From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Fri Nov 17 2006 - 15:57:11 ART
Access-list 1100 is used for legacy bridging filtering such as
this:
http://www.cisco.com/en/US/tech/tk331/tk660/technologies_tech_note09186a008009403e.shtml
If you wanted to configure a switchport to allow only
a single mac-address and IP address pair configure port-security with a
static mac-address and configure an IP access-list that permits traffic
from only one source and apply it to the interface. This is assuming
that you are applying the configuration on the host facing interface and
not somewhere in the layer 2 or layer 3 transit path.
HTH,
Brian McGahan, CCIE #8593 (R&S/SP)
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
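As an added example, not taken from Brian's post or the rest of the thread, this is the host-facing port configuration he describes on a Catalyst 3550/3750: port security pins the source MAC, an inbound IP port ACL pins the source IP. The interface FastEthernet0/1, VLAN 10, MAC 0000.1111.2222, IP 10.1.1.10 and ACL name HOST-A-ONLY are assumed placeholders.

```cisco
! Added example (not from the thread): one host, one MAC/IP pair per port.
! Interface, VLAN, MAC, IP and ACL name below are assumed placeholder values.
interface FastEthernet0/1
 description Host A (assumed MAC 0000.1111.2222 / assumed IP 10.1.1.10)
 switchport mode access
 switchport access vlan 10
 ! Port security: only the statically configured MAC may source frames;
 ! any other source MAC is a violation (dropped and counted with "restrict").
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
 ! Port ACL: only the configured source IP may send; port ACLs on these
 ! platforms are applied inbound on the Layer 2 interface.
 ip access-group HOST-A-ONLY in
!
ip access-list extended HOST-A-ONLY
 permit ip host 10.1.1.10 any
 deny ip any any
!
! Checks after applying:
!   show port-security interface FastEthernet0/1   (violation count, secure MAC)
!   show ip access-lists HOST-A-ONLY               (ACL as configured)
```

The two checks are independent: a frame with the allowed MAC but another source IP is dropped by the ACL, and a frame with another MAC is a port-security violation before the ACL is consulted. Non-IP frames such as ARP are not evaluated by the IP port ACL, so for them only the port-security MAC check applies.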
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ivan
> Sent: Friday, November 17, 2006 10:08 AM
> To: alexeim@orcsoftware.com
> Cc: Cisco certification
> Subject: Re: packet matching ..........
>
> No !
>
> Packet must be matched IP AND MAC.
> For example:
> HOST A
> IP: 1.1.1.1
> MAC: 1.1.1
> HOST B
> IP: 2.2.2.2
> MAC: 2.2.2
>
> access-list 100 permit host 1.1.1.1 any
> access-list 100 permit host 2.2.2.2 any
> access-list 1100 permit 1.1.1 0000.0000.0000 0.0.0 ffff.ffff.ffff
> access-list 1100 permit 2.2.2 0000.0000.0000 0.0.0 ffff.ffff.ffff
>
> in such config HOST A can have MAC 2.2.2
>
>
> Maybe something like that?
>
> Giga-LPI(config)#class-map match-all CLASS
> Giga-LPI(config-cmap)#match access-group 100
> Giga-LPI(config-cmap)#match access-group 1100
> Giga-LPI(config-cmap)#policy-map POL
> Giga-LPI(config-pmap)#class CLASS
> Giga-LPI(config-pmap-c)#rat
> Giga-LPI(config-pmap-c)#pol
> Giga-LPI(config-pmap-c)#police 8000 8000 exc
> Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action dro
> Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action drop
> Giga-LPI(config-pmap-c)#
> 01:18:31: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in classmap CLASS
>
>
>
> On Friday 17 November 2006 18:53, Alexei Monastyrnyi wrote:
> > should this work?
> >
> > SW1(config-cmap)#do sh run | in class|100|1100
> > class-map match-all test
> > match access-group 100
> > match access-group 1100
> > access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
> > access-list 1100 permit aaaa.aaaa.aaaa 0000.0000.0000 bbbb.bbbb.bbbb 0000.0000.0000
> >
> > SW1(config)#mac acc
> > SW1(config)#mac access-list ?
> > extended Extended Access List
> >
> > SW1(config)#access-list ?
> > <1-99> IP standard access list
> > <100-199> IP extended access list
> > <1100-1199> Extended 48-bit MAC address access list
> > <1300-1999> IP standard access list (expanded range)
> > <200-299> Protocol type-code access list
> > <2000-2699> IP extended access list (expanded range)
> > <700-799> 48-bit MAC address access list
> > dynamic-extended Extend the dynamic ACL absolute timer
> > rate-limit Simple rate-limit specific access list
> >
> > Ivan wrote:
> > > Hello !
> > >
> > > Quick question and short answer.
> > > In a production network there is a necessity to permit (in|out) packets ONLY
> > > if they match IP and MAC address. Can this be achieved with Catalyst3550
> > > / Catalyst3750 ?
> > >
> > > To my knowledge MAC ACLs match only non-IP traffic. If so, the previous
> > > requirement is not possible.
>
> --
> Ivan
>
>
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART