From: Matthew Long (mlong@comms-care.com)
Date: Thu Sep 20 2007 - 08:09:23 ART
Joe,
Why a VACL? A vacl is used to restrict traffic within a Vlan, surely the
requirement is to restrict the traffic entering the vlan interface on
the switch which is where it is processed by the routing protocol.
Also, you should be aware that although a switchport is only a layer 2
port, they do also have the ability to understand layer 3 information;
for example, here I am applying a layer 3 ACL to a switchport.
HALL_3560_SW1(config)#ip access-list ext rip
HALL_3560_SW1(config-ext-nacl)#deny ip any host 224.0.0.9
HALL_3560_SW1(config-ext-nacl)#permit ip any any
HALL_3560_SW1(config-ext-nacl)#int f0/40
HALL_3560_SW1(config-if)#ip access-group rip in
HALL_3560_SW1(config-if)#
HALL_3560_SW1(config-if)#do sh run int f0/40
Building configuration...
Current configuration : 355 bytes
!
interface FastEthernet0/40
switchport mode access
switchport voice vlan 2
ip access-group rip in
spanning-tree portfast
spanning-tree bpduguard enable
end
Alex, what were you trying to do in the first place?
-----Original Message-----
From: Joseph Brunner [mailto:joe@affirmedsystems.com]
Sent: Thursday, September 20, 2007 2:38
To: 'Antonio Soares'; 'Alex Steer'; ccielab@groupstudy.com
Subject: RE: filtering multicast frames
You should see other options Antonio, you're a general, I'm a private first class.
The port is in SWITCHPORT mode; an ip acl won't work.
Just ran your config in my lab, where my R4 is currently running ripv2 with BB2, still got rip routes...
But, you do this with a vacl...
vlan access-map BLOCKRIP 10
action drop
match ip address norip
vlan access-map BLOCKRIP 20
action forward
!
vlan filter BLOCKRIP vlan-list 102
!
ip access-list extended norip
permit ip any host 224.0.0.9
Can anyone think of other ways to block rip on a switch?
I tried "storm-control multicast level 0.00" but the port stopped forwarding traffic altogether (even ping, telnet)
-Joe
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Wednesday, September 19, 2007 7:16 PM
To: 'Alex Steer'; ccielab@groupstudy.com
Subject: RE: filtering multicast frames
MAC ACLs are only valid for non-IP Traffic. See this link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swacl.html#wp1177176
So to accomplish what you want you have to do it at IP level:
!
ip access-list extended NO-RIP
deny ip any host 224.0.0.9
permit ip any any
!
interface GigabitEthernet0/1
ip access-group NO-RIP in
!
I don't see right now other options.
Regards,
Antonio Soares
CCIE #18473, CCNP, CCIP
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alex Steer
Sent: Wednesday, September 19, 2007 23:36
To: ccielab@groupstudy.com
Subject: filtering multicast frames
Hi
Has anybody got an idea what I'm doing wrong here please?
mac access-list extended rip
deny any host 0100.5e00.0009
deny any any
interface FastEthernet0/24
switchport access vlan 110
switchport mode access
mac access-group rip in
Seems a simple task to me but I figure I must be missing something vital.
Thanks in advance
Alex
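The two points the thread turns on, as an added worked example (not code from any of the posters or from Cisco): first, the IPv4-multicast-to-Ethernet mapping that produces Alex's 0100.5e00.0009 from 224.0.0.9 (RFC 1112: OUI 01:00:5e plus the low 23 bits of the group), generalised to any group; second, a simplified model of the switch-port lookup Antonio describes, where IP frames are only ever checked against the port's IP ACL and only non-IP frames reach the MAC ACL, so Alex's MAC ACL never sees a RIP packet while the NO-RIP IP ACL does. The frames, MAC addresses and the first-match/implicit-deny dispatch are constructed for the model and are not captured from anyone's lab.

```python
"""Model of the two lookups discussed in the thread: IPv4 multicast group
-> Ethernet MAC, and first-match ACL evaluation on an access port where
IP frames hit the IP ACL and only non-IP frames hit the MAC ACL.
The dispatch is a simplified model for illustration, not vendor code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# An access-control entry: (action, source, destination); "any" is a wildcard.
Ace = Tuple[str, str, str]


def multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112):
    01:00:5e, then a 0 bit, then the low 23 bits of the group address.
    Returned in Cisco dotted format, e.g. 0100.5e00.0009."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E,
              (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ".".join(f"{octets[i]:02x}{octets[i + 1]:02x}" for i in (0, 2, 4))


def acl_match(acl: List[Ace], src: str, dst: str) -> str:
    """First-match evaluation, ending in the implicit deny of an IOS ACL."""
    for action, ace_src, ace_dst in acl:
        if ace_src in ("any", src) and ace_dst in ("any", dst):
            return action
    return "deny"


def filter_frame(frame: Dict[str, object],
                 ip_acl: Optional[List[Ace]],
                 mac_acl: Optional[List[Ace]]) -> str:
    """Decide whether a frame entering an access port is forwarded.
    IP frames (EtherType 0x0800) are checked only against the IP ACL;
    everything else only against the MAC ACL. No ACL of that kind: permit."""
    if frame["ethertype"] == 0x0800:
        if ip_acl is None:
            return "permit"
        return acl_match(ip_acl, str(frame["src_ip"]), str(frame["dst_ip"]))
    if mac_acl is None:
        return "permit"
    return acl_match(mac_acl, str(frame["src_mac"]), str(frame["dst_mac"]))


# Constructed sample frames (hypothetical addresses, not from the thread's lab).
RIP_UPDATE = {"ethertype": 0x0800, "src_mac": "0011.2233.4455",
              "dst_mac": multicast_mac("224.0.0.9"),
              "src_ip": "10.1.1.1", "dst_ip": "224.0.0.9"}
TELNET = {"ethertype": 0x0800, "src_mac": "0011.2233.4455",
          "dst_mac": "0011.2233.6677",
          "src_ip": "10.1.1.1", "dst_ip": "10.1.1.2"}
ARP_REQUEST = {"ethertype": 0x0806, "src_mac": "0011.2233.4455",
               "dst_mac": "ffff.ffff.ffff"}

# The two ACLs as posted in the thread, expressed as entries.
ALEX_MAC_ACL: List[Ace] = [("deny", "any", "0100.5e00.0009"),
                           ("deny", "any", "any")]
NO_RIP_IP_ACL: List[Ace] = [("deny", "any", "224.0.0.9"),
                            ("permit", "any", "any")]


def demo() -> Dict[str, str]:
    """Outcome of each frame under each port ACL in this model."""
    return {
        # IP frame never consulted against the MAC ACL, so RIP still arrives.
        "rip_with_mac_acl_only": filter_frame(RIP_UPDATE, None, ALEX_MAC_ACL),
        # The IP ACL on the switchport drops the RIP update.
        "rip_with_ip_acl": filter_frame(RIP_UPDATE, NO_RIP_IP_ACL, None),
        # Unicast IP traffic falls through to "permit ip any any".
        "telnet_with_ip_acl": filter_frame(TELNET, NO_RIP_IP_ACL, None),
        # Non-IP traffic does reach the MAC ACL, and its "deny any any" drops it.
        "arp_with_mac_acl_only": filter_frame(ARP_REQUEST, None, ALEX_MAC_ACL),
    }


if __name__ == "__main__":
    print("224.0.0.9 ->", multicast_mac("224.0.0.9"))
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The mapping only carries 23 of the 28 significant group bits, so 32 different groups share one MAC; `multicast_mac("224.128.0.9")` returns the same 0100.5e00.0009, which is one more reason a MAC-level match is a coarse tool for this even where it does apply.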
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:14 ART