From: Filyurin, Yan (yan.filyurin@eds.com)
Date: Fri Mar 16 2007 - 15:53:47 ART
So would a mac access-list on a port take care of both the IP and non-IP
traffic?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Todd, Douglas M.
Sent: Friday, March 16, 2007 1:32 PM
To: Bit Gossip; ccielab@groupstudy.com
Subject: RE: Vlan-map for ip and mac
Funny thing -
I have two escalation engineers working on the same problem for me (but
not ccie related this time). Problem is strictly with mac acls and vacls
with ip related traffic (or multicast).
I would go for using a mac access-list on the inbound port
int f0/1
 mac access-group NO-OSPF-1
DMT
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Bit Gossip
> Sent: Friday, March 16, 2007 2:13 PM
> To: ccielab@groupstudy.com
> Subject: Vlan-map for ip and mac
>
> Group,
> my crazy target is to block OSPF multicast hello packets of 3 routers
> connected to the same switch, VLAN 345. I want to use a vlan-map to make
> it more interesting...
> The first method uses a vlan-map with an IP access-list to filter
> 224.0.0.5, and it works. The second method uses a vlan-map with a MAC
> access-list to filter 0100.5e00.0005, which should be the layer 2
> mapping for 224.0.0.5.
> The second method doesn't work, meaning that OSPF hellos are not
> blocked.
> Is this because a vlan-map with a MAC access-list doesn't look at IP
> packets?
> Attached is the config of the 2 vlan-maps.
> Thanks,
> Luca.
>
> Method 1:
>
> vlan access-map NO-OSPF-1 10
>  action drop
>  match ip address 100
> vlan access-map NO-OSPF-1 20
>  action forward
>  match ip address 2
>
> access-list 2 permit any
> access-list 100 permit ip any host 224.0.0.5
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Method 2:
>
> mac access-list extended ALL-MAC
>  permit any any
> mac access-list extended NO-OSPF-2
>  permit any host 0100.5e00.0005
> spanning-tree mode pvst
> spanning-tree extend system-id
> !
> !
> vlan access-map NO-OSPF-2 10
>  action drop
>  match mac address NO-OSPF-2
> vlan access-map NO-OSPF-2 20
>  action forward
>  match mac address ALL-MAC
>
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART
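
The layer 2 mapping mentioned in the thread (224.0.0.5 to 0100.5e00.0005), worked through as an added example that is not part of the original messages. It generalizes to any IPv4 group and also lists every group that shares one MAC, which is what a filter on the MAC address alone would match. The function names are hypothetical.

```python
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # fixed 01-00-5e prefix, bit 23 always 0
LOW23_MASK = 0x7FFFFF               # only the low 23 bits of the group are copied


def multicast_mac(group):
    """Return the Ethernet MAC for an IPv4 multicast group, in Cisco dotted form."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW23_MASK)
    digits = f"{mac:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def groups_sharing_mac(mac):
    """Return the 32 IPv4 groups that all map to the given multicast MAC."""
    value = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    # Everything above the low 23 bits must equal the fixed prefix.
    if value >> 23 != MCAST_MAC_PREFIX >> 23:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    low23 = value & LOW23_MASK
    # The 5 bits between the 1110 class D prefix and the low 23 bits are
    # not carried in the MAC, so 2**5 groups collapse onto one address.
    return [
        str(ipaddress.IPv4Address((0b1110 << 28) | (hi << 23) | low23))
        for hi in range(32)
    ]


if __name__ == "__main__":
    mac = multicast_mac("224.0.0.5")      # OSPF AllSPFRouters
    print("224.0.0.5 ->", mac)
    for g in groups_sharing_mac(mac):
        print("  also maps here:", g)
```
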