Re: switch security

From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Mar 25 2009 - 09:49:29 ART


Switches do interpret QinQ as non-IP traffic, so I'm not sure what packet
structure is required for a MAC access-list to become active.
The only thing I can confirm is that while labbing one mock lab from IE (I
didn't use MAC ACLs in production), there was a task to restrict a certain
flow. So I created a MAC ACL on a 3560, and the traffic flowed right through
it. This was also mentioned in the lab solution.

So to elaborate: If you create a MAC access-list, matching some MAC and
denying it, and apply this MAC ACL on an interface (not SVI) in MODE ACCESS,
the traffic will flow through. This is my lab experience and it was in line
with documentation.

On Wed, Mar 25, 2009 at 12:18 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:

> Hmmm, that's not the way I see it.
>
> The link says:
> Use the mac access-list extended global configuration command to
> create an access list based on MAC addresses for non-IP traffic.
>
> which I read as:
> Given that in non IP traffic you have no way to apply IP based lists,
> you may use mac based list to do something.
>
> But this does by no mean imply that it ONLY works on non IP traffic.
> And in fact it does work on IP traffic at least on a 2950.
> (Don't have a 3560 to test handy, but it would surprise me if it behaved
> differently)
>
> -Carlos
>
>
>
> Pavel Bykov @ 24/03/2009 21:47 -0200 dixit:
> > One of the very important things to consider, is that MAC access-list
> > applies ONLY to non-ip traffic:
> >
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/command/reference/cli1.html#wp9666484
> >
> >
> > On Sat, Mar 21, 2009 at 8:24 PM, Raghav Bhargava <raghavbhargava12@gmail.com> wrote:
> >
> >> Hi Bhuvanesh,
> >> MAC access lists are applied to L2 traffic, whereas IP access lists are
> >> applied to L3 traffic. If you have both applied on your switch, the MAC
> >> access list takes precedence over the IP access list.
> >>
> >> regards
> >> raghav
> >>
> >> On Sat, Mar 21, 2009 at 12:49 AM, Bhuvanesh Rajput <ashu2084@gmail.com> wrote:
> >>> Hi guys,
> >>>
> >>> Please throw some light on my doubts.
> >>>
> >>> a>> On the switch, when/where (L2 interface / VLAN) can we use a MAC
> >>> access-list, an IP access-list and a VLAN map?
> >>>
> >>> b>> Can we apply a MAC access-list, an IP access-list and a VLAN map
> >>> altogether on a single L2 interface / VLAN (SVI)?
> >>>
> >>> c>> In which direction does the MAC access-list take precedence when an
> >>> IP access-list and a VLAN map are also configured on the interface/VLAN?
> >>>
> >>> d>> If all three are applied on the L2 interface / VLAN (SVI), then what
> >>> would be the execution sequence?
> >>>
> >>> Cheers!
> >>> Bhuvanesh
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>
> >> --
> >> Warm Regards
> >> Raghav
> >>
> >
> >
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>

-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/
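As an added illustration (not configuration posted by anyone in this thread), the following Catalyst IOS snippet shows the three filtering points the thread argues about: a MAC ACL applied to a Layer 2 access port, an IP ACL applied to an SVI, and a VLAN access-map that matches on both IP and MAC addresses so that the frame is filtered whether or not the platform treats it as IP traffic. Interface names, the VLAN number and the MAC/IP addresses are placeholders chosen for the example. The show commands at the end are the check to run in the lab before relying on a MAC ACL, since, as the thread shows, the documented behaviour and the observed behaviour can differ by platform.

```cisco
! --- MAC ACL on a Layer 2 access port.
! Per the quoted 3560 documentation this filters non-IP traffic; whether
! it also drops IP traffic is exactly the point in dispute, so test it.
mac access-list extended BLOCK-HOST-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 mac access-group BLOCK-HOST-MAC in
!
! --- IP ACL for Layer 3 traffic entering the SVI (routed traffic only,
! not frames bridged between two ports in the same VLAN).
ip access-list extended BLOCK-HOST-IP
 deny   ip host 10.10.10.50 any
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group BLOCK-HOST-IP in
!
! --- VLAN access-map: applies to every frame bridged or routed in VLAN 10.
! In a match clause the referenced ACL's "permit" means "this matches";
! the action on the map entry decides what happens to the match.
ip access-list extended VACL-IP-MATCH
 permit ip host 10.10.10.50 any
mac access-list extended VACL-MAC-MATCH
 permit host 0000.1111.2222 any
!
vlan access-map FILTER-VLAN10 10
 match ip address VACL-IP-MATCH
 action drop
vlan access-map FILTER-VLAN10 20
 match mac address VACL-MAC-MATCH
 action drop
vlan access-map FILTER-VLAN10 30
 action forward
!
vlan filter FILTER-VLAN10 vlan-list 10
!
! --- Verification: confirm what is really applied, then send test traffic
! (IP and non-IP, e.g. ARP) from the blocked host and check at the receiver.
show mac access-group interface FastEthernet0/1
show ip access-lists BLOCK-HOST-IP
show vlan access-map FILTER-VLAN10
show vlan filter
```

The VLAN access-map is the part worth keeping regardless of how the port-level MAC ACL behaves: because it is evaluated for all traffic in the VLAN, it covers intra-VLAN bridged frames that neither the SVI IP ACL nor (on a platform where MAC ACLs are non-IP only) the port MAC ACL would catch.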

This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:07 ART