Re: Vlan access-maps

From: Darby Weaver <darby.weaver_at_gmail.com>
Date: Wed, 2 Sep 2009 13:04:39 -0400

Examples:

Note: They take control-plane traffic into account implicitly via the forward
command. The logic employed in the MAC ACL is that we "permit" what we want to
drop; the other traffic is permitted by the forward clause.

mac access-list extended ARP_Packet
permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
!--- This blocks ARP (EtherType 0x806) sent from the first host MAC to the second.
!
mac access-list extended ARP_ONE_OUI
permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
!--- This blocks any ARP packet that originates from this vendor OUI (0000.86).
!
mac access-list extended ARP_TWO_OUI
permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0
!--- This blocks any ARP packet that originates from these two vendor OUIs.
!
vlan access-map block_arp 10
action drop
match mac address ARP_Packet
vlan access-map block_arp 20
action forward
!--- Sequence 20 has no match clause, so everything not matched above
!--- (including L2 control traffic) is forwarded.

vlan access-map block_one_oui 10
action drop
match mac address ARP_ONE_OUI
vlan access-map block_one_oui 20
action forward

vlan access-map block_two_oui 10
action drop
match mac address ARP_TWO_OUI
vlan access-map block_two_oui 20
action forward

!
vlan filter block_two_oui vlan-list 2
!--- This applies the VLAN access-map block_two_oui to VLAN 2.
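An added example (not from Darby's post or any Cisco tool) that models the MAC ACL wildcard matching and the ordered drop/forward evaluation of the access-maps above, so the effect of the trailing "action forward" sequence can be checked against constructed frames. It assumes Cisco's documented semantics: wildcard bits set mean "don't care", a sequence with no match clause matches everything, and a frame matching no sequence is dropped.

```python
# Added example (not from the thread): a small model of the VLAN access-map
# logic above. A MAC ACL entry is (src, dst, ethertype, ethertype_wildcard);
# src/dst are 'any' or (mac, wildcard), wildcard bits set meaning "don't care".
# An access-map is an ordered list of (action, acl_name); a sequence with no
# match line matches everything, and a frame matching no sequence is dropped.
ARP = 0x806

def mac_to_int(mac):
    return int(mac.replace('.', ''), 16)

def mac_match(value, pattern):
    if pattern == 'any':
        return True
    base, wildcard = pattern
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (value & care) == (mac_to_int(base) & care)

def acl_match(acl, frm):
    src, dst, etype = frm
    for s_pat, d_pat, et, et_wild in acl:
        care = ~et_wild & 0xFFFF
        if mac_match(src, s_pat) and mac_match(dst, d_pat) and (etype & care) == (et & care):
            return True
    return False  # a MAC ACL ends in an implicit deny, i.e. "no match"

def vacl_action(access_map, acls, frm):
    for action, acl_name in access_map:
        if acl_name is None or acl_match(acls[acl_name], frm):
            return action
    return 'drop'  # nothing matched: the VACL drops the frame

def frame(src, dst, etype):
    return (mac_to_int(src), mac_to_int(dst), etype)

# The MAC ACLs and the block_two_oui access-map from the post ('host' = all-zero wildcard).
ACLS = {
    'ARP_Packet': [(('0000.861f.3745', '0000.0000.0000'), ('0006.5bd8.8c2f', '0000.0000.0000'), ARP, 0x0)],
    'ARP_ONE_OUI': [(('0000.8600.0000', '0000.00ff.ffff'), 'any', ARP, 0x0)],
    'ARP_TWO_OUI': [(('0000.8600.0000', '0000.00ff.ffff'), 'any', ARP, 0x0),
                    (('0006.5b00.0000', '0000.00ff.ffff'), 'any', ARP, 0x0)],
}
BLOCK_TWO_OUI = [('drop', 'ARP_TWO_OUI'), ('forward', None)]
BLOCK_TWO_OUI_NO_FORWARD = [('drop', 'ARP_TWO_OUI')]  # sequence 20 left out

if __name__ == '__main__':
    f = frame('00aa.bb11.2233', 'ffff.ffff.ffff', ARP)  # constructed ARP frame from an unrelated OUI
    print(vacl_action(BLOCK_TWO_OUI, ACLS, f), vacl_action(BLOCK_TWO_OUI_NO_FORWARD, ACLS, f))
```

Without the catch-all forward sequence, the same unrelated ARP frame (and any other unmatched frame) is dropped, which is the trap the question in the thread is about.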

On Wed, Sep 2, 2009 at 12:50 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:

> Yes.
>
> ARP = Ethertype 0x0806
> STP = LSAP 0x4242
> PVST = LSAP 0xAAAA
>
> Check out the archives for some more details
>
> On Wed, Sep 2, 2009 at 12:33 PM, Molomo <letjedilakopa_at_gmail.com> wrote:
>
> > Experts,
> > When filtering in a VLAN with an access-map using an IP and/or MAC
> > access-list, do I have to allow ARP and other L2 traffic (e.g.
> > spanning-tree)?
> > If yes, how do I match ARP and other L2 control traffic?
> >
> > Thanks in advance.
> >
> > Rgds,
> > Molomo
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Regards,
>
> Joe Astorino - CCIE #24347 R&S
> Technical Instructor - IPexpert, Inc.
> Cell: +1.586.212.6107
> Fax: +1.810.454.0130
> Mailto: jastorino_at_ipexpert.com
>

Received on Wed Sep 02 2009 - 13:04:39 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART