RE: mac-address access-list extended - FILTER IP

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Mon Dec 12 2005 - 23:36:47 GMT-3


That is because ARP uses a different Ethernet type code than IP. IP is
0x800 and ARP is 0x806.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

 -----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gustavo Novais
Sent: Monday, December 12, 2005 11:20 AM
To: san; ccielab@groupstudy.com
Subject: RE: mac-address access-list extended - FILTER IP

Hello

Although the option for 0x800 is not there explicitly, you might
configure it yourself.

The tests that I've done show that, even configuring it, the IP packets
are ignored by this ACL.
Nevertheless, the ARP packets are not... so proceed with caution.
 

Gustavo Novais

-----Original Message-----
From: san [mailto:san.study@gmail.com]
Sent: Monday, 12 December 2005 19:15
To: Gustavo Novais
Subject: Re: mac-address access-list extended - FILTER IP

MAC access-list options do not have EtherType 0x800 (IP)... see
below. But let me know if it works.

{deny | permit} {any | host source MAC address | source MAC address
mask} {any | host destination MAC address | destination MAC address
mask} [type mask | lsap lsap mask | aarp | amber | dec-spanning |
decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat |
lavc-sca | mop-console | mop-dump | msdos | mumps | netbios |
vines-echo |vines-ip | xns-idp | 0-65535] [cos cos]

/SAN

On 12/12/05, Gustavo Novais <gustavo.novais@novabase.pt> wrote:
> Hi,
>
> One doubt concerning mac-address ACLs on the 3550.
>
> According to
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1177176
>
> You can filter non-IP traffic on a VLAN and on a physical Layer 2
> interface by using MAC addresses and named MAC extended ACLs. The
> procedure is similar to that of configuring other extended named ACLs.
>
> What if you define on the mac-access-list that you wish to deny
> ethertype 0x800 (IP)?
>
> My doubt arises from the previous email I've sent concerning a vlan map
> on which you had to allow "useful protocols", and the solution guide
> used an IP access-list on one vlan access-map statement to allow IP and
> a mac access-list to allow the remaining layer 2 protocols.
>
> I'll lab it up, but I'm interested in any contributions.
>
> TIA
>
> Gustavo Novais
>
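The behaviour the thread converges on, written out as an added example (this is not code from the thread, from GroupStudy or from Cisco): the switch classifies each frame by its EtherType, IP frames (0x0800) are checked only against the IP ACL clauses of a VLAN access-map, and every other frame, ARP (0x0806) included, only against the MAC ACL clauses. That is why a MAC ACL entry naming 0x800 never sees an IP packet while an entry naming 0x806 does catch ARP. The ACL and access-map syntax is simplified to dataclasses, the MAC and IP addresses are constructed, and the map defaults used here (forward when the map has no clause for the packet's type, drop when it has one and nothing matches) are taken from Cisco's VLAN map documentation; confirm them on the platform you run.

```python
"""Model of Catalyst 3550 VLAN access-map classification (added example).

IP frames (EtherType 0x0800) are matched only against the IP ACL clauses
of a map; all other frames only against the MAC ACL clauses.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETYPE_IP, ETYPE_ARP, ETYPE_8021Q = 0x0800, 0x0806, 0x8100


def parse_ethernet(frame: bytes) -> Tuple[str, str, int, bytes]:
    """Return (dst_mac, src_mac, ethertype, payload); skips one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if etype == ETYPE_8021Q:          # tagged: the real EtherType follows the TCI
        (etype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return dst, src, etype, frame[offset:]


@dataclass
class MacEntry:                       # {permit|deny} src dst [ethertype]
    permit: bool
    src: str = "any"
    dst: str = "any"
    etype: Optional[int] = None       # None = any EtherType


@dataclass
class IpEntry:                        # {permit|deny} src-prefix dst-prefix
    permit: bool
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"


@dataclass
class Clause:                         # one vlan access-map entry
    action: str                       # "forward" or "drop"
    kind: str                         # "ip" or "mac" (which ACL type it matches)
    acl: list


def mac_acl_permits(entries: List[MacEntry], src: str, dst: str, etype: int) -> bool:
    """First matching entry decides; falling off the end is the implicit deny."""
    for e in entries:
        if (e.src in ("any", src) and e.dst in ("any", dst)
                and (e.etype is None or e.etype == etype)):
            return e.permit
    return False


def ip_acl_permits(entries: List[IpEntry], payload: bytes) -> bool:
    """Match an IPv4 header's source/destination against prefix entries."""
    if len(payload) < 20:
        return False
    src = ipaddress.ip_address(payload[12:16])
    dst = ipaddress.ip_address(payload[16:20])
    for e in entries:
        if src in ipaddress.ip_network(e.src) and dst in ipaddress.ip_network(e.dst):
            return e.permit
    return False


def vlan_map_lookup(vlan_map: List[Clause], frame: bytes) -> str:
    """Return "forward" or "drop" for one frame passing through the map."""
    dst, src, etype, payload = parse_ethernet(frame)
    family = "ip" if etype == ETYPE_IP else "mac"
    # Only clauses of the frame's own family are consulted: a MAC ACL entry
    # that names EtherType 0x0800 is therefore never evaluated for IP packets.
    clauses = [c for c in vlan_map if c.kind == family]
    if not clauses:
        return "forward"              # no clause for this packet type: forward
    for c in clauses:
        permitted = (ip_acl_permits(c.acl, payload) if c.kind == "ip"
                     else mac_acl_permits(c.acl, src, dst, etype))
        if permitted:                 # an ACL permit means the clause matches
            return c.action
    return "drop"                     # clauses of this type exist, none matched


# Constructed sample traffic: two made-up hosts on the same VLAN.
H1, H2 = bytes.fromhex("001122334401"), bytes.fromhex("001122334402")


def ipv4_frame(src_ip: str, dst_ip: str) -> bytes:
    """Untagged Ethernet frame carrying a minimal (option-less) IPv4 header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    return H2 + H1 + struct.pack("!H", ETYPE_IP) + hdr


def arp_frame() -> bytes:
    return b"\xff" * 6 + H1 + struct.pack("!H", ETYPE_ARP) + b"\x00" * 28


# Gustavo's experiment: a MAC ACL that denies both 0x800 and 0x806 in one map.
MAP_EXPERIMENT = [Clause("forward", "mac", [MacEntry(False, etype=ETYPE_IP),
                                            MacEntry(False, etype=ETYPE_ARP),
                                            MacEntry(True)])]
# Solution-guide style: IP ACL handles IP, MAC ACL allows the remaining L2 protocols.
MAP_SPLIT = [Clause("forward", "ip", [IpEntry(True, "10.0.0.0/24", "0.0.0.0/0")]),
             Clause("forward", "mac", [MacEntry(True, etype=ETYPE_ARP)])]

if __name__ == "__main__":
    for name, vmap in (("experiment", MAP_EXPERIMENT), ("split", MAP_SPLIT)):
        print(name, "ip:", vlan_map_lookup(vmap, ipv4_frame("10.0.0.1", "10.0.0.2")),
              "arp:", vlan_map_lookup(vmap, arp_frame()))
```

Running it shows the two observations from the thread side by side: under MAP_EXPERIMENT the IP frame is forwarded because the map has no IP clause and the MAC ACL's 0x800 entry is never consulted, while the ARP frame is dropped by the 0x806 entry; under MAP_SPLIT an IP packet from outside 10.0.0.0/24 is dropped by the IP clause and a non-IP, non-ARP frame is dropped by the MAC clause. The practical caveat behind "proceed with caution" is that dropping ARP while forwarding IP still kills IP on the segment, because hosts can no longer resolve their neighbours' MAC addresses.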



This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:51 GMT-3