Re: packet matching ..........

From: Ivan (ivan@iip.net)
Date: Fri Nov 17 2006 - 13:07:47 ART


No!

The packet must match IP AND MAC.
For example:
HOST A
  IP: 1.1.1.1
  MAC: 1.1.1
HOST B
  IP: 2.2.2.2
  MAC: 2.2.2

access-list 100 permit ip host 1.1.1.1 any
access-list 100 permit ip host 2.2.2.2 any
access-list 1100 permit 1.1.1 0000.0000.0000 0.0.0 ffff.ffff.ffff
access-list 1100 permit 2.2.2 0000.0000.0000 0.0.0 ffff.ffff.ffff

In such a config, HOST A can have MAC 2.2.2.

Maybe something like that?

Giga-LPI(config)#class-map match-all CLASS
Giga-LPI(config-cmap)#match access-group 100
Giga-LPI(config-cmap)#match access-group 1100
Giga-LPI(config-cmap)#policy-map POL
Giga-LPI(config-pmap)#class CLASS
Giga-LPI(config-pmap-c)#rat
Giga-LPI(config-pmap-c)#pol
Giga-LPI(config-pmap-c)#police 8000 8000 exc
Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action dro
Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action drop
Giga-LPI(config-pmap-c)#
01:18:31: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap CLASS

On Friday 17 November 2006 18:53, Alexei Monastyrnyi wrote:
> should this work?
>
> SW1(config-cmap)#do sh run | in class|100|1100
> class-map match-all test
> match access-group 100
> match access-group 1100
> access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
> access-list 1100 permit aaaa.aaaa.aaaa 0000.0000.0000 bbbb.bbbb.bbbb 0000.0000.0000
>
> SW1(config)#mac acc
> SW1(config)#mac access-list ?
> extended Extended Access List
>
> SW1(config)#access-list ?
> <1-99> IP standard access list
> <100-199> IP extended access list
> _* <1100-1199> Extended 48-bit MAC address access list*_
> <1300-1999> IP standard access list (expanded range)
> <200-299> Protocol type-code access list
> <2000-2699> IP extended access list (expanded range)
> <700-799> 48-bit MAC address access list
> dynamic-extended Extend the dynamic ACL absolute timer
> rate-limit Simple rate-limit specific access list
>
> Ivan wrote:
> > Hello !
> >
> > Quick question and short answer.
> > In a production network there is a need to permit (in|out) packets ONLY
> > if they match IP and MAC address. Can this be achieved with Catalyst3550
> > / Catalyst3750?
> >
> > To my knowledge, MAC ACLs match only non-IP traffic. If so, the previous
> > requirement is not possible.

-- 
Ivan
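
Added example, not part of the original message: a small Python model of the logic discussed above, showing why two independent permit lists (ACL 100 and ACL 1100 combined with match-all) still accept HOST A's IP with HOST B's MAC, while a per-host pair binding does not. It models only the matching logic, not IOS behaviour; the `BINDINGS` table, the function names and the destination MAC are assumptions made for illustration.

```python
# Added illustration: models the ACL logic from the message, not IOS itself.
import ipaddress

def mac_to_int(mac):
    """Cisco dotted MAC (leading zeros optional, e.g. '1.1.1') -> 48-bit int."""
    a, b, c = (int(g, 16) for g in mac.split("."))
    return (a << 32) | (b << 16) | c

def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(value, base, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    return (value & ~wildcard) == (base & ~wildcard)

# ACL 100 from the message: permit ip host <addr> any
ACL_100 = [ip_to_int("1.1.1.1"), ip_to_int("2.2.2.2")]
# ACL 1100 from the message: (src, src-wildcard, dst, dst-wildcard)
ACL_1100 = [
    ("1.1.1", "0000.0000.0000", "0.0.0", "ffff.ffff.ffff"),
    ("2.2.2", "0000.0000.0000", "0.0.0", "ffff.ffff.ffff"),
]

def acl_100_permits(src_ip):
    return ip_to_int(src_ip) in ACL_100

def acl_1100_permits(src_mac, dst_mac):
    s, d = mac_to_int(src_mac), mac_to_int(dst_mac)
    return any(
        wildcard_match(s, mac_to_int(sm), mac_to_int(sw))
        and wildcard_match(d, mac_to_int(dm), mac_to_int(dw))
        for sm, sw, dm, dw in ACL_1100
    )

def match_all_class(src_ip, src_mac, dst_mac="aaaa.bbbb.cccc"):
    """class-map match-all: each access-group is evaluated independently."""
    return acl_100_permits(src_ip) and acl_1100_permits(src_mac, dst_mac)

# Hypothetical binding table: the per-host (IP, MAC) pairing the requirement needs.
BINDINGS = {
    (ip_to_int("1.1.1.1"), mac_to_int("1.1.1")),
    (ip_to_int("2.2.2.2"), mac_to_int("2.2.2")),
}

def pair_bound(src_ip, src_mac):
    return (ip_to_int(src_ip), mac_to_int(src_mac)) in BINDINGS
```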


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART