Darby,
mac access-list extended ARP_Packet
permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
!--- This blocks communication between hosts with this MAC.
You mean blocks ARP, correct?
On Wed, Sep 2, 2009 at 10:04 AM, Darby Weaver <darby.weaver_at_gmail.com> wrote:
> Examples:
>
> Note: They take control-plane traffic into account implicitly via the
> forward command. "We permit what we want to drop" is the logic employed in
> the MAC ACL; we then permit the other traffic.
>
> mac access-list extended ARP_Packet
> permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
> !--- This blocks communication between hosts with this MAC.
> !
> mac access-list extended ARP_ONE_OUI
> permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
> !--- This blocks any ARP packet that originates from this vendor OUI.
> !
> mac access-list extended ARP_TWO_OUI
> permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
> permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0
> !--- This blocks any ARP packet that originates from these two vendor OUIs.
> !
> vlan access-map block_arp 10
> action drop
> match mac address ARP_Packet
> vlan access-map block_arp 20
> action forward
>
>
> vlan access-map block_one_oui 10
> action drop
> match mac address ARP_ONE_OUI
> vlan access-map block_one_oui 20
> action forward
>
>
> vlan access-map block_two_oui 10
> action drop
> match mac address ARP_TWO_OUI
> vlan access-map block_two_oui 20
> action forward
>
>
> !
> vlan filter block_two_oui vlan-list 2
> !--- This applies the MAC ACL name block_two_oui to VLAN 2.
>
> On Wed, Sep 2, 2009 at 12:50 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>
> > Yes.
> >
> > ARP = Ethertype 0x0806
> > STP = LSAP 0x4242
> > PVST = LSAP 0xAAAA
> >
> > Check out the archives for some more details
> >
> > On Wed, Sep 2, 2009 at 12:33 PM, Molomo <letjedilakopa_at_gmail.com> wrote:
> >
> > > Experts,
> > > When filtering in a VLAN with an access-map using an IP and/or MAC
> > > access-list, do I have to allow ARP and other L2 traffic (e.g.
> > > spanning tree)?
> > > If yes, how do I match ARP and other L2 control traffic?
> > >
> > > Thanks in advance.
> > >
> > > Rgds,
> > > Molomo
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> > --
> > Regards,
> >
> > Joe Astorino - CCIE #24347 R&S
> > Technical Instructor - IPexpert, Inc.
> > Cell: +1.586.212.6107
> > Fax: +1.810.454.0130
> > Mailto: jastorino_at_ipexpert.com
> >
> >
>
>
--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor

Received on Wed Sep 02 2009 - 10:14:26 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART
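The thread's key point is that the access map drops whatever the MAC ACL permits and the next sequence forwards everything else. The following Python simulator is an added example, not code from the thread or from any Cisco tool: it evaluates Darby's ARP_Packet and ARP_TWO_OUI lists against constructed frames, assuming the wildcard-mask convention (a set mask bit means "don't care"), that a sequence without a match clause matches all frames, and that an access map with no matching sequence drops the frame (implicit deny).

```python
# Added example: simulate how a VLAN access-map with MAC ACL match clauses
# (the ARP_Packet / ARP_TWO_OUI examples above) decides drop vs. forward.
# Assumptions: masks are wildcard masks (set bit = don't care), a sequence
# with no match clause matches everything, and an access map with no
# matching sequence drops the frame (implicit deny). Frames are constructed.

def mac_to_int(mac: str) -> int:
    """Dotted-hex MAC such as '0000.861f.3745' to a 48-bit integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)

def wildcard_match(value: int, pattern: int, mask: int) -> bool:
    """True when value equals pattern on every bit that is clear in mask."""
    return (value & ~mask) == (pattern & ~mask)

def host(mac: str):            # 'host x' -> exact match, zero mask
    return mac_to_int(mac), 0
def oui(mac: str):             # vendor prefix, low 24 bits ignored
    return mac_to_int(mac), mac_to_int("0000.00ff.ffff")
ANY_MAC = (0, 0xFFFFFFFFFFFF)  # 'any' -> every bit ignored

# Entries: (src, src_mask, dst, dst_mask, ethertype, ethertype_mask)
MAC_ACLS = {
    "ARP_Packet": [(*host("0000.861f.3745"), *host("0006.5bd8.8c2f"), 0x806, 0x0)],
    "ARP_TWO_OUI": [(*oui("0000.8600.0000"), *ANY_MAC, 0x806, 0x0),
                    (*oui("0006.5b00.0000"), *ANY_MAC, 0x806, 0x0)],
}

# Sequences in order: (action, match clause or None for "match all")
ACCESS_MAPS = {
    "block_arp": [("drop", "ARP_Packet"), ("forward", None)],
    "block_two_oui": [("drop", "ARP_TWO_OUI"), ("forward", None)],
}

def acl_permits(acl: str, src: int, dst: int, ethertype: int) -> bool:
    """First-match evaluation of a MAC ACL; no match is an implicit deny."""
    for s, sm, d, dm, et, etm in MAC_ACLS[acl]:
        if (wildcard_match(src, s, sm) and wildcard_match(dst, d, dm)
                and wildcard_match(ethertype, et, etm)):
            return True
    return False

def vacl_action(map_name: str, src_mac: str, dst_mac: str, ethertype: int) -> str:
    """Walk the access map's sequences in order; return 'drop' or 'forward'."""
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    for action, acl in ACCESS_MAPS[map_name]:
        if acl is None or acl_permits(acl, src, dst, ethertype):
            return action
    return "drop"
```

With block_two_oui, an ARP broadcast (ethertype 0x0806) from a 0000.86xx.xxxx source returns "drop", while an IPv4 frame (0x0800) from the same source returns "forward", which is the control-plane behaviour the thread describes.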