RE: Vlan-map for ip and mac

From: Filyurin, Yan (yan.filyurin@eds.com)
Date: Fri Mar 16 2007 - 15:31:03 ART


Pretty much what you said. I actually sent a similar question about 3
days ago to group study. Could it be that since OSPF is considered IP
traffic it can easily get blocked by a VLAN access-map clause that denies
IP, but when using a MAC ACL, OSPF will not get blocked, as it is still IP
traffic? So I guess the guideline seems to be that if you have IP
traffic, use an IP ACL, but if you have non-IP traffic, use a MAC ACL. Where I got
this idea from is here:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3560/12225see/scg/swacl.htm#wp1543691

"
VLAN Maps

Use VLAN ACLs or VLAN maps to access-control all traffic. You can apply
VLAN maps to all packets that are routed into or out of a VLAN or are
bridged within a VLAN in the switch.

Use VLAN maps for security packet filtering. VLAN maps are not defined
by direction (input or output).

You can configure VLAN maps to match Layer 3 addresses for IPv4 traffic.

All non-IP protocols are access-controlled through MAC addresses and
Ethertype using MAC VLAN maps. (IP traffic is not access controlled by
MAC VLAN maps.) You can enforce VLAN maps only on packets going through
the switch; you cannot enforce VLAN maps on traffic between hosts on a
hub or on another switch connected to this switch.
"

So if I understand the last paragraph correctly, if you have a MAC VLAN
map but the traffic is IP, as in the case of OSPF, it would not work.

Yan

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Bit Gossip
Sent: Friday, March 16, 2007 1:13 PM
To: ccielab@groupstudy.com
Subject: Vlan-map for ip and mac

Group,
my crazy target is to block the OSPF multicast hello packets of 3 routers
connected to the same switch VLAN 345; I want to use a vlan-map to make it
more interesting...
The first method uses a vlan-map with an ip access-list to filter 224.0.0.5 and
works. The second method uses a vlan-map with a mac access-list to filter
0100.5e00.0005, which should be the layer 2 mapping for 224.0.0.5.
The second method doesn't work, meaning that OSPF hellos are not blocked.
Is this because a vlan-map with a mac access-list doesn't look at IP
packets?
Attached is the config of the 2 vlan-maps.
Thanks,
Luca.

Method 1:

vlan access-map NO-OSPF-1 10
 action drop
 match ip address 100
vlan access-map NO-OSPF-1 20
 action forward
 match ip address 2

access-list 2 permit any
access-list 100 permit ip any host 224.0.0.5

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Method 2:

mac access-list extended ALL-MAC
 permit any any
mac access-list extended NO-OSPF-2
 permit any host 0100.5e00.0005
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan access-map NO-OSPF-2 10
 action drop
 match mac address NO-OSPF-2
vlan access-map NO-OSPF-2 20
 action forward
 match mac address ALL-MAC
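Added illustration, not code from the thread or from Cisco: a small Python model of the two VLAN maps above that computes the RFC 1112 multicast-to-MAC mapping Luca relies on (224.0.0.5 to 0100.5e00.0005) and applies the quoted rule that MAC clauses are not consulted for IP frames, so the same OSPF hello is dropped by Method 1 and forwarded by Method 2. The "forward when the map has no clause of the frame's type" default and the "drop when clauses of that type exist but none match" rule are assumptions taken from the platform's documented VLAN map behaviour, not statements made in this thread; the sample frames are constructed.

```python
import ipaddress

ETHERTYPE_IPV4 = 0x0800


def ipv4_multicast_mac(group):
    """RFC 1112: 01-00-5e followed by the low 23 bits of the group address,
    returned in Cisco dotted-hex form (224.0.0.5 -> 0100.5e00.0005)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    mac = bytes([0x01, 0x00, 0x5E]) + (int(addr) & 0x7FFFFF).to_bytes(3, "big")
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def evaluate_vlan_map(vlan_map, frame):
    """Return 'drop' or 'forward' for one frame under a VLAN map.
    vlan_map: sequence-ordered list of (acl_type, predicate, action), where
    acl_type is 'ip' or 'mac'. Modelled rules: 'ip' clauses are consulted
    only for IPv4 frames and 'mac' clauses only for non-IP frames; the first
    matching clause wins; if clauses of the frame's type exist but none
    match, the frame is dropped; if the map has no clause of the frame's
    type at all, the frame is forwarded (assumed platform default)."""
    frame_type = "ip" if frame["ethertype"] == ETHERTYPE_IPV4 else "mac"
    saw_type = False
    for acl_type, pred, action in vlan_map:
        if acl_type != frame_type:
            continue
        saw_type = True
        if pred(frame):
            return action
    return "drop" if saw_type else "forward"


# Method 1 from the post: ACL 100 (ip any host 224.0.0.5) drop, ACL 2 forward
NO_OSPF_1 = [("ip", lambda f: f["dst_ip"] == "224.0.0.5", "drop"),
             ("ip", lambda f: True, "forward")]
# Method 2 from the post: MAC ACL NO-OSPF-2 drop, then MAC ACL ALL-MAC forward
NO_OSPF_2 = [("mac", lambda f: f["dst_mac"] == "0100.5e00.0005", "drop"),
             ("mac", lambda f: True, "forward")]

# Constructed sample frames: an OSPF hello (IPv4 to AllSPFRouters) and an
# ARP request (non-IP, broadcast), both as they would appear on VLAN 345.
OSPF_HELLO = {"ethertype": ETHERTYPE_IPV4, "dst_ip": "224.0.0.5",
              "dst_mac": ipv4_multicast_mac("224.0.0.5")}
ARP_REQUEST = {"ethertype": 0x0806, "dst_mac": "ffff.ffff.ffff"}


def compare_methods(frame):
    """Actions of (Method 1, Method 2) for one frame."""
    return (evaluate_vlan_map(NO_OSPF_1, frame), evaluate_vlan_map(NO_OSPF_2, frame))
```

Running compare_methods(OSPF_HELLO) gives ('drop', 'forward'), matching what Luca observed; the ARP request passes both maps because Method 1 has no MAC clause and Method 2's ALL-MAC entry forwards it.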



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART