Re: mac access-list

From: paul cosgrove (paul.cosgrove@gmail.com)
Date: Thu Jan 22 2009 - 07:31:19 ARST


Hi Mark,

May need a little more information there. Can you show the ARP table
before and after, and the ACL you are using? Shutting down the port is the
best way to clear the ARP cache; clearing it using software may just cause
refresh attempts of the existing entries (using the already learned MAC
addresses).

Obviously, if the destination IP you are pinging is not on the same subnet,
the MAC address which will be used is that of the default gateway, rather
than that of the destination IP.

Paul.
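Paul's reply asks for the ARP table before and after the test and points out that an off-subnet destination resolves the default gateway's MAC rather than the destination's. The following Python script is an added example written for this archive page; it is not from Paul, Mark, or the GroupStudy list. It parses two Windows `arp -a` snapshots (the format Mark's PC would produce), reports which entries appeared between them, and works out whose MAC a ping to a given destination actually needs. The local address, prefix length, gateway, and both snapshots are constructed sample values, not captures from the thread.

```python
"""Added example (not from the thread): diff two `arp -a` snapshots and
check which MAC a ping to a destination would actually use.

Assumptions (mine, not stated in the thread): the snapshots are in the
Windows `arp -a` text format, and the local interface address, prefix
length and default gateway are known.
"""
import ipaddress
import re

# Matches one entry line of Windows `arp -a` output, e.g.
#   192.168.10.1          00-1a-2b-3c-4d-5e     dynamic
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp(text):
    """Return {ip: (mac, type)} from `arp -a` output; header lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def diff_arp(before, after):
    """Entries present in `after` that were absent or different in `before`."""
    return {ip: after[ip] for ip in after if before.get(ip) != after[ip]}


def next_hop(local_ip, prefix_len, gateway, destination):
    """IP whose MAC the host must resolve for `destination`: the destination
    itself if it is on-link, otherwise the default gateway (Paul's point)."""
    net = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    return destination if ipaddress.ip_address(destination) in net else gateway


def explain_ping(local_ip, prefix_len, gateway, destination, before_text, after_text):
    """Summarise what the two snapshots say about a ping to `destination`:
    which address had to be resolved, whether its MAC was already cached
    before the ping, and which entries the ping added."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    hop = next_hop(local_ip, prefix_len, gateway, destination)
    return {
        "resolves": hop,
        "cached_before": before.get(hop),
        "cached_after": after.get(hop),
        "new_entries": diff_arp(before, after),
    }


# Constructed sample snapshots (not real captures from the thread).
BEFORE = """\
Interface: 192.168.10.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-5e     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
AFTER = """\
Interface: 192.168.10.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-5e     dynamic
  192.168.10.77         00-aa-bb-cc-dd-ee     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    # On-link destination: its own MAC had to be learned (new entry after the ping).
    print(explain_ping("192.168.10.50", 24, "192.168.10.1", "192.168.10.77", BEFORE, AFTER))
    # Off-link destination: only the gateway MAC matters, and it was already cached.
    print(explain_ping("192.168.10.50", 24, "192.168.10.1", "10.0.0.9", BEFORE, AFTER))
```

Run it with `arp -a` output saved before and after the ping in place of the constructed snapshots. If `cached_before` is already populated for the address under `resolves`, no ARP exchange was needed for the ping at all, which is the case Paul describes when IP traffic gets through even though ARP is filtered.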

On Thu, Jan 22, 2009 at 4:31 AM, <mark.chandra@gmail.com> wrote:

> Hi paul,
>
> I'm just wondering: if the computer doesn't know the ARP entry yet, it
> shouldn't send any traffic, right?
>
> But in my case, my PC doesn't have the ARP entry for sure at the beginning,
> but suddenly it can send packets to an IP destination. When I check with the
> arp -a command, it has learned it. So the ARP request doesn't get blocked by
> the switch. How can this happen?
>
> Sent from my BlackBerry(R) wireless device from XL GPRS/EDGE/3G network
>
> ------------------------------
> *From*: paul cosgrove
> *Date*: Wed, 21 Jan 2009 19:07:00 +0000
> *To*: Mark Stephanus Chandra<mark.chandra@gmail.com>
> *Subject*: Re: mac access-list
> Hi Mark,
>
> It will block ARP, but not IP traffic. Once you know the destination's IP
> and its Ethernet MAC (using a cached ARP entry or statically), IP packets
> can be sent.
>
> Paul.
>
> On Wed, Jan 21, 2009 at 9:08 AM, Mark Stephanus Chandra <
> mark.chandra@gmail.com> wrote:
>
>> Guys,
>>
>> Continuing the discussion about port-security the other day,
>>
>> I chose to use Pavel Bykov's recommendation to use a mac access-list, but
>> what a surprise: after I implement this configuration, it doesn't really
>> work.
>>
>> Why I said that it "NOT REALLY WORKS": I am using
>>
>> Extended MAC access list mark
>>
>> deny any any
>>
>> and configure it on a port fast 0/35
>>
>> mac access-group executive in
>>
>> Why do I use deny any? This is to make sure I get my packets blocked.
>>
>> First when I plug it in, it blocks my packets, but when I release my
>> address, renew and obtain an IP address from DHCP, it doesn't block my
>> packets.
>>
>> After a while idle on my laptop, it blocks my packets again.
>>
>> Is this normal behavior for a Cisco switch?
>>
>> Regards
>>
>> Mark Stephanus Chandra
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html


This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:39 ARST