Re: mac access-list

From: mark.chandra@gmail.com
Date: Thu Jan 22 2009 - 02:31:13 ARST

• Next message: shiran guez: "Re: ospf route decision"
• Previous message: Hemant Sharma: "Re: Open-Ended Questions Delivered in Written Format"
• Maybe in reply to: Mark Stephanus Chandra: "mac access-list"
• Next in thread: paul cosgrove: "Re: mac access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi paul,

I just wondering, if the computer don't know the arp yet, it shouldn't send any traffic right ?

But in my case, my pc doesn't have the arp for sure at the beginning, but suddenly can send packet to an ip destonation. Whan I check with arp -a command, it can learn it. So arp request don't get blocked by the switch. How can this happen ?
Sent from my BlackBerry. wireless device from XL GPRS/EDGE/3G network

-----Original Message-----
From: paul cosgrove <paul.cosgrove@gmail.com>

Date: Wed, 21 Jan 2009 19:07:00
To: Mark Stephanus Chandra<mark.chandra@gmail.com>
Subject: Re: mac access-list

Hi Mark,

It will block ARP, but not IP traffic. Once you know the destination's IP
and its ethernet mac (using a cached arp entry or statically), IP packets
can be sent.

Paul.

On Wed, Jan 21, 2009 at 9:08 AM, Mark Stephanus Chandra <
mark.chandra@gmail.com> wrote:

> Guys,
>
>
>
> Continuing discuss about port-security the other day,
>
>
>
> I choose to use Pavel Bykov recommendation to use mac access-list, but what
> a surprise, After I implement this configuration, it's not really works.
>
>
>
> Why I said that "NOT REALLY WORKS". I am using
>
>
>
> Extended MAC access list mark
>
> deny any any
>
>
>
> and configure it on a port fast 0/35
>
> mac access-group executive in
>
>
>
> Why I use deny any, this is to make sure I get my packet block.
>
>
>
> First I plug it, it block my packet but when I release my address and renew
> and obtain an ip address from DHCP. It doesn't block my packet.
>
>
>
> After a while, idle on my laptop, it blocks my packet again.
>
>
>
> Is this a normal behavior of a cisco switch ?
>
>
>
> Regards
>
>
>
> Mark Stephanus Chandra
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net

• Next message: shiran guez: "Re: ospf route decision"
• Previous message: Hemant Sharma: "Re: Open-Ended Questions Delivered in Written Format"
• Maybe in reply to: Mark Stephanus Chandra: "mac access-list"
• Next in thread: paul cosgrove: "Re: mac access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST