From: Bob Sinclair (bob@bobsinclair.net)
Date: Fri Mar 16 2007 - 15:29:22 ART
Bit Gossip wrote:
> Group,
> my crazy target is to block the OSPF multicast hello packets of 3 routers connected
> to the same switch, VLAN 345.
> I want to use a vlan-map to make it more interesting...
> The first method uses a vlan-map with an IP access-list to filter 224.0.0.5 and works.
> The second method uses a vlan-map with a MAC access-list to filter 0100.5e00.0005,
> which should be the layer 2 mapping for 224.0.0.5.
> The second method doesn't work, meaning that OSPF hellos are not blocked.
> Is this because a vlan-map with a MAC access-list doesn't look at IP packets?
>
YES! Good little demo lab!
> Attached is the config of the 2 vlan-maps.
> Thanks,
> Luca.
>
> Method 1:
>
> vlan access-map NO-OSPF-1 10
> action drop
> match ip address 100
> vlan access-map NO-OSPF-1 20
> action forward
> match ip address 2
>
> access-list 2 permit any
> access-list 100 permit ip any host 224.0.0.5
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Method 2:
>
> mac access-list extended ALL-MAC
> permit any any
> mac access-list extended NO-OSPF-2
> permit any host 0100.5e00.0005
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> vlan access-map NO-OSPF-2 10
> action drop
> match mac address NO-OSPF-2
> vlan access-map NO-OSPF-2 20
> action forward
> match mac address ALL-MAC
>
--Bob Sinclair CCIE 10427 CCSI 30427 www.netmasterclass.net
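
Added example (not part of the original thread, and not Cisco code): a small Python model of why Method 1 drops the hellos and Method 2 does not. It assumes the Catalyst VLAN-map behaviour the reply confirms, namely that MAC access-list clauses are evaluated only for non-IP frames, and that a frame whose type has no match clause in the map is forwarded by default; the frame dictionaries and the 0x88B5 EtherType are constructed sample input.

```python
import ipaddress

ETHERTYPE_IPV4 = 0x0800

def multicast_mac(group):
    """Map an IPv4 multicast group to its MAC: 0100.5e + low 23 bits of the IP."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    raw = (0x01005E000000 | low23).to_bytes(6, "big").hex()
    return ".".join(raw[i:i + 4] for i in (0, 4, 8))  # Cisco dotted notation

# Each entry: (action, clause type, predicate), mirroring the posted maps.
NO_OSPF_1 = [
    ("drop", "ip", lambda f: f["dst_ip"] == "224.0.0.5"),          # access-list 100
    ("forward", "ip", lambda f: True),                             # access-list 2
]
NO_OSPF_2 = [
    ("drop", "mac", lambda f: f["dst_mac"] == "0100.5e00.0005"),   # NO-OSPF-2
    ("forward", "mac", lambda f: True),                            # ALL-MAC
]

def vlan_map_action(vmap, frame):
    """Return 'drop' or 'forward' for one frame under the assumed VACL rules."""
    kind = "ip" if frame["ethertype"] == ETHERTYPE_IPV4 else "mac"
    clauses = [(action, pred) for action, k, pred in vmap if k == kind]
    if not clauses:
        return "forward"        # map has no match clause for this frame type
    for action, pred in clauses:
        if pred(frame):
            return action
    return "drop"               # clauses of this type exist but none matched

# Constructed frames: an OSPF hello, and a non-IP frame to the same MAC.
HELLO = {"ethertype": ETHERTYPE_IPV4, "dst_ip": "224.0.0.5",
         "dst_mac": multicast_mac("224.0.0.5")}
NON_IP = {"ethertype": 0x88B5, "dst_mac": "0100.5e00.0005"}

if __name__ == "__main__":
    for name, vmap in (("NO-OSPF-1", NO_OSPF_1), ("NO-OSPF-2", NO_OSPF_2)):
        print(name, "hello:", vlan_map_action(vmap, HELLO),
              "| non-IP:", vlan_map_action(vmap, NON_IP))
```

The MAC address in Method 2 is the correct layer 2 mapping; the filter fails only because the hello is an IP packet and the map contains no IP match clause.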