Re: Mac access-list

From: Ivan (ivan@iip.net)
Date: Thu Nov 23 2006 - 15:52:47 ART


My test shows that IP traffic isn't affected by a MAC ACL, the same as IPv6. But
ARP is filtered successfully.

On Thursday 23 November 2006 20:04, Simon Tee wrote:
> Hi Guys,
>
> I did some testing with mac access-list and found something for which I could
> not get an explanation.
>
> Here is the scenario: my customer is a broadband provider, and users use PPPoE
> to dial up to the Internet.
> We were using 3560 switches and would like to filter non-relevant frames at
> the port level (e.g. APPLETALK, AARP, DECNET-IV).
>
> I've created a mac access-list with the following entries:
> mac access-list extended pppoe-mac
> permit any any 0x806 0x0
> permit any any 0x8863 0x0
> permit any any 0x8864 0x0
>
> We tried to perform a normal PING and everything went well, but later I
> realized that I did not allow the normal IP ethertype (which is 0x0800) but
> I am still able to PING through the switch to another device at the other
> end. Using Ethereal, I can see that the ethertype 0x0800 is being sent out
> but the mac access-list allows it to go through. The explicit deny
> command did not drop the traffic.
> There's no "show mac access-list" command to show me the counter.
>
> I then modified the mac access-list to specifically deny ethertype 0x0800.
> mac access-list extended pppoe-mac
> deny any any 0x800 0x0
> permit any any 0x806 0x0
> permit any any 0x8863 0x0
> permit any any 0x8864 0x0
>
> And using PING I can still send my traffic over to the other end.
>
> I have tried applying the mac access-list using both the interface level
> mac access-group command as well as using a vlan filter but the results
> were the same.
>
> Is this the normal behavior for mac access-list? Or will Ethertype 0x0800 be
> automatically "inherited" when I permit PPPoE or ARP traffic?
>
> I appreciate your input.
> Best Regards,
> Tee
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Ivan

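As an added example (not taken from Ivan's or Simon's posts), here is how the two ACL types are paired on a Catalyst 3560 access port to get the effect Simon's list was meant to have. Consistent with Ivan's test, the MAC ACL is only consulted for non-IP frames, so an ACE for ethertype 0x800 in it is never matched; IPv4 has to be denied by a separate IP ACL applied to the same port. The interface, VLAN number and ACL names below are placeholders I chose.

```cisco
! MAC ACL: consulted only for non-IP frames on this platform.
! Anything not listed (AppleTalk, AARP, DECnet, ...) hits the implicit deny.
mac access-list extended pppoe-mac
 ! PPPoE Discovery stage
 permit any any 0x8863 0x0
 ! PPPoE Session stage
 permit any any 0x8864 0x0
 ! ARP
 permit any any 0x806 0x0
!
! IPv4 frames are matched by the IP ACL, never by the MAC ACL,
! so plain IP (ethertype 0x0800) is dropped here instead.
ip access-list extended pppoe-no-ip
 deny ip any any
!
! Placeholder subscriber port: both lists applied inbound, each
! filtering its own traffic class.
interface FastEthernet0/1
 description subscriber port (placeholder)
 switchport mode access
 switchport access vlan 100
 mac access-group pppoe-mac in
 ip access-group pppoe-no-ip in
```

To confirm what is applied, `show access-lists` lists both ACLs and `show mac access-group interface FastEthernet0/1` shows the MAC ACL bound to the port; whether frames actually pass is still best checked with a capture on the far side, as Simon did. IPv6 frames (ethertype 0x86DD), which Ivan reports are equally untouched by the MAC ACL, would need an IPv6 ACL in the same way, and on this platform that depends on an IPv6-capable SDM template, which is outside this example.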

This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART