RE: filtering multicast frames

From: Antonio Soares (amsoares@netcabo.pt)
Date: Thu Sep 20 2007 - 06:35:20 ART


Joe,

Still an IP ACL...

Regards,

Antonio Soares
CCIE #18473, CCNP, CCIP

-----Original Message-----
From: Joseph Brunner [mailto:joe@affirmedsystems.com]
Sent: Thursday, 20 September 2007 2:38
To: 'Antonio Soares'; 'Alex Steer'; ccielab@groupstudy.com
Subject: RE: filtering multicast frames

You should see other options Antonio, you're a general, I'm a private first
class.

The port is in SWITCHPORT mode; an ip acl won't work.

Just ran your config in my lab, where my R4 is currently running ripv2 with
BB2, still got rip routes...

But, you do this with a vacl...

vlan access-map BLOCKRIP 10
 action drop
 match ip address norip
vlan access-map BLOCKRIP 20
 action forward
!
vlan filter BLOCKRIP vlan-list 102
!

ip access-list extended norip
 permit ip any host 224.0.0.9

Can anyone think of other ways to block rip on a switch?

I tried "storm-control multicast level 0.00", but the port stopped forwarding
traffic altogether (even ping, telnet).

-Joe

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Antonio Soares
Sent: Wednesday, September 19, 2007 7:16 PM
To: 'Alex Steer'; ccielab@groupstudy.com
Subject: RE: filtering multicast frames

MAC ACLs are only valid for non-IP Traffic. See this link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html#wp1177176

So to accomplish what you want you have to do it at IP level:

!
ip access-list extended NO-RIP
 deny ip any host 224.0.0.9
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group NO-RIP in
!

I don't see any other options right now.

Regards,

Antonio Soares
CCIE #18473, CCNP, CCIP

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alex Steer
Sent: Wednesday, 19 September 2007 23:36
To: ccielab@groupstudy.com
Subject: filtering multicast frames

Hi

Has anybody got an idea what I'm doing wrong here please?

mac access-list extended rip
 deny any host 0100.5e00.0009
 deny any any
!
interface FastEthernet0/24
 switchport access vlan 110
 switchport mode access
 mac access-group rip in
!

Seems a simple task to me but I figure I must be missing something vital.

Thanks in advance

Alex
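As an added example (not from any poster in this thread and not Cisco code), the following Python model shows why the three approaches above behave as reported: a MAC ACL on these Catalyst platforms is consulted only for non-IP frames, so Alex's list never sees the RIP update; Joe's VLAN access-map is evaluated for every packet in the VLAN, and a sequence with no match clause matches everything. It also shows the mapping from 224.0.0.9 to 0100.5e00.0009 and the gotcha that a deny entry inside an ACL referenced by a VACL match clause only means "this clause does not match", so Antonio's NO-RIP list works in a VACL only under an action forward sequence. The frame names, host addresses and the NO-RIP-under-forward variant are my own assumptions; the port-level ip access-group behaviour Joe reports is not modelled.

```python
"""Constructed model of MAC ACL vs VACL handling of RIPv2 multicast.
Not Cisco code; rules follow the thread and Cisco's VACL documentation."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
RIP_V2_GROUP = "224.0.0.9"


def ipv4_multicast_to_mac(addr: str) -> str:
    """IPv4 group -> IEEE 802 multicast MAC (RFC 1112 s6.4): prefix 01-00-5e
    plus the low 23 bits of the group, in Cisco dotted-hex form. Only 23 bits
    survive, so 32 groups share each MAC (e.g. 224.0.0.9 and 224.128.0.9)."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "0100.5e%02x.%04x" % (low23 >> 16, low23 & 0xFFFF)


@dataclass
class Frame:
    name: str
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


def _addr_matches(spec: str, value: str) -> bool:
    """ACE address syntax supported here: 'any' or 'host X'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return value == spec[5:]
    raise ValueError(f"unsupported address spec: {spec}")


def acl_lookup(acl, src: str, dst: str) -> str:
    """Entries are (action, src_spec, dst_spec), first match wins, implicit deny."""
    for action, src_spec, dst_spec in acl:
        if _addr_matches(src_spec, src) and _addr_matches(dst_spec, dst):
            return action
    return "deny"


def mac_acl_filter(frame: Frame, mac_acl) -> str:
    """Alex's approach. A MAC ACL is consulted only for non-IP frames, so an
    IP frame (RIP, ping, telnet) passes regardless of the MAC ACL contents."""
    if frame.ethertype == ETHERTYPE_IP:
        return "forward"
    return "forward" if acl_lookup(mac_acl, frame.src_mac, frame.dst_mac) == "permit" else "drop"


def vacl_filter(frame: Frame, access_map, acls) -> str:
    """Joe's approach. Sequences are tried in order; a sequence with no match
    clause matches every packet; a packet *permitted* by an ACL named in a
    match clause takes that sequence's action; a deny in that ACL only means
    'this clause does not match'. If no sequence matches, the packet is dropped.
    Non-IP frames are out of scope for this model."""
    if frame.ethertype != ETHERTYPE_IP:
        raise ValueError("model covers IP frames only")
    for seq in access_map:
        if not seq["match"]:
            return seq["action"]
        for acl_name in seq["match"]:
            if acl_lookup(acls[acl_name], frame.src_ip, frame.dst_ip) == "permit":
                return seq["action"]
    return "drop"


# Constructed traffic: R4's RIPv2 update plus traffic that must keep flowing.
FRAMES = [
    Frame("rip-update", "0000.0c04.0004", ipv4_multicast_to_mac(RIP_V2_GROUP),
          ETHERTYPE_IP, "10.1.102.4", RIP_V2_GROUP),
    Frame("ping", "0000.0c04.0004", "0000.0c01.0001", ETHERTYPE_IP, "10.1.102.4", "10.1.102.1"),
    Frame("telnet", "0000.0c04.0004", "0000.0c01.0001", ETHERTYPE_IP, "10.1.102.4", "10.1.102.1"),
    Frame("arp-request", "0000.0c04.0004", "ffff.ffff.ffff", ETHERTYPE_ARP),
]

MAC_ACL_RIP = [("deny", "any", "host 0100.5e00.0009"), ("deny", "any", "any")]  # Alex
ACLS = {
    "norip": [("permit", "any", "host 224.0.0.9")],                              # Joe
    "NO-RIP": [("deny", "any", "host 224.0.0.9"), ("permit", "any", "any")],     # Antonio
}
VACL_BLOCKRIP = [
    {"seq": 10, "action": "drop", "match": ["norip"]},
    {"seq": 20, "action": "forward", "match": []},
]
# Assumed variant: Antonio's list reused in a VACL. Its deny entry cannot drop
# anything, so it must sit under 'action forward'; RIP then falls to the
# implicit drop at the end of the map.
VACL_NORIP_AS_FORWARD = [{"seq": 10, "action": "forward", "match": ["NO-RIP"]}]


def run() -> dict:
    """Classify every constructed frame under each filter; returns a table."""
    results = {}
    for f in FRAMES:
        row = {"mac_acl": mac_acl_filter(f, MAC_ACL_RIP)}
        if f.ethertype == ETHERTYPE_IP:
            row["vacl_blockrip"] = vacl_filter(f, VACL_BLOCKRIP, ACLS)
            row["vacl_norip_fwd"] = vacl_filter(f, VACL_NORIP_AS_FORWARD, ACLS)
        results[f.name] = row
    return results


if __name__ == "__main__":
    for name, row in run().items():
        print(f"{name:12s} {row}")
```

Running it shows the RIP update forwarded by the MAC ACL but dropped by both VACL variants, ping and telnet forwarded by everything, and the ARP request dropped by Alex's MAC ACL because its trailing deny any any does apply to non-IP frames.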



This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:14 ART