From: Venkatesh Venkatesh (kvpalani@gmail.com)
Date: Fri Nov 17 2006 - 15:10:34 ART
Sorry, didn't read the complete email ...
The class map with match-all and matching both the IP and MAC will work.
- Venkatesh
On 11/17/06, Ivan <ivan@iip.net> wrote:
>
> In such a way I see two problems.
> 1) the problem described to Alexey
> 2) MAC ACLs don't match IP traffic
>
> On Friday 17 November 2006 20:33, Venkatesh Venkatesh wrote:
> > How about using a VLAN filter, something like below?
> >
> > vlan access-map test 1
> > action forward
> > match mac address mac-list
> > match ip address 10
> >
> >
> > - Venkatesh
> >
> > On 11/17/06, Ivan <ivan@iip.net> wrote:
> > > No!
> > >
> > > The packet must match IP AND MAC.
> > > For example:
> > > HOST A
> > > IP: 1.1.1.1
> > > MAC: 1.1.1
> > > HOST B
> > > IP: 2.2.2.2
> > > MAC: 2.2.2
> > >
> > > access-list 100 permit ip host 1.1.1.1 any
> > > access-list 100 permit ip host 2.2.2.2 any
> > > access-list 1100 permit 1.1.1 0000.0000.0000 0.0.0 ffff.ffff.ffff
> > > access-list 1100 permit 2.2.2 0000.0000.0000 0.0.0 ffff.ffff.ffff
> > >
> > > In such a config HOST A can have MAC 2.2.2
> > >
> > >
> > > Maybe something like that?
> > >
> > > Giga-LPI(config)#class-map match-all CLASS
> > > Giga-LPI(config-cmap)#match access-group 100
> > > Giga-LPI(config-cmap)#match access-group 1100
> > > Giga-LPI(config-cmap)#policy-map POL
> > > Giga-LPI(config-pmap)#class CLASS
> > > Giga-LPI(config-pmap-c)#rat
> > > Giga-LPI(config-pmap-c)#pol
> > > Giga-LPI(config-pmap-c)#police 8000 8000 exc
> > > Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action dro
> > > Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action drop
> > > Giga-LPI(config-pmap-c)#
> > > 01:18:31: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap CLASS
> > >
> > > On Friday 17 November 2006 18:53, Alexei Monastyrnyi wrote:
> > > > should this work?
> > > >
> > > > SW1(config-cmap)#do sh run | in class|100|1100
> > > > class-map match-all test
> > > > match access-group 100
> > > > match access-group 1100
> > > > access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
> > > > access-list 1100 permit aaaa.aaaa.aaaa 0000.0000.0000 bbbb.bbbb.bbbb 0000.0000.0000
> > > >
> > > > SW1(config)#mac acc
> > > > SW1(config)#mac access-list ?
> > > > extended Extended Access List
> > > >
> > > > SW1(config)#access-list ?
> > > > <1-99> IP standard access list
> > > > <100-199> IP extended access list
> > > > _* <1100-1199> Extended 48-bit MAC address access list*_
> > > > <1300-1999> IP standard access list (expanded range)
> > > > <200-299> Protocol type-code access list
> > > > <2000-2699> IP extended access list (expanded range)
> > > > <700-799> 48-bit MAC address access list
> > > > dynamic-extended Extend the dynamic ACL absolute timer
> > > > rate-limit Simple rate-limit specific access list
> > > >
> > > > Ivan wrote:
> > > > > Hello !
> > > > >
> > > > > Quick question and short answer.
> > > > > In a production network there is a necessity to permit (in|out) packets
> > > > > ONLY if they match IP and MAC address. Can this be achieved with
> > > > > Catalyst 3550 / Catalyst 3750?
> > > > >
> > > > > To my knowledge a MAC ACL matches only non-IP traffic. If so, the
> > > > > previous requirement is not possible.
> > >
> > > --
> > > Ivan
> > >
> > >
>
> --
> Ivan
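
The objection quoted above ("in such config HOST A can have MAC 2.2.2") can be checked with a small model. This is an added example, not part of any poster's message and not a statement of how the switch evaluates the class-map: it models only the matching logic of two independent lists versus a per-host IP/MAC pair. All function names and the `BINDINGS` table are assumptions made for the illustration.

```python
import ipaddress

def mac(s):
    """Parse Cisco dotted-hex MAC notation; '1.1.1' means 0001.0001.0001."""
    return int("".join(group.zfill(4) for group in s.split(".")), 16)

def wildcard_match(value, pattern, wildcard):
    """Cisco wildcard semantics: bits set in the wildcard are ignored."""
    return (value & ~wildcard) == (pattern & ~wildcard)

# Constructed from the thread's example hosts (source side only, destination "any").
ACL_100 = ["1.1.1.1", "2.2.2.2"]                         # permit ip host X any
ACL_1100 = [("1.1.1", "0000.0000.0000"),                 # source MAC, source wildcard
            ("2.2.2", "0000.0000.0000")]
BINDINGS = [("1.1.1.1", "1.1.1"), ("2.2.2.2", "2.2.2")]  # intended IP/MAC pairs

def acl_100_permits(src_ip):
    ip = ipaddress.ip_address(src_ip)
    return any(ip == ipaddress.ip_address(host) for host in ACL_100)

def acl_1100_permits(src_mac):
    m = mac(src_mac)
    return any(wildcard_match(m, mac(p), mac(w)) for p, w in ACL_1100)

def match_all_two_acls(src_ip, src_mac):
    """What 'match-all' over two independent lists evaluates."""
    return acl_100_permits(src_ip) and acl_1100_permits(src_mac)

def match_bound_pair(src_ip, src_mac):
    """The stated requirement: IP and MAC must belong to the same host."""
    ip, m = ipaddress.ip_address(src_ip), mac(src_mac)
    return any(ip == ipaddress.ip_address(b_ip) and m == mac(b_mac)
               for b_ip, b_mac in BINDINGS)

def mismatches(frames):
    """Frames that the two-ACL model permits but the pair binding rejects."""
    return [f for f in frames
            if match_all_two_acls(*f) and not match_bound_pair(*f)]

if __name__ == "__main__":
    # Constructed sample frames: (source IP, source MAC)
    frames = [("1.1.1.1", "1.1.1"), ("1.1.1.1", "2.2.2"), ("3.3.3.3", "1.1.1")]
    for f in mismatches(frames):
        print("permitted by both ACLs but not a bound pair:", f)
```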