From: Ivan (ivan@iip.net)
Date: Fri Nov 17 2006 - 16:31:26 ART
This is not a host-facing port. Some ports face the LAN and I need to use MAC-IP
checking for each host inside the LAN. If there is only one host under the port, it is not a
problem.
On Friday 17 November 2006 21:57, Brian McGahan wrote:
> Access-list 1100 is used for legacy bridging filtering such as
> this:
> http://www.cisco.com/en/US/tech/tk331/tk660/technologies_tech_note09186a008009403e.shtml.
> If you wanted to configure a switchport to allow only
> a single mac-address and IP address pair, configure port-security with a
> static mac-address and configure an IP access-list that permits traffic
> from only one source and apply it to the interface. This is assuming
> that you are applying the configuration on the host facing interface and
> not somewhere in the layer 2 or layer 3 transit path.
>
>
> HTH,
>
> Brian McGahan, CCIE #8593 (R&S/SP)
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987 x 705
> Outside US: 775-826-4344 x 705
> 24/7 Support: http://forum.internetworkexpert.com
> Live Chat: http://www.internetworkexpert.com/chat/
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ivan
> > Sent: Friday, November 17, 2006 10:08 AM
> > To: alexeim@orcsoftware.com
> > Cc: Cisco certification
> > Subject: Re: packet matching ..........
> >
> > No !
> >
> > Packet must be matched IP AND MAC.
> > For example:
> > HOST A
> > IP: 1.1.1.1
> > MAC: 1.1.1
> > HOST B
> > IP: 2.2.2.2
> > MAC: 2.2.2
> >
> > access-list 100 permit ip host 1.1.1.1 any
> > access-list 100 permit ip host 2.2.2.2 any
> > access-list 1100 permit 1.1.1 0000.0000.0000 0.0.0 ffff.ffff.ffff
> > access-list 1100 permit 2.2.2 0000.0000.0000 0.0.0 ffff.ffff.ffff
> >
> > in such config HOST A can have MAC 2.2.2
> >
> >
> > May be something like that ?????
> >
> > Giga-LPI(config)#class-map match-all CLASS
> > Giga-LPI(config-cmap)#match access-group 100
> > Giga-LPI(config-cmap)#match access-group 1100
> > Giga-LPI(config-cmap)#policy-map POL
> > Giga-LPI(config-pmap)#class CLASS
> > Giga-LPI(config-pmap-c)#rat
> > Giga-LPI(config-pmap-c)#pol
> > Giga-LPI(config-pmap-c)#police 8000 8000 exc
> > Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action dro
> > Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action drop
> > Giga-LPI(config-pmap-c)#
> > 01:18:31: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in
> > classmap CLASS
> >
> > On Friday 17 November 2006 18:53, Alexei Monastyrnyi wrote:
> > > should this work?
> > >
> > > SW1(config-cmap)#do sh run | in class|100|1100
> > > class-map match-all test
> > > match access-group 100
> > > match access-group 1100
> > > access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
> > > access-list 1100 permit aaaa.aaaa.aaaa 0000.0000.0000 bbbb.bbbb.bbbb 0000.0000.0000
> > >
> > > SW1(config)#mac acc
> > > SW1(config)#mac access-list ?
> > > extended Extended Access List
> > >
> > > SW1(config)#access-list ?
> > > <1-99> IP standard access list
> > > <100-199> IP extended access list
> > > _* <1100-1199> Extended 48-bit MAC address access list*_
> > > <1300-1999> IP standard access list (expanded range)
> > > <200-299> Protocol type-code access list
> > > <2000-2699> IP extended access list (expanded range)
> > > <700-799> 48-bit MAC address access list
> > > dynamic-extended Extend the dynamic ACL absolute timer
> > > rate-limit Simple rate-limit specific access list
> > >
> > > Ivan wrote:
> > > > Hello !
> > > >
> > > > Quick question and short answer.
> > > > In a production network there is a necessity to permit (in|out) packets ONLY
> > > > if they match IP and MAC address. Can this be achieved with Catalyst3550
> > > > / Catalyst3750 ?
> > > >
> > > > To my knowledge mac-ACLs match only non-IP traffic. If so, the previous
> > > > requirement is not possible.
> >
> > --
> > Ivan
>
> _______________________________________________________________________
>
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
-- Ivan
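To make the gap Ivan describes concrete (ACL 100 and ACL 1100 are each evaluated on their own, so HOST A can send with HOST B's MAC), here is an added Python model written for this archive page; it is not code from the thread or from Cisco. It assumes IOS wildcard-mask semantics (a 0 bit in the mask must match) and expands the shorthand MACs 1.1.1 and 2.2.2 from the quoted example to 0001.0001.0001 and 0002.0002.0002.

```python
# Added example, not from the thread: models two independent IOS ACLs
# (IP ACL 100 and MAC ACL 1100) versus a joint IP+MAC binding check.
# The addresses and MACs are constructed placeholders from the thread's
# example, not real hosts.
import ipaddress


def mac_to_int(mac):
    """Parse a Cisco-style dotted-hex MAC such as 'aaaa.bbbb.cccc'."""
    return int(mac.replace(".", ""), 16)


def ip_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must match'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def mac_match(mac, base, wildcard):
    """Same wildcard semantics applied to a 48-bit MAC."""
    w = mac_to_int(wildcard)
    return (mac_to_int(mac) & ~w) == (mac_to_int(base) & ~w)


def eval_acl(entries, matcher, value):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, base, wildcard in entries:
        if matcher(value, base, wildcard):
            return action == "permit"
    return False


# Source-IP entries of ACL 100 and source-MAC entries of ACL 1100 (assumed
# expansion of the thread's '1.1.1' / '2.2.2' shorthand).
ACL_100 = [("permit", "1.1.1.1", "0.0.0.0"), ("permit", "2.2.2.2", "0.0.0.0")]
ACL_1100 = [("permit", "0001.0001.0001", "0000.0000.0000"),
            ("permit", "0002.0002.0002", "0000.0000.0000")]
# The binding a defender actually wants: exactly one MAC per IP.
BINDINGS = {"1.1.1.1": "0001.0001.0001", "2.2.2.2": "0002.0002.0002"}


def independent_acls_permit(src_ip, src_mac):
    """What ANDing ACL 100 and ACL 1100 would give if the switch honoured
    both: each list is checked on its own, so any permitted IP may be
    paired with any permitted MAC."""
    return (eval_acl(ACL_100, ip_match, src_ip)
            and eval_acl(ACL_1100, mac_match, src_mac))


def binding_permit(src_ip, src_mac):
    """Joint check: the frame's source MAC must be the one bound to its IP."""
    bound = BINDINGS.get(src_ip)
    return bound is not None and mac_to_int(bound) == mac_to_int(src_mac)
```

Run `independent_acls_permit("1.1.1.1", "0002.0002.0002")` and `binding_permit("1.1.1.1", "0002.0002.0002")` to see the two evaluations disagree on the cross-paired frame.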
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART