From: Bit Gossip (bit.gossip@chello.nl)
Date: Fri Mar 16 2007 - 15:13:23 ART

Group,

My crazy target is to block the OSPF multicast hello packets of 3 routers connected
to the same switch VLAN 345.
I want to use a vlan-map to make it more interesting...

The first method uses a vlan-map with an IP access-list to filter 224.0.0.5, and it works.
The second method uses a vlan-map with a MAC access-list to filter 0100.5e00.0005,
which should be the layer 2 mapping for 224.0.0.5.
The second method doesn't work, meaning that OSPF hellos are not blocked.
Is this because a vlan-map with a MAC access-list doesn't look at IP packets?

Attached is the config of the 2 vlan-maps.

Thanks,
Luca.

Method 1:

vlan access-map NO-OSPF-1 10
 action drop
 match ip address 100
vlan access-map NO-OSPF-1 20
 action forward
 match ip address 2
access-list 2 permit any
access-list 100 permit ip any host 224.0.0.5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Method 2:

mac access-list extended ALL-MAC
 permit any any
mac access-list extended NO-OSPF-2
 permit any host 0100.5e00.0005
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map NO-OSPF-2 10
 action drop
 match mac address NO-OSPF-2
vlan access-map NO-OSPF-2 20
 action forward
 match mac address ALL-MAC
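
An added example, not part of the original post: a check of the layer 2 mapping the message relies on (224.0.0.5 to 0100.5e00.0005), using the standard IPv4 multicast-to-Ethernet mapping, plus the list of other groups that share that MAC and would be caught by the same MAC filter. The function names are hypothetical.

```python
import ipaddress

MCAST_MAC_BASE = 0x01005E000000  # fixed 25-bit prefix 01:00:5e + a zero bit


def multicast_ip_to_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC, in Cisco dotted form."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    # Only the low 23 bits of the group address are copied into the MAC.
    mac = MCAST_MAC_BASE | (int(addr) & 0x7FFFFF)
    digits = f"{mac:012x}"
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def groups_sharing_mac(mac: str) -> list[str]:
    """List every IPv4 group that maps to the given multicast MAC (always 32)."""
    value = int(mac.replace(".", ""), 16)
    if value >> 23 != MCAST_MAC_BASE >> 23:
        raise ValueError(f"{mac} is outside 0100.5e00.0000-0100.5e7f.ffff")
    low23 = value & 0x7FFFFF
    # The top 4 bits of the IP are fixed (1110); the next 5 bits are not
    # carried in the MAC, so 2**5 groups collapse onto each MAC address.
    return [
        str(ipaddress.IPv4Address((0b1110 << 28) | (lost << 23) | low23))
        for lost in range(32)
    ]


if __name__ == "__main__":
    # 224.0.0.5 is the address from the post; 224.0.0.6 is shown for comparison.
    for group in ("224.0.0.5", "224.0.0.6"):
        print(f"{group:>12} -> {multicast_ip_to_mac(group)}")

    shared = groups_sharing_mac("0100.5e00.0005")
    print(f"{len(shared)} groups share 0100.5e00.0005:")
    print("  " + ", ".join(shared[:4]) + ", ...")
```

The MAC address in Method 2 is the correct mapping for 224.0.0.5, so a wrong address is not the reason the hellos pass. A filter on that MAC is also coarser than the IP filter, since 31 other groups map to the same address.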
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART