys,
>
> This just occurred to me.
>
> According to the 3550 CG, mac acl's can't be used to filter ip traffic,
> only non-ip traffic. That being the case, how would we filter arp's for
> ip traffic on a 3550, assuming that's possible?
>
> TIA, Tim
> ----- Original Message -----
> From: <alsontra@hotmail.com>
> To: "'Elson Burrao'" <eburrao@yahoo.com>; <ccielab@groupstudy.com>
> Sent: Sunday, January 09, 2005 4:33 AM
> Subject: RE: Deny ARP Catalyst
>
> > VLAN ACCESS-MAP (VACL)
> >
> > 0050.3eef.6260 = arp challenged host ( or soon to be )
> >
> > 0x806 0x0 = IP_ARP
> >
> > mac access-list extended DENY_ARP
> > permit host 0050.3eef.6260 any 0x806 0x0
> > !
> > !
> > vlan access-map DENY_MAC 10
> > action drop
> > match mac address DENY_ARP
> > vlan access-map DENY_MAC 20
> > action forward
> > vlan filter DENY_MAC vlan-list 1
> >
> > ...someone correct me if I've made a mistake...
> >
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12120ea2/3550scg/swacl.htm#wp1176911
> >
> > HTH
> > Al
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Elson Burrao
> > Sent: Sunday, January 09, 2005 3:05 PM
> > To: ccielab@groupstudy.com
> > Subject: Deny ARP Catalyst
> >
> > Hello All,
> >
> > How can I deny arp requests from a specific host? On the 3560 I do have
> > the "arp access-list" command, but I couldn't find anything on the 3550.
> >
> > Any input will be very much appreciated
> >
> > Thanks
> >
> > E
> >
> >
> > ---------------------------------
> > Do you Yahoo!?
> > The all-new My Yahoo! Get yours free!
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.725 / Virus Database: 480 - Release Date: 7/19/2004
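The thread's core point is that ARP is identified by its Ethertype (0x806) in the Ethernet header, not by anything at the IP layer, which is why a MAC ACL matched by a VACL can drop it while an IP ACL never sees it. The script below is an added illustration, not code from the thread or from Cisco: it parses the Ethernet header of constructed frames (with or without an 802.1Q tag), models the DENY_ARP / DENY_MAC configuration Al posted with Cisco's first-match and implicit-deny semantics, and contrasts that with a port MAC ACL as the thread describes it (IP frames not evaluated at all). The ACE/mask semantics, the frames, and the port-ACL model are assumptions made for the example and were not verified against a switch.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_8021Q = 0x8100


def fmt_mac(raw: bytes) -> str:
    """Render six raw bytes in Cisco dotted-hex notation, e.g. 0050.3eef.6260."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype); skips a single 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        etype = struct.unpack("!H", frame[16:18])[0]  # real Ethertype follows TPID+TCI
    return fmt_mac(dst), fmt_mac(src), etype


@dataclass
class MacAce:
    """One line of 'mac access-list extended', e.g. 'permit host X any 0x806 0x0'."""
    permit: bool
    src: str          # dotted-hex MAC or "any" (assumed model of the ACE)
    ethertype: int
    mask: int         # assumed Cisco wildcard semantics: a set bit means "don't care"

    def matches(self, src_mac: str, ethertype: int) -> bool:
        if self.src != "any" and self.src != src_mac:
            return False
        care = ~self.mask & 0xFFFF
        return (ethertype & care) == (self.ethertype & care)


def mac_acl_permits(acl, src_mac: str, ethertype: int) -> bool:
    """First-match evaluation with the implicit 'deny any any' at the end."""
    for ace in acl:
        if ace.matches(src_mac, ethertype):
            return ace.permit
    return False


def vacl_action(access_map, acl_table, src_mac: str, ethertype: int) -> str:
    """Walk the sequences of a 'vlan access-map'; a sequence without a match
    clause matches everything, and no matching sequence at all means drop."""
    for seq in access_map:
        acl_name = seq.get("match_mac")
        if acl_name is None or mac_acl_permits(acl_table[acl_name], src_mac, ethertype):
            return seq["action"]
    return "drop"


def port_mac_acl_action(acl, src_mac: str, ethertype: int) -> str:
    """Port (L2 interface) MAC ACL as the thread describes it: IP frames are not
    evaluated; non-IP frames get the ACL's permit/deny. Assumption for this
    example only; not verified on hardware."""
    if ethertype == ETHERTYPE_IP:
        return "not-evaluated"
    return "permit" if mac_acl_permits(acl, src_mac, ethertype) else "deny"


# Constructed configuration mirroring the thread's DENY_ARP / DENY_MAC example.
DENY_ARP = [MacAce(True, "0050.3eef.6260", ETHERTYPE_ARP, 0x0)]
ACLS = {"DENY_ARP": DENY_ARP}
DENY_MAC = [
    {"seq": 10, "action": "drop", "match_mac": "DENY_ARP"},
    {"seq": 20, "action": "forward"},
]


def build_frame(dst: str, src: str, ethertype: int, vlan=None) -> bytes:
    """Constructed frame: Ethernet header, optional 802.1Q tag, dummy payload."""
    hdr = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


def classify(frame: bytes) -> str:
    """Decide what the modelled VACL does with a frame."""
    _, src, etype = parse_ethernet(frame)
    return vacl_action(DENY_MAC, ACLS, src, etype)


if __name__ == "__main__":
    samples = {
        "ARP from challenged host": build_frame("ffff.ffff.ffff", "0050.3eef.6260", ETHERTYPE_ARP),
        "tagged ARP from challenged host": build_frame("ffff.ffff.ffff", "0050.3eef.6260", ETHERTYPE_ARP, vlan=1),
        "IP from challenged host": build_frame("0011.2233.4455", "0050.3eef.6260", ETHERTYPE_IP),
        "ARP from another host": build_frame("ffff.ffff.ffff", "0011.2233.4455", ETHERTYPE_ARP),
    }
    for name, frame in samples.items():
        _, src, etype = parse_ethernet(frame)
        print(f"{name:32s} src={src} type=0x{etype:04x} "
              f"vacl={classify(frame)} port-acl={port_mac_acl_action(DENY_ARP, src, etype)}")
```

The last column is the caveat worth noticing: DENY_ARP is written with a `permit` line because the VACL's `action drop` supplies the deny. Applied directly to an L2 port, the same ACL would permit that host's ARP and, through the implicit deny, block every other non-IP frame on the port, while IP frames pass untouched.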
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:24 GMT-3