From: CCIE 4 Me (ccie4me@inbox.lv)
Date: Mon Mar 20 2006 - 01:13:08 GMT-3
Brian,
Was this ever resolved? The IE provided solution in the Vol 3 workbook does not seem to work. At the back of my mind, I know that the CCIE Lab is not going to be this brutal.
Task 1.16
After numerous attempts to get the company's graphics department to migrate their Novell servers to IP, you have decided to configure SW1 and SW2 to only allow IP traffic to transit Vlan 56.
Task 1.17 Use an ACL called IPONLY to accomplish this.
Answer key:
Task 1.16 - 1.17
R5 and R6:
ip access-list extended IPONLY
permit ip any any
!
mac access-list extended IP_ARP
permit any any 0x806 0x0
!
mac access-list extended IEEE_STP
permit any any lsap 0x4242 0x0
!
vlan access-map IPONLY 10
action forward
match ip address IPONLY
!
vlan access-map IPONLY 20
action forward
match mac address IP_ARP
!
vlan access-map IPONLY 30
action forward
match mac address IEEE_STP
!
vlan access-map IPONLY 40
action drop
!
vlan filter IPONLY vlan-list 56
-------
Since the above solution did not work, was this ever resolved? I followed this thread in the IE forum and some of the posts were as far back as 2003; no definite resolution was arrived at.
The only thing that seems to be working for me is:
mac access-list
permit any any 0x806 0x0
permit any host 0100.0ccc.cccd <PVST+ destination mac address>
ip access
permit any any
Since one is running PVST, lsap 0x4242 (802.1d) will not be needed, but PVST+ BPDU uses SNAP 0x10b?????
This archive was generated by hypermail 2.1.4 : Sat Apr 01 2006 - 10:07:39 GMT-3
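
The two filter sets compared in the message above, as an added example that is not part of the original post or the workbook: a simplified Python model that classifies constructed frame headers against the answer-key clauses and the poster's clauses. It assumes PVST+ BPDUs are SNAP-encapsulated (LLC AA-AA-03, OUI 00-00-0C, type 0x010B) and sent to 0100.0ccc.cccd, that IP clauses see only IPv4 frames and MAC clauses only non-IP frames, and it does not reproduce any particular switch's hardware behaviour.

```python
# Simplified model of the VLAN-map logic discussed in the post (assumption:
# IP clauses see only IPv4 frames, MAC clauses see only non-IP frames).
import struct

PVST_MAC = bytes.fromhex("01000ccccccd")   # PVST+ destination from the post
STP_MAC = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address
SRC = bytes.fromhex("00005e005301")        # constructed source address

def frame(dst, type_or_len, payload=b""):
    return dst + SRC + struct.pack("!H", type_or_len) + payload

# Constructed sample frames (headers only, no real payloads).
SAMPLES = {
    "ipv4": frame(b"\xff" * 6, 0x0800),
    "arp": frame(b"\xff" * 6, 0x0806),
    "ieee_stp": frame(STP_MAC, 38, bytes.fromhex("424203")),
    "pvst_plus": frame(PVST_MAC, 50, bytes.fromhex("aaaa0300000c010b")),
    "ipx": frame(b"\xff" * 6, 0x8137),
}

def parse(raw):
    """Return the fields the MAC ACL entries in the post can match on."""
    dst, (tl,) = raw[:6], struct.unpack("!H", raw[12:14])
    if tl >= 0x0600:                       # Ethernet II: field is an EtherType
        return {"dst": dst, "ethertype": tl, "lsap": None}
    lsap = struct.unpack("!H", raw[14:16])[0]   # 802.3: DSAP+SSAP follow length
    return {"dst": dst, "ethertype": None, "lsap": lsap}

def is_ip(f): return f["ethertype"] == 0x0800
def arp(f): return f["ethertype"] == 0x0806
def stp_lsap(f): return f["lsap"] == 0x4242
def pvst_dst(f): return f["dst"] == PVST_MAC

# Each policy: ordered clauses of (kind, matcher); anything unmatched is dropped.
ANSWER_KEY = [("ip", is_ip), ("mac", arp), ("mac", stp_lsap)]
POSTER = [("ip", is_ip), ("mac", arp), ("mac", pvst_dst)]

def verdict(policy, raw):
    f = parse(raw)
    for kind, match in policy:
        if (kind == "ip") == is_ip(f) and match(f):
            return "forward"
    return "drop"

def report(policy):
    return {name: verdict(policy, raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for label, pol in (("answer key", ANSWER_KEY), ("poster", POSTER)):
        print(label, report(pol))
```

Under these assumptions the answer-key clauses forward the 802.1D BPDU but drop the SNAP-encapsulated PVST+ BPDU, while the poster's clauses do the reverse; both drop the IPX frame.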