Re: packet matching ..........

From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Fri Nov 17 2006 - 17:14:40 ART


why not?

just split up ACL 100 and ACL 1100 per host

access-list 101 permit ip host 1.1.1.1 any
access-list 102 permit ip host 2.2.2.2 any
access-list 1101 permit 1.1.1 0000.0000.0000 0.0.0 ffff.ffff.ffff
access-list 1102 permit 2.2.2 0000.0000.0000 0.0.0 ffff.ffff.ffff

Since class-map can do either AND or OR, we can have it like this

class-map match-all host-A
  match access-group 101
  match access-group 1101

class-map match-all host-B
  match access-group 102
  match access-group 1102

Ivan wrote:
> No !
>
> Packet must be matched IP AND MAC.
> For example:
> HOST A
> IP: 1.1.1.1
> MAC: 1.1.1
> HOST B
> IP: 2.2.2.2
> MAC: 2.2.2
>
> access-list 100 permit ip host 1.1.1.1 any
> access-list 100 permit ip host 2.2.2.2 any
> access-list 1100 permit 1.1.1 0000.0000.0000 0.0.0 ffff.ffff.ffff
> access-list 1100 permit 2.2.2 0000.0000.0000 0.0.0 ffff.ffff.ffff
>
> in such config HOST A can have MAC 2.2.2
>
>
> Maybe something like that?
>
> Giga-LPI(config)#class-map match-all CLASS
> Giga-LPI(config-cmap)#match access-group 100
> Giga-LPI(config-cmap)#match access-group 1100
> Giga-LPI(config-cmap)#policy-map POL
> Giga-LPI(config-pmap)#class CLASS
> Giga-LPI(config-pmap-c)#rat
> Giga-LPI(config-pmap-c)#pol
> Giga-LPI(config-pmap-c)#police 8000 8000 exc
> Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action dro
> Giga-LPI(config-pmap-c)#police 8000 8000 exceed-action drop
> Giga-LPI(config-pmap-c)#
> 01:18:31: %QM-4-CLASS_NOT_SUPPORTED: Classification is not supported in
> classmap CLASS
>
>
>
> On Friday 17 November 2006 18:53, Alexei Monastyrnyi wrote:
>
>> should this work?
>>
>> SW1(config-cmap)#do sh run | in class|100|1100
>> class-map match-all test
>> match access-group 100
>> match access-group 1100
>> access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
>> access-list 1100 permit aaaa.aaaa.aaaa 0000.0000.0000 bbbb.bbbb.bbbb 0000.0000.0000
>>
>> SW1(config)#mac acc
>> SW1(config)#mac access-list ?
>> extended Extended Access List
>>
>> SW1(config)#access-list ?
>> <1-99> IP standard access list
>> <100-199> IP extended access list
>> <1100-1199> Extended 48-bit MAC address access list
>> <1300-1999> IP standard access list (expanded range)
>> <200-299> Protocol type-code access list
>> <2000-2699> IP extended access list (expanded range)
>> <700-799> 48-bit MAC address access list
>> dynamic-extended Extend the dynamic ACL absolute timer
>> rate-limit Simple rate-limit specific access list
>>
>> Ivan wrote:
>>
>>> Hello !
>>>
>>> Quick question and short answer.
>>> In a production network there is a necessity to permit (in|out) packets ONLY
>>> if they match both IP and MAC address. Can this be achieved with a Catalyst 3550
>>> / Catalyst 3750?
>>>
>>> To my knowledge, MAC ACLs match only non-IP traffic. If so, the requirement
>>> above cannot be met.
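The difference between Ivan's single CLASS and Alexei's per-host split, as an added Python model that is not from the thread or from IOS: an ACL permits when any of its entries matches, while a match-all class-map requires every match access-group to permit, so two-entry ACLs admit the cross pairing (host A's IP with host B's MAC) that the per-host class-maps reject. The model covers only the matching logic, not whether the switch accepts such a class-map (the %QM-4-CLASS_NOT_SUPPORTED message above is about that); the frame fields and helper names are constructed for the example.

```python
# Model of Catalyst class-map matching: OR within an ACL, AND across match-all criteria.
from dataclasses import dataclass
from typing import Optional

def mac(h: str) -> int:
    """Parse IOS H.H.H notation ('1.1.1', 'ffff.ffff.ffff') into a 48-bit int."""
    a, b, c = (int(g, 16) for g in h.split("."))
    return (a << 32) | (b << 16) | c

@dataclass
class IpAce:           # access-list 100-199 entry: permit ip <src> any
    src_ip: str        # exact host address or "any"
    def matches(self, f: dict) -> bool:
        return self.src_ip in ("any", f["src_ip"])

@dataclass
class MacAce:          # access-list 1100-1199 entry: permit <src> <mask> <dst> <mask>
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    def matches(self, f: dict) -> bool:
        # Wildcard semantics as in the thread: a 1 bit in the mask means "don't care".
        return ((mac(f["src_mac"]) ^ mac(self.src)) & ~mac(self.src_mask) == 0 and
                (mac(f["dst_mac"]) ^ mac(self.dst)) & ~mac(self.dst_mask) == 0)

def acl_permits(acl: list, f: dict) -> bool:
    """An ACL permits when ANY of its entries matches (implicit deny otherwise)."""
    return any(ace.matches(f) for ace in acl)

def class_matches(class_map: list, f: dict) -> bool:
    """class-map match-all: EVERY 'match access-group' must permit the frame."""
    return all(acl_permits(acl, f) for acl in class_map)

def classify(f: dict, class_maps: dict) -> Optional[str]:
    """Name of the first class-map whose criteria the frame satisfies, else None."""
    return next((n for n, c in class_maps.items() if class_matches(c, f)), None)

ANY_DST = ("0.0.0", "ffff.ffff.ffff")
HOST_A_MAC = MacAce("1.1.1", "0000.0000.0000", *ANY_DST)
HOST_B_MAC = MacAce("2.2.2", "0000.0000.0000", *ANY_DST)
# Ivan's config: one class-map; ACL 100 and ACL 1100 each list both hosts.
COMBINED = {"CLASS": [[IpAce("1.1.1.1"), IpAce("2.2.2.2")], [HOST_A_MAC, HOST_B_MAC]]}
# Alexei's split: one match-all class-map per host, each with its own ACL pair.
PER_HOST = {"host-A": [[IpAce("1.1.1.1")], [HOST_A_MAC]],
            "host-B": [[IpAce("2.2.2.2")], [HOST_B_MAC]]}

def frame(src_ip: str, src_mac: str, dst_mac: str = "ffff.ffff.ffff") -> dict:
    return {"src_ip": src_ip, "src_mac": src_mac, "dst_mac": dst_mac}
```

`classify(frame("1.1.1.1", "2.2.2"), COMBINED)` returns "CLASS" while the same frame returns None against PER_HOST, which is the hole Ivan describes and the split closes.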



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART