Re: Vlan-map for ip and mac

From: Bit Gossip (bit.gossip@chello.nl)
Date: Sat Mar 17 2007 - 04:38:07 ART


Hi Yan and group,
I have tested the scenario of an extended mac acl applied to a switchport
and indeed it doesn't block IP traffic, OSPF in this particular instance.
Thanks,
Luca.

mac access-list extended NO-OSPF-3
 deny any host 0100.5e00.0005
 permit any any
!
interface FastEthernet1/0/4
 switchport access vlan 345
 switchport mode access
 speed 100
 duplex full
 mac access-group NO-OSPF-3 in

----- Original Message -----
From: "Filyurin, Yan" <yan.filyurin@eds.com>
To: "Todd, Douglas M." <DTODD@PARTNERS.ORG>; "Bit Gossip"
<bit.gossip@chello.nl>; <ccielab@groupstudy.com>
Sent: Saturday, March 17, 2007 5:33 AM
Subject: RE: Vlan-map for ip and mac

Actually I checked a few materials and one IEWB lab solution set and it
turns out that when you do a mac access list it only applies to non-IP traffic,
but I was pretty sure in one of my setups I saw it work.

So could someone tell for sure if mac address access lists, when applied
to regular switchports, will work for IP traffic or whether it has to be non-IP
traffic? Opinions count too! :)

-----Original Message-----
From: Todd, Douglas M. [mailto:DTODD@PARTNERS.ORG]
Sent: Friday, March 16, 2007 2:17 PM
To: Filyurin, Yan; Bit Gossip; ccielab@groupstudy.com
Subject: RE: Vlan-map for ip and mac

Seems to work by this data:
(A debug while on this rule seems to be a problem with the 224.0.0.5
rate-limit, so be careful (could be my setup).)

Rack14R2#ping 162.14.27.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 162.14.27.7, timeout is 2 seconds:
..
Success rate is 0 percent (0/2)
Rack14R2#ping 224.0.0.5

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.5, timeout is 2 seconds:

Reply to request 0 from 41.14.2.2, 1 ms
Reply to request 0 from 162.14.0.3, 112 ms
Rack14R2#

On the switch:

interface FastEthernet0/13
 mac access-group OSPF in

Extended MAC access list OSPF
    deny host 0100.5e00.0005 any

Neighbor ID     Pri   State        Dead Time   Address        Interface
41.14.2.2         1   EXSTART/DR   00:00:38    162.14.27.2    Vlan27
Rack14SW4#

> -----Original Message-----
> From: Filyurin, Yan [mailto:yan.filyurin@eds.com]
> Sent: Friday, March 16, 2007 2:54 PM
> To: Todd, Douglas M.; Bit Gossip; ccielab@groupstudy.com
> Subject: RE: Vlan-map for ip and mac
>
> So would a mac access-list on a port take care of both the IP and
> non-IP traffic?
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of Todd, Douglas M.
> Sent: Friday, March 16, 2007 1:32 PM
> To: Bit Gossip; ccielab@groupstudy.com
> Subject: RE: Vlan-map for ip and mac
>
> Funny thing -
> I have two escalation engineers working on the same problem for me
> (but not ccie related this time). Problem is strictly with mac acls
> and vacls with ip related traffic (or multicast).
>
>
> I would go for using a mac access-list on the inbound port
>
> int f0/1
> mac access-group NO-OSPF-1
>
> DMT
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of Bit Gossip
> > Sent: Friday, March 16, 2007 2:13 PM
> > To: ccielab@groupstudy.com
> > Subject: Vlan-map for ip and mac
> >
> > Group,
> > my crazy target is to block OSPF multicast hello packets of 3 routers
> > connected to the same switch vlan 345. I want to use a vlan-map to make
> > it more interesting...
> > First method uses a vlan-map with ip access-list to filter
> > 224.0.0.5 and works. Second method uses a vlan-map with mac access-list
> > to filter 0100.5e00.0005 which should be the layer 2 mapping for
> > 224.0.0.5.
> > The second method doesn't work, meaning that OSPF hellos are not
> > blocked.
> > Is this because a vlan-map with mac access-list doesn't look at ip
> > packets?
> > Attached is the config of the 2 vlan-maps. Thanks, Luca.
> >
> > Method 1:
> >
> > vlan access-map NO-OSPF-1 10
> > action drop
> > match ip address 100
> > vlan access-map NO-OSPF-1 20
> > action forward
> > match ip address 2
> >
> > access-list 2 permit any
> > access-list 100 permit ip any host 224.0.0.5
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Method 2:
> >
> > mac access-list extended ALL-MAC
> > permit any any
> > mac access-list extended NO-OSPF-2
> > permit any host 0100.5e00.0005
> > spanning-tree mode pvst
> > spanning-tree extend system-id
> > !
> > !
> > vlan access-map NO-OSPF-2 10
> > action drop
> > match mac address NO-OSPF-2
> > vlan access-map NO-OSPF-2 20
> > action forward
> > match mac address ALL-MAC
> >

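The layer 2 mapping Luca relies on (224.0.0.5 to 0100.5e00.0005) is the RFC 1112 rule: the low 23 bits of the IPv4 group address are copied under the 01:00:5e OUI, so 32 different groups share each multicast MAC. The Python below is an added example, not part of this thread or any poster's config; it computes that mapping and lists the aliased groups, which is the check worth doing before a MAC-based filter is relied on (function names are my own).

```python
import ipaddress

# IANA OUI used for IPv4 multicast MAC addresses (RFC 1112, section 6.4)
MCAST_OUI = 0x01005E
# Only the low-order 23 bits of the group address survive in the MAC
LOW23_MASK = 0x7FFFFF


def mcast_ip_to_mac(group: str) -> str:
    """Return the Ethernet MAC for an IPv4 multicast group in Cisco
    dotted form (e.g. 224.0.0.5 -> '0100.5e00.0005')."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (MCAST_OUI << 24) | (int(ip) & LOW23_MASK)
    h = f"{mac:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def groups_sharing_mac(group: str) -> list[str]:
    """All 32 IPv4 multicast groups that map to the same MAC as `group`.
    The 5 group bits above the low 23 (bits 23..27) are not carried in
    the MAC, so every combination of them collides."""
    low23 = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    return [
        str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
        for hi in range(32)
    ]


def mac_filter_collateral(group: str) -> list[str]:
    """Groups other than `group` that a MAC ACE written for `group`'s
    MAC would also match; useful to confirm a MAC filter for one group
    does not silently hit unrelated traffic."""
    return [g for g in groups_sharing_mac(group) if g != group]


if __name__ == "__main__":
    for g in ("224.0.0.5", "224.0.0.6"):
        print(g, "->", mcast_ip_to_mac(g))
    print("also matched by a filter on 0100.5e00.0005:",
          mac_filter_collateral("224.0.0.5")[:3], "...")
```

Note that 224.0.0.6 (the OSPF DR/BDR group) maps to a different MAC, so the two OSPF groups are not aliased with each other.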



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART