From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Dec 06 2006 - 06:37:32 ART
Yes, i think the behavior remains the same.
Oh, I meant IPX packets marked with CoS 6 on the trunk links get dropped.
IPX marked with CoS 0 is permitted :)
2006/12/6, Lab Rat #109385382 <techlist01@gmail.com>:
>
> << For a more readable filter, I'd split the matching of IP and non-IP packets in two sections of VLAN access-map.>>
>
>
> Does this also imply different behavior? You're saying just for readability, right? Behavior is the same?
>
>
> <<And yes, I did test this list in the lab - with IP and IPX; IPX was sent over the trunk link, marked with CoS 6 or CoS 0.>>
>
>
> CoS 6 gets passed? How is that possible? Or are you referring to something of which I am unaware?
>
>
>
> From: petrsoft@gmail.com [mailto:petrsoft@gmail.com] On Behalf Of Petr Lapukhov
> Sent: Tuesday, December 05, 2006 11:02 PM
> To: Lab Rat #109385382
> Cc: cisco@groupstudy.com; Cisco certification; security@groupstudy.com
> Subject: Re: VLAN Filter Scenario
>
> A good one! :)
>
> Actually, it's not that hard, if you recall how VLAN ACLs match packets.
>
> First, an IP packet is matched *only* against IP ACLs; a non-IP packet
> matches MAC ACLs *only*.
>
> Therefore, your VLAN filter will permit IP traffic only from mentioned IP
> addresses (note that this may be really bad, if your VLAN is transit);
>
> In addition, this VLAN filter will only permit non-IP packets with a CoS of 0.
>
> For a more readable filter, I'd split the matching of IP and non-IP packets in two sections of VLAN access-map.
>
> And yes, I did test this list in the lab - with IP and IPX; IPX was sent over the trunk link, marked with CoS 6 or CoS 0.
>
> HTH
> 2006/12/6, Lab Rat #109385382 <techlist01@gmail.com>:
> How would you guys interpret the behavior of the following combination of
> statements:
>
>
> mac access-list extended COS-0
> permit any any cos 0
>
> ip access-list extended IP-ALLOW
> permit ip host 1.1.1.1
> permit ip host 1.1.1.100
>
> vlan access-map V-FILT 10
> action forward
> match mac address COS-0
> match ip address IP-ALLOW
>
> vlan filter V-FILT vlan-list 555
>
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
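The matching rule the thread settles on (an IP packet is compared only against the `match ip address` ACL of a clause, a non-IP packet only against the `match mac address` ACL, and a frame that matches no clause is dropped) can be checked with a small model. The following Python is an added example, not code from the thread or from Cisco; it models the original V-FILT access-map and the split two-clause variant Petr suggests, and evaluates both against a few constructed frames. Assumptions: `permit ip host 1.1.1.1` is read as "source host 1.1.1.1, any destination" (the reading the thread uses), each ACL ends in an implicit deny, and a VLAN access-map with no matching clause drops the frame. Platform-specific defaults (for example how a map with no clause for a given packet type treats it) are deliberately not modelled.

```python
# Added example (not from the original thread): a simplified model of how a
# Cisco VLAN access-map evaluates frames, per the rule discussed in the thread.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Frame:
    proto: str                    # "ip", or a non-IP protocol such as "ipx"
    cos: int = 0                  # 802.1p CoS carried on the trunk
    src_ip: Optional[str] = None  # only meaningful when proto == "ip"


@dataclass
class MacAce:
    action: str                   # "permit" or "deny"
    cos: Optional[int] = None     # None means "any CoS"


@dataclass
class IpAce:
    action: str                   # "permit" or "deny"
    src_host: Optional[str] = None  # None means "any" source (assumption)


@dataclass
class MapClause:
    action: str                              # "forward" or "drop"
    mac_acl: Optional[List[MacAce]] = None   # match mac address ...
    ip_acl: Optional[List[IpAce]] = None     # match ip address ...


def mac_acl_permits(acl: List[MacAce], frame: Frame) -> bool:
    """First-match evaluation of a MAC ACL; implicit deny at the end."""
    for ace in acl:
        if ace.cos is None or ace.cos == frame.cos:
            return ace.action == "permit"
    return False


def ip_acl_permits(acl: List[IpAce], frame: Frame) -> bool:
    """First-match evaluation of an IP ACL; implicit deny at the end."""
    for ace in acl:
        if ace.src_host is None or ace.src_host == frame.src_ip:
            return ace.action == "permit"
    return False


def vacl_action(clauses: List[MapClause], frame: Frame) -> str:
    """Walk the access-map clauses in sequence order.

    IP frames are tested only against a clause's IP ACL, non-IP frames only
    against its MAC ACL. A 'permit' hit applies the clause action; a 'deny'
    hit or no match moves on. No matching clause at all: drop (assumption).
    """
    for clause in clauses:
        if frame.proto == "ip":
            if clause.ip_acl is not None and ip_acl_permits(clause.ip_acl, frame):
                return clause.action
        else:
            if clause.mac_acl is not None and mac_acl_permits(clause.mac_acl, frame):
                return clause.action
    return "drop"


# The ACLs from the thread.
COS_0 = [MacAce("permit", cos=0)]                          # mac access-list COS-0
IP_ALLOW = [IpAce("permit", "1.1.1.1"), IpAce("permit", "1.1.1.100")]  # IP-ALLOW

# Original map: one clause carrying both match statements.
V_FILT = [MapClause("forward", mac_acl=COS_0, ip_acl=IP_ALLOW)]

# Petr's more readable variant: one clause per packet type.
V_FILT_SPLIT = [
    MapClause("forward", ip_acl=IP_ALLOW),   # seq 10: IP packets
    MapClause("forward", mac_acl=COS_0),     # seq 20: non-IP packets
]

# Constructed test frames (not captured traffic).
FRAMES = {
    "ip from 1.1.1.1": Frame("ip", cos=0, src_ip="1.1.1.1"),
    "ip from 10.0.0.5": Frame("ip", cos=0, src_ip="10.0.0.5"),
    "ipx cos 0": Frame("ipx", cos=0),
    "ipx cos 6": Frame("ipx", cos=6),
}


def evaluate(clauses: List[MapClause]) -> Dict[str, str]:
    """Return the access-map verdict for every constructed frame."""
    return {name: vacl_action(clauses, frame) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate(V_FILT).items():
        print(f"V-FILT       {name:18s} -> {verdict}")
    for name, verdict in evaluate(V_FILT_SPLIT).items():
        print(f"V-FILT-SPLIT {name:18s} -> {verdict}")
```

Running it reproduces the thread's lab result: IP from the two listed hosts is forwarded, any other IP source is dropped, IPX with CoS 0 is forwarded and IPX with CoS 6 is dropped, and the split map yields exactly the same verdicts as the single-clause map.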
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART