Re: permiting ARP messages in VLAN ACCES-MAP is necesarry ? from Scott Morris on 2009-07-24 (Ccielab archives 07/2009)

From: Scott Morris <smorris_at_ine.com>
Date: Fri, 24 Jul 2009 22:33:48 -0400

That's correct. But we weren't given specifics there :) So if you are
playing with or denying any mac stuff, then permit arp!

*Scott Morris*, CCIE/x4/ (R&S/ISP-Dial/Security/Service Provider) #4713,

JNCIE-M #153, JNCIS-ER, CISSP, et al.

JNCI-M, JNCI-ER

evil_at_ine.com

Internetwork Expert, Inc.

http://www.InternetworkExpert.com

Toll Free: 877-224-8987

Outside US: 775-826-4344

Knowledge is power.

Power corrupts.

Study hard and be Eeeeviiiil......

andrew wrote:
> I thought and correct me if im wrong here, non ip stuff only gets denied if
> there is a mac access list. So if you just do ip then you don't need to
> allow arp. But if you went any denied appletalk or something with a mac
> access list then you would need to permit arp and depending what is running
> a bunch of other stuff as well.
>
>
> cheers
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Scott Morris
> Sent: Saturday, July 25, 2009 10:08 AM
> To: Rameez Khan
> Cc: Cisco certification
> Subject: Re: permiting ARP messages in VLAN ACCES-MAP is necesarry ?
>
> Keep in mind that your arp timeout is 4 hours on a Cisco switch. So you
> may THINK everything's good.... But try clearing your cache and/or
> rebooting! :)
>
>
>
>
> *Scott Morris*, CCIE/x4/ (R&S/ISP-Dial/Security/Service Provider) #4713,
>
> JNCIE-M #153, JNCIS-ER, CISSP, et al.
>
> JNCI-M, JNCI-ER
>
> evil_at_ine.com
>
>
> Internetwork Expert, Inc.
>
> http://www.InternetworkExpert.com
>
> Toll Free: 877-224-8987
>
> Outside US: 775-826-4344
>
>
> Knowledge is power.
>
> Power corrupts.
>
> Study hard and be Eeeeviiiil......
>
>
>
>
>
> Rameez Khan wrote:
>
>> Hello there
>> I hav a issue regardng vlan access-map, actually i read in IE v4.1 R&s
>> wkrkbuk lab 5 about VLAN-ACCESS MAP tht we need to permit ARP messages
>> whnever we hav to use vlan-access map, otherwise we wld lost reachibilty
>> about particular VLAN after reload or clearing the arp
>> e.g
>>
>> mac access-list extended PERMIT_ARP
>>
>> permit any any 0x806 0x0
>>
>> bt my configuration works fine without it,any sugestion ... ?
>>
>> did we realy need it to do ?
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Fri Jul 24 2009 - 22:33:48 ART

This archive was generated by hypermail 2.2.0 : Sat Aug 01 2009 - 13:10:23 ART