Block ARP on 3550

From: gladston@br.ibm.com
Date: Fri Sep 02 2005 - 10:44:21 GMT-3


I think there is something not exactly correct in this DOC:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Any comments appreciated.

Tests show it does not work as stated. It says a filter like...

permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0

...would block communication between these two hosts. But it does not. And that is logical considering the statement on other Docs that says a mac filter only filters non-IP packets. But that is not totally right, either. Tests show that "permit host 0000.0c14.b912 any 0x806 0x0" blocks the communication.

I have the impression that "permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0" would not work because the ARP request is sent to 0000.0000.0000, as shown here:

=======================================================================
Sep 2 06:22:27: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:22:27: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:22:27: IP ARP: rcvd rep src 148.5.15.1 0010.7bdb.7e40, dst 148.5.15.9 Ethernet0.500
Sep 2 06:22:27: IP ARP: rcvd rep src 148.5.15.1 0010.7bdb.7e40, dst 148.5.15.9 Ethernet0.500.!!!!
=======================================================================

Tests:

This blocks communication between router BB1 (0000.0c14.b912) and the other routers (R5 and R1):

mac access-list extended Block-mac
 permit host 0000.0c14.b912 any 0x806 0x0

bb1#pi 148.5.15.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.5.15.5, timeout is 2 seconds:

Sep 2 06:21:14: IP ARP: creating incomplete entry for IP address: 148.5.15.5 interface Ethernet0.500
Sep 2 06:21:14: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500
Sep 2 06:21:14: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:16: IP ARP throttled out the ARP Request for 148.5.15.5.
Sep 2 06:21:18: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500
Sep 2 06:21:18: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:20: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500
Sep 2 06:21:20: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:22: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500
Sep 2 06:21:22: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.5 0000.0000.0000 Ethernet0.500.
Success rate is 0 percent (0/5)

bb1#pi 148.5.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.5.15.1, timeout is 2 seconds:

Sep 2 06:20:59: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:20:59: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:01: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:21:01: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:03: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:21:03: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:05: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:21:05: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500.
Sep 2 06:21:07: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:21:07: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500.
Success rate is 0 percent (0/5)

But if specifying a destination MAC (R1), as the example shows, it does not block anything:

mac access-list extended Block-mac
no permit host 0000.0c14.b912 an 0x806 0x000
permit host 0000.0c14.b912 host 0010.7bdb.7e40 0x806 0x0

bb1#pi 148.5.15.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.5.15.1, timeout is 2 seconds:

Sep 2 06:22:27: IP ARP: creating incomplete entry for IP address: 148.5.15.1 interface Ethernet0.500
Sep 2 06:22:27: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:22:27: IP ARP: sent req src 148.5.15.9 0000.0c14.b912,
                 dst 148.5.15.1 0000.0000.0000 Ethernet0.500
Sep 2 06:22:27: IP ARP: rcvd rep src 148.5.15.1 0010.7bdb.7e40, dst 148.5.15.9 Ethernet0.500
Sep 2 06:22:27: IP ARP: rcvd rep src 148.5.15.1 0010.7bdb.7e40, dst 148.5.15.9 Ethernet0.500.!!!!

This is the complete configuration:

mac access-list extended Block-mac
 permit host 0000.0c14.b912 host 0010.7bdb.7e40 0x806 0x0
!
vlan access-map Filter-based-on-mac 10
 action drop
 match mac address Block-mac
vlan access-map Filter-based-on-mac 20
 action forward
vlan filter Filter-based-on-mac vlan-list 60
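As an added illustration (not part of the post), here is a small Python model of how the two ACL entries discussed above match against the Ethernet headers of the ARP exchange between BB1 and R1. It assumes the VACL matches source/destination MAC and EtherType from the Ethernet header, that an ARP request carries the broadcast destination ffff.ffff.ffff (the 0000.0000.0000 in the debug is the target hardware address inside the ARP payload), and that the reply travels from R1 back to BB1.

```python
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"   # Ethernet destination of every ARP request
ARP = 0x806

@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int

@dataclass(frozen=True)
class MacAce:
    """One 'permit host <src> {host <dst>|any} <ethertype> <mask>' entry."""
    src: str
    dst: str          # a MAC, or "any"
    ethertype: int
    mask: int = 0x0   # bits set in the mask are don't-care; 0x0 = exact match

    def matches(self, f: Frame) -> bool:
        return (f.src == self.src
                and (self.dst == "any" or f.dst == self.dst)
                and (f.ethertype | self.mask) == (self.ethertype | self.mask))

def dropped_by_vacl(acl: list, f: Frame) -> bool:
    """The VLAN map drops on any match and forwards everything else."""
    return any(ace.matches(f) for ace in acl)

# MACs of BB1 and R1 from the post; the two frames are constructed.
BB1, R1 = "0000.0c14.b912", "0010.7bdb.7e40"
ARP_REQUEST = Frame(src=BB1, dst=BROADCAST, ethertype=ARP)  # who has 148.5.15.1?
ARP_REPLY = Frame(src=R1, dst=BB1, ethertype=ARP)           # 148.5.15.1 is at R1

HOST_TO_ANY = [MacAce(BB1, "any", ARP)]   # 'permit host BB1 any 0x806 0x0'
HOST_TO_HOST = [MacAce(BB1, R1, ARP)]     # 'permit host BB1 host R1 0x806 0x0'

def exchange_blocked(acl: list) -> bool:
    """ARP resolution fails if either leg of the exchange is dropped."""
    return dropped_by_vacl(acl, ARP_REQUEST) or dropped_by_vacl(acl, ARP_REPLY)

if __name__ == "__main__":
    for name, acl in (("host/any", HOST_TO_ANY), ("host/host", HOST_TO_HOST)):
        print(f"{name}: request dropped={dropped_by_vacl(acl, ARP_REQUEST)}, "
              f"reply dropped={dropped_by_vacl(acl, ARP_REPLY)}, "
              f"resolution blocked={exchange_blocked(acl)}")
```

Under these assumptions the host/any entry drops the broadcast request, while the host/host entry matches neither the request (broadcast destination) nor the reply (reverse direction), so resolution succeeds.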


