Re: mac access-list

From: Paul Cosgrove (paul.cosgrove@heanet.ie)
Date: Tue Jul 22 2008 - 14:59:56 ART


Hi Jack,

The mac acl will only be used to match non-IP packets, and the IP acl will
match only IP packets. Your configuration will allow non-IP traffic (inc.
ARP) from 1111.1111.1111 but you will not be able to ping anything with
it. It will effectively block all of the 10.1.1.0/24 range without
exception.

You could use port security if you have a known set of ports you need to
apply it to. If not, I would just use your mac filter, but if doing so
you may need to permit the gateway as well as 1111.1111.1111 to allow
return traffic to get back. If they provide the IP of the
1111.1111.1111 host you could also look at ip source guard or ip arp
inspection, again depending on where it needs to be applied.

Paul.

Jack Tsai wrote:
> Please comment on the following:
> (1) at the end of mac access-list extended abc, a "deny any any" is
> implicitly added
> (2) therefore, vlan access-map test 10 will drop everything but the host
> 1111.1111.1111
> (3) vlan access-map test 20 and access-map test 30 will not be executed
>
> Thanks,
> Jack
>
> Jack Tsai wrote:
>> Task: block the entire subnet 10.1.1.0/24 except one host in the
>> subnet with MAC: 1111.1111.1111
>> Is the following configuration all right?
>>
>> (config)#mac access-list extended abc
>> (config-ext-macl)#permit host 1111.1111.1111 any
>>
>> (config)#vlan access-map test 10
>> (config-access-map)#match mac address abc
>> (config-access-map)#action forward
>> (config)#vlan access-map test 20
>> (config-access-map)#match ip address 5
>> (config-access-map)#action drop
>> (config)#vlan access-map test 30
>> (config-access-map)#action forward
>>
>> (config)#access-list 5 permit 10.1.1.0 0.0.0.255
>>
>> Thanks,
>> Jack

-- 
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel:  +353.1.6609040
Web:  http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.
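Added example, not part of this thread: a small Python model of how the posted vlan access-map evaluates a frame under the rules Paul describes (the MAC ACL is consulted only for non-IP frames, the IP ACL only for IP frames, the first matching sequence wins, and a frame matching no sequence is dropped). The frames are constructed sample input and the rule set is an assumption; real platforms differ in how MAC ACLs treat IP traffic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

@dataclass
class Frame:
    src_mac: str
    src_ip: Optional[str] = None   # None means a non-IP frame such as ARP

# Jack's ACLs as posted; both end with an implicit deny (no match)
MAC_ACL_ABC = [("permit", "1111.1111.1111")]
IP_ACL_5 = [("permit", ip_network("10.1.1.0/24"))]

def mac_acl_matches(acl, frame: Frame) -> bool:
    # Assumed rule: a MAC ACL in a VACL only ever matches non-IP frames
    if frame.src_ip is not None:
        return False
    return any(act == "permit" and frame.src_mac == mac for act, mac in acl)

def ip_acl_matches(acl, frame: Frame) -> bool:
    # Assumed rule: an IP ACL in a VACL only ever matches IP packets
    if frame.src_ip is None:
        return False
    src = ip_address(frame.src_ip)
    return any(act == "permit" and src in net for act, net in acl)

# vlan access-map test: (sequence, match predicate or None for "match all", action)
VACL_TEST = [
    (10, lambda f: mac_acl_matches(MAC_ACL_ABC, f), "forward"),
    (20, lambda f: ip_acl_matches(IP_ACL_5, f), "drop"),
    (30, None, "forward"),
]

def vacl_action(vacl, frame: Frame) -> str:
    for _seq, match, action in vacl:
        if match is None or match(frame):
            return action
    return "drop"   # nothing matched: VACL default action is drop

def evaluate_examples() -> dict:
    # Constructed frames: the permitted MAC, another host in 10.1.1.0/24, and a host outside it
    return {
        "arp_from_1111": vacl_action(VACL_TEST, Frame("1111.1111.1111")),
        "ping_from_1111": vacl_action(VACL_TEST, Frame("1111.1111.1111", "10.1.1.5")),
        "ip_from_other_host": vacl_action(VACL_TEST, Frame("2222.2222.2222", "10.1.1.6")),
        "arp_from_other_host": vacl_action(VACL_TEST, Frame("2222.2222.2222")),
        "ip_outside_subnet": vacl_action(VACL_TEST, Frame("3333.3333.3333", "10.1.2.7")),
    }
```

The results reproduce the reply's conclusion: ARP from 1111.1111.1111 is forwarded at sequence 10, but its IP packets fall through to sequence 20 and are dropped like the rest of 10.1.1.0/24.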



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:56 ART