From: Pavel Bykov (slidersv@gmail.com)
Date: Wed Mar 25 2009 - 10:05:48 ART
Haven't tried it on 2950.
The documentation and hardware of 2950 and 3560 are quite different.
But since the original question mentioned vlan maps, and vlan maps are not
supported by 2950, I have not even considered this model before answering.
On Wed, Mar 25, 2009 at 1:56 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> This is not the case on a 2950 running 12.1(22)EA12.
> Same config, flow is caught (and denied).
> So I stand surprised :)
>
> Pavel Bykov @ 25/03/2009 9:49 -0200 dixit:
> > Switches do interpret QinQ as non-ip traffic, so I'm not sure what
> > packet structure is required for MAC access-list to become active.
> > The only thing I can confirm, is that while labbing one (didn't use MAC
> > ACL in production) mock lab from IE, there was a task to restrict a
> > certain flow. So I created a MAC ACL on 3560, and the traffic flowed
> > right through it. Also, in the lab solution this was mentioned.
> >
> > So to elaborate: If you create a MAC access-list, matching some MAC and
> > denying it, and apply this MAC ACL on an interface (not SVI) in MODE
> > ACCESS, the traffic will flow through. This is my lab experience and it
> > was in line with documentation.
> >
> >
> > On Wed, Mar 25, 2009 at 12:18 PM, Carlos G Mendioroz <tron@huapi.ba.ar> wrote:
> >
> > Hmmm, that's not the way I see it.
> >
> > The link says:
> > Use the mac access-list extended global configuration command to
> > create an access list based on MAC addresses for non-IP traffic.
> >
> > which I read as:
> > Given that in non IP traffic you have no way to apply IP based lists,
> > you may use mac based list to do something.
> >
> > But this does by no means imply that it ONLY works on non IP traffic.
> > And in fact it does work on IP traffic at least on a 2950.
> > (Don't have a 3560 to test handy, but it would surprise me if it behaved
> > differently)
> >
> > -Carlos
> >
> >
> >
> > Pavel Bykov @ 24/03/2009 21:47 -0200 dixit:
> > > One of the very important things to consider, is that MAC access-list
> > > applies ONLY to non-ip traffic:
> > >
> > > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/command/reference/cli1.html#wp9666484
> > >
> > >
> > > On Sat, Mar 21, 2009 at 8:24 PM, Raghav Bhargava <raghavbhargava12@gmail.com> wrote:
> > >
> > >> Hi Bhuvanesh,
> > >> MAC Access List are applied for L2 Traffic whereas IP Access-list is applied
> > >> for L3 Traffic. If you have both applied on your switch Mac-Access list
> > >> takes precedence over Ip access list.
> > >>
> > >> regards
> > >> raghav
> > >>
> > >> On Sat, Mar 21, 2009 at 12:49 AM, Bhuvanesh Rajput <ashu2084@gmail.com> wrote:
> > >>> Hi guys,
> > >>>
> > >>> Please throw some light on my doubts.........
> > >>>
> > >>> a>> on the switch, when/where (l2 interface / vlan) can we use mac
> > >>> address-list, ip access-list and vlan map.?
> > >>>
> > >>> b>>can we apply mac access-list , ip access-list and vlan map
> > >>> altogether on a single L2 interface /vlan (svi)?
> > >>>
> > >>> c>>in which direction mac access-list take precedence when ip
> > >>> access-list and vlan map also configured on the interface/vlan.
> > >>>
> > >>> d>> if all three applied on the l2 interface/vlan(svi) then what
> > >>> would be the execution sequence??
> > >>>
> > >>> Cheers!
> > >>> Bhuvanesh
> > >>>
> > >>
> > >> --
> > >> Warm Regards
> > >> Raghav
> >
> > --
> > Carlos G Mendioroz <tron@huapi.ba.ar>
> > LW7 EQI Argentina
> >
> >
> >
> >
> > --
> > Pavel Bykov
> > ----------------
> > Don't forget to help stopping the braindumps, use of which reduces value
> > of your certifications. Sign the petition at http://www.stopbraindumps.com/
>
> --
> Carlos G Mendioroz <tron@huapi.ba.ar> LW7 EQI Argentina
>
--
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value
of your certifications. Sign the petition at http://www.stopbraindumps.com/