RE: filtering multicast frames, filter 0100.0ccd.cdd0

From: Alex Steer (alex.steer@eison.co.uk)
Date: Thu Sep 20 2007 - 04:43:33 ART


Chaps,

Thank you for all your suggestions.

Although the vlan filter is a great suggestion (actually fills my
requirements from my original question, which I asked poorly) I
actually need to filter RIP updates off the port.

Reto, with regard to your question (I think about direction): the host
whose updates I am trying to block is on port 24.
deny any host 0100.5e00.0009, I have tried being more specific by:-
deny host 0001.0001.000.1 host 0100.5e00.0009

but, as Dave stated, you must not be able to filter IP frames (I was
unaware).

I was also under the impression that L3 access-lists would not work on an
L2 access port. I've tried it and Antonio is right, it works perfectly!

Well, that turned out to be a lot easier than I thought. I'm
over-complicating things.

On a separate note, has anyone tried to filter off Cisco-specific frames
such as CDP/DTP/VTP/UDLD with the destination MAC address
0100.0ccd.cdd0? I've tried to filter these off trunk ports but with no
success. Has anyone had any success with this?
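Added example, not code from the thread: it works out why a MAC ACL on 0100.5e00.0009 is a coarser match than an IP ACL on 224.0.0.9. The RFC 1112 mapping copies only the low 23 bits of an IPv4 multicast group into the 01-00-5e MAC, so 32 different groups land on each destination MAC; the functions below compute the mapping and list the groups that share it (function names are my own).

```python
# Added example: IPv4 multicast group -> Ethernet destination MAC (RFC 1112,
# section 6.4) and the 32-to-1 ambiguity that makes a MAC filter broader than
# an IP ACL. Function names and sample groups are constructed for illustration.
import ipaddress

MCAST_OUI = 0x01005E  # IANA OUI prefix used for all IPv4 multicast MACs


def group_to_mac(group: str) -> str:
    """Return the Cisco-style dotted MAC (xxxx.xxxx.xxxx) for an IPv4 multicast group.

    Only the low 23 bits of the group address go into the MAC; the top 5 bits
    of the 28-bit group id are dropped, so 32 groups share every MAC.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    mac = (MCAST_OUI << 24) | low23
    hexstr = f"{mac:012x}"
    return ".".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def groups_sharing_mac(group: str) -> list:
    """List every IPv4 multicast group that maps to the same MAC as `group`."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    base = 0xE0000000  # 224.0.0.0: the high nibble 1110 is fixed for class D
    # Bits 23..27 of the group address (5 bits) are not carried in the MAC,
    # so every value of those bits yields a group with the same MAC.
    return [str(ipaddress.IPv4Address(base | (hi << 23) | low23)) for hi in range(32)]


def mac_filter_also_drops(group: str, other: str) -> bool:
    """True if a MAC ACL aimed at `group` would also drop frames for `other`."""
    return group_to_mac(group) == group_to_mac(other)


if __name__ == "__main__":
    print(group_to_mac("224.0.0.9"))  # RIPv2 group -> 0100.5e00.0009
    for g in groups_sharing_mac("224.0.0.9")[:4]:
        print(g)  # 224.0.0.9, 224.128.0.9, 225.0.0.9, 225.128.0.9, ...
    print(mac_filter_also_drops("224.0.0.9", "239.128.0.9"))  # True
```

Matching the IP ACL on 224.0.0.9 (or on UDP port 520) stays exact, whereas the MAC entry also drops any of the other 31 groups if a host ever uses one.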

-----Original Message-----
From: Joseph Brunner [mailto:joe@affirmedsystems.com]
Sent: 20 September 2007 04:36
To: 'Marvin Greenlee'; 'Antonio Soares'; Alex Steer;
ccielab@groupstudy.com
Subject: RE: filtering multicast frames

Excuse me, Antonio and Marvin,

Upon more careful application the original config works. I was under the
impression IP ACLs could not be applied to ports in L2 mode on a
3550|60.

Thanks for the multicast storm control tip Marvin. I have read that before
on the DOC CD, but it didn't stick out...

These 4 hour drill-downs I'm doing are really helping with these tasks...
Going to do one for all these tasks tomorrow night...
-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Marvin Greenlee
Sent: Wednesday, September 19, 2007 10:39 PM
To: 'Joseph Brunner'; 'Antonio Soares'; 'Alex Steer';
ccielab@groupstudy.com
Subject: RE: filtering multicast frames

Not sure exactly what you mean by "SWITCHPORT mode; an ip acl won't work",
it worked fine for me in testing.

RouterA---Switch---RouterB

L3 ACL on switch applied to port connected to router A prevents RIP updates
from getting to RouterB. (Router A and Router B in same VLAN)

Regarding storm-control not working, see the note in the command reference:

"...Note If a multicast storm control suppression level is exceeded on a
switch, all traffic (multicast, unicast, and broadcast) is blocked until the
multicast traffic rate drops below the threshold. Only spanning-tree packets
are passed. If the broadcast or the unicast storm control suppression level
is exceeded, only that type of traffic is blocked until the rate drops below
the threshold..."

Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
Mailto: mgreenlee@ipexpert.com

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab
Certifications.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Joseph Brunner
Sent: Wednesday, September 19, 2007 9:38 PM
To: 'Antonio Soares'; 'Alex Steer'; ccielab@groupstudy.com
Subject: RE: filtering multicast frames

You should see other options Antonio, you're a general, I'm a private first
class.

The port is in SWITCHPORT mode; an IP ACL won't work.

Just ran your config in my lab, where my R4 is currently running RIPv2 with
BB2, still got RIP routes...

But, you can do this with a VACL...

vlan access-map BLOCKRIP 10
 action drop
 match ip address norip
vlan access-map BLOCKRIP 20
 action forward
!
vlan filter BLOCKRIP vlan-list 102
!

ip access-list extended norip
 permit ip any host 224.0.0.9

Can anyone think of other ways to block RIP on a switch?

I tried "storm-control multicast level 0.00" but the port stopped forwarding
traffic altogether (even ping, telnet)

-Joe
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:14 ART