Actually, I borrowed the example from the Cisco documentation.
But technically it will block ARP = 0x0806 0x0 between the two hosts based
on the MAC.
On Wed, Sep 2, 2009 at 1:14 PM, Narbik Kocharians <narbikk_at_gmail.com> wrote:
> Darby,
>
> mac access-list extended ARP_Packet
> permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
> !--- This blocks communication between hosts with this MAC.
>
> You mean blocks ARP, correct?
>
> On Wed, Sep 2, 2009 at 10:04 AM, Darby Weaver <darby.weaver_at_gmail.com> wrote:
>
>> Examples:
>>
>> Note: they take control-plane traffic into account implicitly through the
>> forward command. The logic employed in the MAC ACL is that we permit what
>> we want to drop; we permit the other traffic.
>>
>> mac access-list extended ARP_Packet
>> permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
>> !--- This blocks communication between hosts with this MAC.
>> !
>> mac access-list extended ARP_ONE_OUI
>> permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
>> !--- This blocks any ARP packet that originates from this vendor OUI.
>> !
>> mac access-list extended ARP_TWO_OUI
>> permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
>> permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0
>> !--- This blocks any ARP packet that originates from these two vendor
>> OUIs.
>> !
>> vlan access-map block_arp 10
>> action drop
>> match mac address ARP_Packet
>> vlan access-map block_arp 20
>> action forward
>> !
>> vlan access-map block_one_oui 10
>> action drop
>> match mac address ARP_ONE_OUI
>> vlan access-map block_one_oui 20
>> action forward
>> !
>> vlan access-map block_two_oui 10
>> action drop
>> match mac address ARP_TWO_OUI
>> vlan access-map block_two_oui 20
>> action forward
>> !
>> vlan filter block_two_oui vlan-list 2
>> !--- This applies the MAC ACL name block_two_oui to VLAN 2.
>>
>> On Wed, Sep 2, 2009 at 12:50 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>
>> > Yes.
>> >
>> > ARP = Ethertype 0x0806
>> > STP = LSAP 0x4242
>> > PVST = LSAP 0xAAAA
>> >
>> > Check out the archives for some more details
>> >
>> >
>> > On Wed, Sep 2, 2009 at 12:33 PM, Molomo <letjedilakopa_at_gmail.com> wrote:
>> >
>> > > Experts,
>> > > When filtering in a VLAN with an access-map using an IP and/or MAC
>> > > access-list, do I have to allow ARP and other L2 traffic (e.g.
>> > > spanning tree)?
>> > > If yes, how do I match ARP and other L2 control traffic?
>> > >
>> > > Thanks in advance.
>> > >
>> > > Rgds,
>> > > Molomo
>> > >
>> > >
>> > > Blogs and organic groups at http://www.ccie.net
>> > >
>> > > _______________________________________________________________________
>> > > Subscription information may be found at:
>> > > http://www.groupstudy.com/list/CCIELab.html
>> > >
>> >
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino - CCIE #24347 R&S
>> > Technical Instructor - IPexpert, Inc.
>> > Cell: +1.586.212.6107
>> > Fax: +1.810.454.0130
>> > Mailto: jastorino_at_ipexpert.com
>> >
>
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com <http://www.micronicstraining.com/>
> Sr. Technical Instructor
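The thread's MAC ACLs and VLAN access-maps, worked through in Python so the matching logic can be checked offline. This is an added example, not Cisco code and not part of any post above. It assumes the documented Cisco semantics: the mask after a MAC address or EtherType is a wildcard (0 bits must match, 1 bits are don't-care), an ACL ends in an implicit deny, a `match mac address` clause is satisfied only when the ACL permits the frame, and a frame that satisfies no access-map sequence is dropped. The `lsap` keyword is parsed the same way to show how an 802.3/LLC control frame such as an STP BPDU would have to be matched; the sample frames and the `Frame` / `MacAce` / `vacl_action` names are constructed for this example.

```python
"""Match Cisco-style MAC ACLs and VLAN access-maps (VACLs) against sample frames.

Added example for this thread, not Cisco code.  Assumed semantics: masks are
wildcards (0 = must match, 1 = don't care); an ACL ends in an implicit deny and a
'match mac address' clause is satisfied only when the ACL permits the frame; a
frame matching no access-map sequence is dropped.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALL_ONES_48 = (1 << 48) - 1


def parse_mac(dotted: str) -> int:
    """'hhhh.hhhh.hhhh' -> 48-bit integer."""
    return int(dotted.replace(".", ""), 16)


@dataclass(frozen=True)
class Frame:
    src: int
    dst: int
    ethertype: Optional[int] = None  # None for 802.3 length/LLC frames (STP)
    lsap: Optional[int] = None       # DSAP<<8 | SSAP for LLC frames


@dataclass(frozen=True)
class MacAce:
    permit: bool
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    proto_kind: Optional[str] = None  # None, "type" (EtherType) or "lsap"
    proto: int = 0
    proto_mask: int = 0

    def matches(self, f: Frame) -> bool:
        if (f.src ^ self.src) & ~self.src_mask & ALL_ONES_48:  # wildcard compare
            return False
        if (f.dst ^ self.dst) & ~self.dst_mask & ALL_ONES_48:
            return False
        if self.proto_kind is None:
            return True
        value = f.ethertype if self.proto_kind == "type" else f.lsap
        return value is not None and not ((value ^ self.proto) & ~self.proto_mask & 0xFFFF)


def _addr(tok, i):
    """Parse 'any' | 'host X' | 'X MASK' at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ALL_ONES_48, i + 1
    if tok[i] == "host":
        return parse_mac(tok[i + 1]), 0, i + 2
    return parse_mac(tok[i]), parse_mac(tok[i + 1]), i + 2


def parse_ace(line: str) -> MacAce:
    """Parse 'permit|deny <src> <dst> [type mask | lsap value mask]'."""
    tok = line.split()
    src, src_mask, i = _addr(tok, 1)
    dst, dst_mask, i = _addr(tok, i)
    kind, proto, mask = None, 0, 0
    if i < len(tok):
        kind = "lsap" if tok[i] == "lsap" else "type"
        i += 1 if kind == "lsap" else 0
        proto, mask = int(tok[i], 16), int(tok[i + 1], 16)
    return MacAce(tok[0] == "permit", src, src_mask, dst, dst_mask, kind, proto, mask)


def acl_permits(acl: List[MacAce], f: Frame) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    return next((ace.permit for ace in acl if ace.matches(f)), False)


def vacl_action(amap, acls: Dict[str, List[MacAce]], f: Frame) -> str:
    """amap: [(sequence, action, acl name or None)]; the first satisfied clause wins."""
    for _seq, action, acl_name in sorted(amap):
        if acl_name is None or acl_permits(acls[acl_name], f):
            return action
    return "drop"  # no sequence matched


# The ACLs and access-maps quoted in the thread, fed through the parser.
ACLS = {
    "ARP_Packet": [parse_ace("permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0")],
    "ARP_ONE_OUI": [parse_ace("permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0")],
    "ARP_TWO_OUI": [parse_ace("permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0"),
                    parse_ace("permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0")],
}
MAPS = {m: [(10, "drop", acl), (20, "forward", None)] for m, acl in
        [("block_arp", "ARP_Packet"), ("block_one_oui", "ARP_ONE_OUI"),
         ("block_two_oui", "ARP_TWO_OUI")]}

# Constructed sample frames; hosts A and B use the MACs from the thread.
A, B = parse_mac("0000.861f.3745"), parse_mac("0006.5bd8.8c2f")
FRAMES = {
    "arp_A_to_B_unicast": Frame(A, B, ethertype=0x0806),             # e.g. a directed ARP reply
    "arp_A_request_bcast": Frame(A, ALL_ONES_48, ethertype=0x0806),  # ARP requests are broadcast
    "arp_B_to_A_unicast": Frame(B, A, ethertype=0x0806),
    "ip_A_to_B": Frame(A, B, ethertype=0x0800),
    "stp_bpdu_from_A": Frame(A, parse_mac("0180.c200.0000"), lsap=0x4242),
}


def evaluate_all() -> Dict[str, Dict[str, str]]:
    """Action of each access-map for each sample frame."""
    return {m: {n: vacl_action(amap, ACLS, f) for n, f in FRAMES.items()}
            for m, amap in MAPS.items()}
```

Running `evaluate_all()` makes two points that the Cisco comment "blocks communication between hosts with this MAC" glosses over: the `host ... host ...` ACE is one-directional (B's ARP to A is forwarded), and it only catches unicast ARP, since an ARP request is sent to ffff.ffff.ffff and so never matches `host 0006.5bd8.8c2f`. The OUI-based ACLs do catch the broadcast request. An STP BPDU is an LLC frame with no EtherType, so none of the `0x806 0x0` entries can match it and it falls through to the `forward` sequence; matching it explicitly needs an `lsap 0x4242 0x0` entry, as the LSAP values quoted earlier in the thread suggest.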
Received on Wed Sep 02 2009 - 14:12:12 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART