From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Nov 23 2006 - 16:35:09 ART
Ivan is correct: with Catalysts, IP traffic is NOT handled by MAC access-lists.
It's a special feature that directly pipelines IP packets to L3 processing (IP
access-lists, routing, etc.). A MAC access-list affects only non-IP traffic
(ARP, STP, AppleTalk, IPX).
HTH
2006/11/23, Simon Tee <teetengloong@gmail.com>:
>
> Hi Guys,
>
> I did some testing with mac access-list and found something that I could
> not get an explanation for.
>
> Here's the scenario: my customer is a broadband provider, and users use
> PPPoE to dial up to the Internet.
> We were using 3560 switches and would like to filter non-relevant frames
> at the port level (e.g. APPLETALK, AARP, DECNET-IV).
>
> I've created a mac access-list with the following entries:
> mac access-list extended pppoe-mac
> permit any any 0x806 0x0
> permit any any 0x8863 0x0
> permit any any 0x8864 0x0
>
> We tried to perform a normal PING and everything went well, but later I
> realized that I did not allow the normal IP ethertype (which is 0x0800),
> but I am still able to PING through the switch to another device at the
> other end. Using Ethereal, I can see that ethertype 0x0800 is being sent
> out, but the mac access-list allows it to go through. The explicit deny
> command did not drop the traffic.
> There's no "show mac access-list" command to show me the counters.
>
> I then modified the mac access-list to specifically deny ethertype 0x0800.
> mac access-list extended pppoe-mac
> deny any any 0x800 0x0
> permit any any 0x806 0x0
> permit any any 0x8863 0x0
> permit any any 0x8864 0x0
>
> And using PING I can still send my traffic over to the other end.
>
> I have tried applying the mac access-list using both the interface-level
> mac access-group command and a VLAN filter, but the results were
> the same.
>
> Is this the normal behavior for a mac access-list? Or will ethertype
> 0x0800 be automatically "inherited" when I permit PPPoE or ARP traffic?
>
> I appreciate your input.
> Best Regards,
> Tee
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
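As an added example, not posted by either Petr or Simon, here is one way to get the filtering Simon was after on a 3560 access port given the behaviour Petr describes: the MAC ACL is kept for the non-IP ethertypes, and a separate IP ACL on the same port drops IP, since IP packets are only ever matched against IP ACLs. The interface name and the ACL names are assumptions; port ACLs on this platform are applied inbound only.

```cisco
! Added example, not from the thread. Interface and ACL names are assumptions.
! Non-IP frames (ARP, PPPoE discovery and session) are matched against the
! MAC ACL; its implicit deny drops the other non-IP ethertypes (AppleTalk,
! AARP, DECnet-IV, ...) that the customer wants gone.
mac access-list extended pppoe-mac
 permit any any 0x806 0x0
 permit any any 0x8863 0x0
 permit any any 0x8864 0x0
!
! IP frames (ethertype 0x0800) never consult the MAC ACL, so a
! "deny any any 0x800 0x0" there has no effect on them. Drop them with an
! IP ACL applied to the same port instead.
ip access-list extended no-ip-on-pppoe
 deny ip any any
!
interface FastEthernet0/1
 description PPPoE subscriber port (assumed name)
 switchport mode access
 mac access-group pppoe-mac in
 ip access-group no-ip-on-pppoe in
```

One IP ACL and one MAC ACL can coexist inbound on a Layer 2 port; IP packets are checked only against the IP ACL and everything else only against the MAC ACL, so neither list needs to mention the other's protocols. The same split applies to VLAN maps: a `match ip address` clause handles IP and a `match mac address` clause handles non-IP, which is why Simon's VLAN filter attempt behaved the same as the port ACL.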
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART