RE: Vlan-map for ip and mac

From: Todd, Douglas M. (DTODD@PARTNERS.ORG)
Date: Fri Mar 16 2007 - 15:31:33 ART


Funny thing -
I have two escalation engineers working on the same problem for me (but not CCIE
related this time). The problem is strictly with MAC ACLs and VACLs with IP-related
traffic (or multicast).

I would go for using a MAC access-list on the inbound port:

int f0/1
mac access-group NO-OSPF-1

DMT

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Bit Gossip
> Sent: Friday, March 16, 2007 2:13 PM
> To: ccielab@groupstudy.com
> Subject: Vlan-map for ip and mac
>
> Group,
> My crazy target is to block the OSPF multicast hello packets of 3
> routers connected to the same switch VLAN 345. I want to use a
> vlan-map to make it more interesting...
> The first method uses a vlan-map with an IP access-list to filter
> 224.0.0.5 and works.
> The second method uses a vlan-map with a MAC access-list to filter
> 0100.5e00.0005, which should be the layer 2 mapping for 224.0.0.5.
> The second method doesn't work, meaning that OSPF hellos are
> not blocked.
> Is this because a vlan-map with a MAC access-list doesn't look
> at IP packets?
> Attached is the config of the 2 vlan-maps.
> Thanks,
> Luca.
>
> Method 1:
>
> vlan access-map NO-OSPF-1 10
> action drop
> match ip address 100
> vlan access-map NO-OSPF-1 20
> action forward
> match ip address 2
>
> access-list 2 permit any
> access-list 100 permit ip any host 224.0.0.5
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Method 2:
>
> mac access-list extended ALL-MAC
> permit any any
> mac access-list extended NO-OSPF-2
> permit any host 0100.5e00.0005
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> vlan access-map NO-OSPF-2 10
> action drop
> match mac address NO-OSPF-2
> vlan access-map NO-OSPF-2 20
> action forward
> match mac address ALL-MAC
>
>

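Added example, not part of the original messages: the RFC 1112 mapping from an IPv4 multicast group to its Ethernet MAC, printed in Cisco dotted notation, confirming that 224.0.0.5 maps to 0100.5e00.0005. It also lists the other groups that share that MAC, since only 23 bits of the group address are copied and a filter on the MAC alone covers all 32 of them. The function names are chosen here for illustration.

```python
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # 01:00:5e with the following bit fixed at 0
LOW23 = 0x7FFFFF                    # bits of the group address copied into the MAC


def multicast_mac(group: str) -> str:
    """Return the Ethernet MAC for an IPv4 multicast group, as xxxx.xxxx.xxxx."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW23)
    digits = f"{mac:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def groups_sharing_mac(mac: str) -> list:
    """Return the 32 IPv4 multicast groups that map onto one multicast MAC."""
    value = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    if value >> 23 != MCAST_MAC_PREFIX >> 23:
        raise ValueError(f"{mac} is not in the IPv4 multicast MAC range")
    low23 = value & LOW23
    # 224.0.0.0/4 fixes the top 4 bits; the next 5 bits are lost in the mapping.
    return [
        str(ipaddress.IPv4Address((0xE0 << 24) | (lost << 23) | low23))
        for lost in range(32)
    ]


if __name__ == "__main__":
    for g in ("224.0.0.5", "224.0.0.6"):   # AllSPFRouters, AllDRouters
        print(g, "->", multicast_mac(g))
    print(groups_sharing_mac("0100.5e00.0005"))
```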



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART