From: Todd, Douglas M. (DTODD@PARTNERS.ORG)
Date: Fri Mar 16 2007 - 16:16:53 ART
Seems to work by this data:
(A debug while on this rule seems to be a problem with the 224.0.0.5 rate-limit, so be careful; could be my setup.)
Rack14R2#ping 162.14.27.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.14.27.7, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
Rack14R2#ping 224.0.0.5
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.5, timeout is 2 seconds:
Reply to request 0 from 41.14.2.2, 1 ms
Reply to request 0 from 162.14.0.3, 112 ms
Rack14R2#
On the switch:
interface FastEthernet0/13
mac access-group OSPF in
Extended MAC access list OSPF
deny host 0100.5e00.0005 any
Neighbor ID Pri State Dead Time Address Interface
41.14.2.2 1 EXSTART/DR 00:00:38 162.14.27.2 Vlan27
Rack14SW4#
> -----Original Message-----
> From: Filyurin, Yan [mailto:yan.filyurin@eds.com]
> Sent: Friday, March 16, 2007 2:54 PM
> To: Todd, Douglas M.; Bit Gossip; ccielab@groupstudy.com
> Subject: RE: Vlan-map for ip and mac
>
> So would a mac access-list on a port take care of both the IP
> and non-IP traffic?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Todd, Douglas M.
> Sent: Friday, March 16, 2007 1:32 PM
> To: Bit Gossip; ccielab@groupstudy.com
> Subject: RE: Vlan-map for ip and mac
>
> Funny thing -
> I have two escalation engineers working on the same problem
> for me (but not ccie related this time). Problem is strictly
> with mac acls and vacls with ip related traffic (or multicast).
>
>
> I would go for using a mac access-list on the inbound port
>
> int f0/1
> mac access-group NO-OSPF-1
>
> DMT
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Bit Gossip
> > Sent: Friday, March 16, 2007 2:13 PM
> > To: ccielab@groupstudy.com
> > Subject: Vlan-map for ip and mac
> >
> > Group,
> > my crazy target is to block OSPF multicast hello packets of 3 routers
> > connected to the same switch vlan 345. I want to use a vlan-map to make
> > it more interesting...
> > First method uses vlan-map with ip access-list to filter
> > 224.0.0.5 and works. Second method uses vlan-map with mac access-list
> > to filter 0100.5e00.0005 which should be the layer 2 mapping for
> > 224.0.0.5.
> > The second method doesn't work, meaning that OSPF hellos are not
> > blocked.
> > Is this because a vlan-map with mac access-list doesn't look at ip
> > packets?
> > Attached the config of the 2 vlan-map
> > Thanks,
> > Luca.
> >
> > Method 1:
> >
> > vlan access-map NO-OSPF-1 10
> > action drop
> > match ip address 100
> > vlan access-map NO-OSPF-1 20
> > action forward
> > match ip address 2
> >
> > access-list 2 permit any
> > access-list 100 permit ip any host 224.0.0.5
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Method 2:
> >
> > mac access-list extended ALL-MAC
> > permit any any
> > mac access-list extended NO-OSPF-2
> > permit any host 0100.5e00.0005
> > spanning-tree mode pvst
> > spanning-tree extend system-id
> > !
> > !
> > vlan access-map NO-OSPF-2 10
> > action drop
> > match mac address NO-OSPF-2
> > vlan access-map NO-OSPF-2 20
> > action forward
> > match mac address ALL-MAC
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
> The information transmitted in this electronic communication
> is intended only for the person or entity to whom it is
> addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other
> use of or taking of any action in reliance upon this
> information by persons or entities other than the intended
> recipient is prohibited. If you received this information in
> error, please contact the Compliance HelpLine at 800-856-1983
> and properly dispose of this information.
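Added example, not code from the thread or from any of the posters: a small Python script that checks Luca's statement that 0100.5e00.0005 is the Layer 2 mapping of 224.0.0.5 by implementing the RFC 1112 IPv4 multicast-to-MAC mapping, and that enumerates the 32 groups whose frames carry that same MAC. That enumeration is the caveat a MAC-level filter such as NO-OSPF-2, or the port-level OSPF MAC ACL shown above, carries: only the low 23 bits of the group address survive in the MAC, so the filter drops every group that shares them, not OSPF alone. Whether a MAC ACL is even evaluated against IP packets is platform dependent (several Catalyst configuration guides document MAC ACLs and the VLAN-map `match mac address` clause as applying to non-IP traffic), so verifying on the real switch, as the thread does, remains the right check. Function and constant names below are my own.

```python
"""IPv4 multicast group <-> Ethernet MAC mapping (RFC 1112, section 6.4).

Added example; not code from the mailing-list thread. Names are my own.
"""
import ipaddress

# Every IPv4 multicast MAC starts with the 01-00-5E OUI with bit 23 clear;
# only the low 23 bits of the group address are carried in the MAC.
MCAST_MAC_BASE = 0x01005E000000
LOW23_MASK = 0x7FFFFF


def to_cisco_mac(mac_int: int) -> str:
    """Render a 48-bit integer in Cisco's dotted-hex notation (0100.5e00.0005)."""
    h = f"{mac_int:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_cisco_mac(mac: str) -> int:
    """Parse 0100.5e00.0005; also accepts 01:00:5e:00:00:05 and 01-00-5e-00-00-05."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def ipv4_multicast_to_mac(group: str) -> str:
    """Return the Cisco-formatted MAC that frames for this IPv4 group carry."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return to_cisco_mac(MCAST_MAC_BASE | (int(addr) & LOW23_MASK))


def groups_for_mac(mac: str) -> list[str]:
    """All 32 IPv4 multicast groups whose frames carry this MAC.

    The mapping discards the top 5 bits of the 28-bit group id, so a
    MAC-level ACE on 0100.5e00.0005 matches more than just 224.0.0.5.
    """
    mac_int = parse_cisco_mac(mac)
    if (mac_int & ~LOW23_MASK) != MCAST_MAC_BASE:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = mac_int & LOW23_MASK
    return [
        str(ipaddress.IPv4Address(0xE0000000 | (high5 << 23) | low23))
        for high5 in range(32)
    ]


if __name__ == "__main__":
    # Groups from the thread plus two that collide with the OSPF AllSPFRouters MAC.
    for g in ("224.0.0.5", "224.0.0.6", "224.128.0.5", "239.128.0.5"):
        print(f"{g:>12} -> {ipv4_multicast_to_mac(g)}")
    hits = groups_for_mac("0100.5e00.0005")
    others = [h for h in hits if h != "224.0.0.5"]
    print(f"\n'permit any host 0100.5e00.0005' also matches {len(others)} other groups:")
    print(", ".join(others))
```

Run it as a script to see the collision list; the same two functions can be pointed at any `host` MAC in a `mac access-list extended` to see which IP groups an ACE would actually catch.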
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART