RE: VLAN Filter Scenario

From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Wed Dec 06 2006 - 05:38:57 ART


<< For a more readable filter, I'd split the matching of IP and non-IP packets
in two sections of VLAN access-map.>>

Does this also imply different behavior? You're saying just for
readability, right? Behavior is the same?

<<And yes, I did test this list in the lab - with IP and IPX; IPX was sent
over the trunk link, marked with CoS 6 or CoS 0.>>

CoS 6 gets passed? How is that possible? Or are you referring to something
of which I am unaware?

From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
Sent: Tuesday, December 05, 2006 11:02 PM
To: Lab Rat #109385382
Cc: cisco@groupstudy.com; Cisco certification; security@groupstudy.com
Subject: Re: VLAN Filter Scenario

A good one! :)

Actually, it's not that hard, if you recall how VLAN ACLs match packets.

First, an IP packet is matched *only* against IP ACLs; a non-IP packet
matches MAC ACLs *only*.

Therefore, your VLAN filter will permit IP traffic only from mentioned IP
addresses (note that this may be really bad, if your VLAN is transit);

In addition, this VLAN filter will only permit non-IP packets with a CoS of 0.

For a more readable filter, I'd split the matching of IP and non-IP packets
in two sections of VLAN access-map.

And yes, I did test this list in the lab - with IP and IPX; IPX was sent
over the trunk link, marked with CoS 6 or CoS 0.

HTH
2006/12/6, Lab Rat #109385382 <techlist01@gmail.com>:
How would you guys interpret the behavior of the following combination of
statements:

mac access-list extended COS-0
 permit any any cos 0

ip access-list extended IP-ALLOW
 permit ip host 1.1.1.1 any
 permit ip host 1.1.1.100 any

vlan access-map V-FILT 10
 action forward
 match mac address COS-0
 match ip address IP-ALLOW

vlan filter V-FILT vlan-list 555

Thanks,

Ed
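The following is an added illustration, not code from the thread or from Cisco: a small Python model of the VACL matching rules Petr states (IP packets are tested only against the "match ip address" clause, non-IP packets only against the "match mac address" clause, and a packet that hits no sequence is dropped). It evaluates Ed's single-sequence V-FILT and the two-sequence split Petr suggests against constructed sample traffic, so the question "is the behavior the same?" can be checked directly. The ACLs are reduced to sets (permitted CoS values, permitted source hosts), the sample packets are constructed, and the model does not cover platform-specific defaults such as a map with no clause of a packet's type.

```python
"""Model of how a Cisco VLAN access-map (VACL) evaluates a packet, following
the rules stated in the thread: IP packets are checked only against the
'match ip address' ACLs of a sequence, non-IP packets only against the
'match mac address' ACLs, and a packet that hits no sequence is dropped.
Added illustration; not a reproduction of IOS internals."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ethertype: str               # "ip" or a non-IP protocol such as "ipx"
    cos: int = 0                 # 802.1p CoS carried on the trunk
    src_ip: Optional[str] = None


@dataclass(frozen=True)
class MacAcl:
    """'mac access-list extended', reduced here to a set of permitted CoS values."""
    permitted_cos: frozenset


@dataclass(frozen=True)
class IpAcl:
    """'ip access-list extended', reduced here to a set of permitted source hosts."""
    permitted_src: frozenset


@dataclass(frozen=True)
class Sequence:
    seq: int
    action: str                        # "forward" or "drop"
    mac_acl: Optional[MacAcl] = None   # 'match mac address' clause, if any
    ip_acl: Optional[IpAcl] = None     # 'match ip address' clause, if any


def sequence_matches(seq: Sequence, pkt: Packet) -> bool:
    """An IP packet is tested only against the IP clause; a non-IP packet only
    against the MAC clause. A sequence with no clause of the packet's type
    simply does not match it."""
    if pkt.ethertype == "ip":
        return seq.ip_acl is not None and pkt.src_ip in seq.ip_acl.permitted_src
    return seq.mac_acl is not None and pkt.cos in seq.mac_acl.permitted_cos


def vacl_verdict(access_map: List[Sequence], pkt: Packet) -> str:
    """Walk the map in sequence order; the first matching sequence decides.
    No match anywhere means the implicit drop at the end of the map."""
    for seq in sorted(access_map, key=lambda s: s.seq):
        if sequence_matches(seq, pkt):
            return seq.action
    return "drop"


# The ACLs from Ed's post
COS_0 = MacAcl(frozenset({0}))
IP_ALLOW = IpAcl(frozenset({"1.1.1.1", "1.1.1.100"}))

# Ed's map: one sequence carrying both match clauses
V_FILT = [Sequence(10, "forward", mac_acl=COS_0, ip_acl=IP_ALLOW)]

# Petr's more readable variant: one sequence per packet type
V_FILT_SPLIT = [
    Sequence(10, "forward", ip_acl=IP_ALLOW),
    Sequence(20, "forward", mac_acl=COS_0),
]

# Constructed sample traffic on VLAN 555 (not captured data)
SAMPLES = [
    Packet("ip", cos=0, src_ip="1.1.1.1"),
    Packet("ip", cos=6, src_ip="1.1.1.100"),   # CoS plays no role for IP here
    Packet("ip", cos=0, src_ip="10.0.0.5"),    # transit host not in IP-ALLOW
    Packet("ipx", cos=0),
    Packet("ipx", cos=6),
]


def compare_maps() -> List[Tuple[Packet, str, str]]:
    """Return (packet, verdict under V-FILT, verdict under the split map)."""
    return [(p, vacl_verdict(V_FILT, p), vacl_verdict(V_FILT_SPLIT, p))
            for p in SAMPLES]


if __name__ == "__main__":
    for pkt, combined, split in compare_maps():
        print(f"{pkt.ethertype:3} cos={pkt.cos} src={pkt.src_ip}: "
              f"V-FILT={combined:7} split={split}")
```

Under these rules both maps give identical verdicts: IP from 1.1.1.1 or 1.1.1.100 is forwarded regardless of CoS, any other IP source is dropped (the transit-VLAN problem Petr points out), IPX with CoS 0 is forwarded and IPX with CoS 6 is dropped.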



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART