RE: mac-address access-list extended - FILTER IP

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Mon Dec 12 2005 - 16:19:58 GMT-3


Hello

Although the option for 0x800 is not there explicitly, you might
configure it yourself.

The tests that I've done show that, even configuring it, the IP packets
are ignored by this ACL.
Nevertheless the ARP packets are not... so proceed with caution.
 

Gustavo Novais

-----Original Message-----
From: san [mailto:san.study@gmail.com]
Sent: Monday, 12 December 2005 19:15
To: Gustavo Novais
Subject: Re: mac-address access-list extended - FILTER IP

MAC access-list options do not have ethertype 0x800 (IP)... see
below... But let me know if it works.

{deny | permit} {any | host source MAC address | source MAC address
mask} {any | host destination MAC address | destination MAC address
mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning |
decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat |
lavc-sca | mop-console | mop-dump | msdos | mumps | netbios |
vines-echo | vines-ip | xns-idp | 0-65535] [cos cos]

/SAN

On 12/12/05, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> Hi,
>
> One doubt concerning mac-address ACL on 3550.
>
>
>
> According to
>
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1177176
>
>
>
> You can filter non-IP traffic on a VLAN and on a physical Layer 2
> interface by using MAC addresses and named MAC extended ACLs. The
> procedure is similar to that of configuring other extended named ACLs.
>
>
>
> What if you define on the mac-access-list that you wish to deny
> ethertype 0x800 (IP)?
>
>
>
> My doubt arises from the previous email I've sent concerning a vlan map
> on which you had to allow "useful protocols", and the solution guide
> used an IP access-list on one vlan access-map statement to allow IP and
> a mac access-list to allow the remaining layer 2 protocols.
>
>
>
> I'll lab it up, but I'm interested in any contributions
>
>
>
>
>
> TIA
>
> Gustavo Novais
>
>

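The split discussed in this thread, as an added example that is not part of the original posts: a VLAN map that forwards IP through an IP ACL clause and the remaining Layer 2 protocols through a MAC ACL clause. The ACL names, the map name and VLAN 10 are assumptions chosen for illustration.

```cisco
! Added example. ACL names, map name and VLAN 10 are assumptions.
!
! IP traffic is classified by the IP ACL clause of the VLAN map.
ip access-list extended VMAP-IP
 permit ip any any
!
! Non-IP traffic is classified by the MAC ACL clause.
! 0x806 is the ARP ethertype; mask 0x0 means exact match.
! The ARP line is shown explicitly; the line after it would also cover ARP.
mac access-list extended VMAP-L2
 permit any any 0x806 0x0
 permit any any
!
! A "deny any any 0x800 0x0" line can be entered in a MAC ACL, but per
! the test reported at the top of this thread it does not match IP
! packets, so IP has to be handled in VMAP-IP instead.
!
vlan access-map USEFUL-PROTOCOLS 10
 match ip address VMAP-IP
 action forward
vlan access-map USEFUL-PROTOCOLS 20
 match mac address VMAP-L2
 action forward
!
vlan filter USEFUL-PROTOCOLS vlan-list 10
```

After applying, `show vlan access-map` and `show vlan filter` confirm which clauses exist and which VLANs the map is attached to.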

