Mac access-list

From: Simon Tee (teetengloong@gmail.com)
Date: Thu Nov 23 2006 - 14:04:37 ART


Hi Guys,

I did some testing with mac access-list and found something that I could not
get an explanation for.

Here's the scenario: my customer is a broadband provider, and users use PPPoE
to dial up to the Internet.
We were using 3560 switches and would like to filter non-relevant frames at
the port level (e.g. APPLETALK, AARP, DECNET-IV).

I've created a mac access-list with the following entries:
mac access-list extended pppoe-mac
 permit any any 0x806 0x0
 permit any any 0x8863 0x0
 permit any any 0x8864 0x0

We tried to perform a normal PING and everything went well, but later I
realized that I did not allow the normal IP ethertype (which is 0x0800) but
I am still able to PING through the switch to another device at the other
end. Using Ethereal, I can see that the ethertype 0x0800 is being sent out
but the mac access-list allows it to go through. The explicit deny
command did not drop the traffic.
There's no "show mac access-list" command to show me the counter.

I then modify the mac access-list to specifically deny ethertype 0x0800.
mac access-list extended pppoe-mac
 deny any any 0x800 0x0
 permit any any 0x806 0x0
 permit any any 0x8863 0x0
 permit any any 0x8864 0x0

And using PING I can still send my traffic over to the other end.

I have tried applying the mac access-list using both the interface level mac
access-group command as well as using a vlan filter but the results were the
same.

Is this the normal behavior for mac access-list? Or will ethertype 0x0800 be
automatically "inherited" when I permit PPPoE or ARP traffic?

I would appreciate your input.
Best Regards,
Tee
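As an added illustration (my own code, not from the post or from Cisco), the model below evaluates the pppoe-mac ACL with first-match semantics, the implicit deny at the end, and Cisco-style ethertype wildcard masks (set mask bits are "don't care"), then contrasts that literal reading with a simplified model of the documented Catalyst 3560 port-ACL behavior, where IPv4 frames are matched by the IP ACL (permit-all if none is applied) and MAC ACLs only see non-IP frames. The ethertype table is constructed from well-known assignments; the function names are mine.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

IPV4_ETHERTYPE = 0x0800

@dataclass(frozen=True)
class MacAce:
    """One entry of a Cisco 'mac access-list extended' (src/dst any any)."""
    action: str          # "permit" or "deny"
    ethertype: int
    mask: int = 0        # wildcard mask: set bits are ignored; 0x0 = exact match

    def matches(self, frame_ethertype: int) -> bool:
        care = ~self.mask & 0xFFFF
        return (frame_ethertype & care) == (self.ethertype & care)

def evaluate_mac_acl(acl: List[MacAce], frame_ethertype: int) -> str:
    """Literal first-match evaluation; unmatched frames hit the implicit deny."""
    for ace in acl:
        if ace.matches(frame_ethertype):
            return ace.action
    return "deny"

def port_acl_decision(mac_acl: List[MacAce], ip_acl_permits: Optional[bool],
                      frame_ethertype: int) -> str:
    """Simplified model of a 3560 Layer 2 port ACL: IPv4 frames are checked
    against the IP ACL (no IP ACL applied -> permit); every other ethertype
    is checked against the MAC ACL."""
    if frame_ethertype == IPV4_ETHERTYPE:
        return "permit" if ip_acl_permits in (None, True) else "deny"
    return evaluate_mac_acl(mac_acl, frame_ethertype)

# The ACL from the post: 0x806 and 0x0806 are the same value.
PPPOE_MAC = [MacAce("permit", 0x0806), MacAce("permit", 0x8863), MacAce("permit", 0x8864)]

# Constructed sample of the frame types the post mentions (well-known ethertypes).
ETHERTYPES: Dict[str, int] = {
    "ARP": 0x0806, "PPPoE-Discovery": 0x8863, "PPPoE-Session": 0x8864,
    "IPv4": 0x0800, "AppleTalk": 0x809B, "AARP": 0x80F3, "DECnet-IV": 0x6003,
}

def classify(acl: List[MacAce], literal: bool = True) -> Dict[str, str]:
    """Decision per frame type, literal ACL reading vs. 3560 port-ACL model."""
    return {name: (evaluate_mac_acl(acl, et) if literal
                   else port_acl_decision(acl, None, et))
            for name, et in ETHERTYPES.items()}

if __name__ == "__main__":
    print("literal:", classify(PPPOE_MAC))
    print("3560   :", classify(PPPOE_MAC, literal=False))
```

The literal reading denies IPv4 (no 0x0800 entry, implicit deny), which is what the post expected; the platform model lets it through because the MAC ACL never sees IP frames, while AppleTalk, AARP and DECnet are dropped under both.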



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART