Re: MAC Filter 3560

From: Chris Grammer <cgrammer_at_essilorusa.com>
Date: Fri, 10 Sep 2010 10:19:30 -0500

Here is the Test:

R1 ---- SW1 ---- R2

R1 on port f1/0/1
R2 on port f1/0/2

SW1 Config:

mac access-list extended BLOCK_F1/0/1
 deny any any

interface FastEthernet1/0/1
 switchport access vlan 40
 switchport mode access
 mac access-group BLOCK_F1/0/1 in

-----------------------------------------

The pings between R1 and R2 were successful prior to applying the MAC
access-list.
I applied the access-list and shut/no shut the interface.
Pings from R1 to R2 are failing.

The arp table on R1 after the failed ping:
Internet 1.1.123.2 0 Incomplete ARPA

Statically map the ARP on R1:
R1(config)#arp 1.1.123.2 000b.be6d.6f00 arpa

R1#ping 1.1.123.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.123.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#

So indeed, the MAC access-list does NOT work on IPv4 traffic, except to block
the initial ARP.
Kubilay is correct.

I did the same test scenario except I used a VLAN access-map:

mac access-list extended PERMIT_ALL_MACS
 permit any any

vlan access-map VLAN40_MAP 10
 action drop
 match mac address PERMIT_ALL_MACS
vlan access-map VLAN40_MAP 20
 action forward

vlan filter VLAN40_MAP vlan-list 40

The result was the same.
Initially the ping will not work.
The arp table shows an incomplete arp.
Statically map the ARP... on both routers this time.
Ping is successful after statically mapping the ARPs.

Chris

On Fri, Sep 10, 2010 at 7:14 AM, Adrian Brayton <abrayton_at_gmail.com> wrote:

> When it comes to VLAN access-maps, they should accomplish what you are
> trying to do when you apply them. It's when you make changes that you HAVE to
> remove and reapply them.
>
> It's default behavior.
>
>
> On Sep 10, 2010, at 1:57 AM, Chris Grammer wrote:
>
> > Thanks for the help!
> > And, I will let you know the results of the testing.
> >
> > Chris
> >
> > On Thu, Sep 9, 2010 at 11:57 PM, Garth Bryden <hacked.the.planet.on.28.8k.dialup_at_gmail.com> wrote:
> >
> >> I agree with Kubilay.
> >>
> >> MAC ACLs will only affect non-IP traffic :-)
> >>
> >> On Fri, Sep 10, 2010 at 12:45 PM, Kubilay Akgul <kubilayakgul_at_gmail.com> wrote:
> >>
> >>> Hi Chris,
> >>>
> >>> As far as I remember, MAC access-lists are only used to filter non-IP
> >>> traffic like ARP.
> >>> In your example, when you shut the interface, routers will clear their ARP
> >>> tables. And when you enable it again and try to create traffic, the MAC
> >>> access list will block all new ARP requests. So you thought that your ACL
> >>> worked after a shut/no-shut.
> >>> But, actually it only blocked the ARP packets. To test it, after shut and
> >>> no-shut, create manual ARP entries on routers. They will probably start to
> >>> communicate again and you will see that your MAC filter is not working for
> >>> IP traffic. :)
> >>>
> >>> Another way of testing can be clearing ARP tables on routers without a
> >>> shut/no shut operation. Since the MAC ACL will again block the ARP request, your
> >>> ACL will again seem to be working (but just because it blocked ARPs).
> >>>
> >>> Please share your result to see if I am right.
> >>>
> >>> Thanks.
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >>> Chris Grammer
> >>> Sent: Thursday, September 09, 2010 14:50
> >>> To: Cisco certification
> >>> Subject: MAC Filter 3560
> >>>
> >>> I have run into an interesting issue.
> >>>
> >>> If I create a MAC filter such as:
> >>>
> >>> mac access-list extended BLOCK3
> >>> deny host 0012.d993.d5c2 any
> >>> permit any any
> >>>
> >>> I apply the access-list to the fa1/0/1 interface of the switch:
> >>>
> >>> interface FastEthernet1/0/1
> >>> switchport access vlan 40
> >>> switchport mode access
> >>> mac access-group BLOCK3 in
> >>>
> >>>
> >>> The problem is, the access list will not block the MAC address unless I
> >>> shut/no shut the interface.
> >>> If I apply the MAC access-list to a VLAN access-map it exhibits the same
> >>> behavior.
> >>> If I apply an IP access list to the interface or access-map, the change is
> >>> immediate.
> >>>
> >>> Is this normal behavior for a layer 2 access-list on a switch?
> >>>
> >>> Thanks,
> >>>
> >>> Chris
> >>>
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >
>
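Editor's added example (not configuration posted by anyone in the thread): a Catalyst 3560 configuration that puts the three mechanisms side by side for the host Chris wanted to block. The MAC port ACL from the original post is checked only against non-IP frames on this platform, which is why it stops the initial ARP but not the IPv4 packets once ARP is resolved; an IP port ACL on the same interface is what actually filters the host's IPv4 traffic; and a static drop entry in the MAC address table filters the MAC regardless of protocol. The MAC address 0012.d993.d5c2, VLAN 40 and interface fa1/0/1 are taken from the thread; the host's IPv4 address 1.1.123.1 and the ACL name BLOCK3_IP are assumptions.

```text
! Added example; not the configuration from the thread.
! Goal: block the host with MAC 0012.d993.d5c2 on fa1/0/1 (VLAN 40).
! Assumption: that host's IPv4 address is 1.1.123.1 (not stated in the thread).

! 1) MAC port ACL (as in the original post). Applied with "mac access-group",
!    a 3560 checks it only against non-IP frames, so it blocks the host's ARP
!    but not its IPv4 packets once an ARP entry exists on the far side.
mac access-list extended BLOCK3
 deny host 0012.d993.d5c2 any
 permit any any

! 2) IP port ACL: this is what filters the host's IPv4 traffic.
ip access-list extended BLOCK3_IP
 deny ip host 1.1.123.1 any
 permit ip any any

! One IP ACL and one MAC ACL may be applied inbound on the same port.
interface FastEthernet1/0/1
 switchport access vlan 40
 switchport mode access
 ip access-group BLOCK3_IP in
 mac access-group BLOCK3 in

! 3) Protocol-independent alternative: unicast MAC address filtering.
!    Unicast frames with this source or destination MAC in VLAN 40 are
!    dropped whether they carry IP, ARP or anything else, and the change
!    takes effect without a shut/no shut.
mac address-table static 0012.d993.d5c2 vlan 40 drop
```

To verify which layer is doing the filtering, repeat the test from the thread: with only the MAC ACL in place, "show ip arp" on the neighbour shows an Incomplete entry and a static "arp" entry restores the ping; with the IP ACL or the static drop entry in place, the ping keeps failing after the static ARP entry is added.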

Received on Fri Sep 10 2010 - 10:19:30 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART