Re: MAC Filter 3560

From: Chris Grammer <cgrammer_at_essilorusa.com>
Date: Fri, 10 Sep 2010 10:43:20 -0500

Correct.

But, after I built the scenario described in the above email, it is
apparent that a mac access-list will not block IPv4 traffic.
The technicality here is that ARP is not IPv4 traffic, which is why it's
blocked.
Removing ARP from the scenario with a static ARP entry on the routers shows
that a mac access-list will not block IPv4 traffic.

It is also in the Doc CD

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/swacl.html#wp1289037
Creating Named MAC Extended ACLs

You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using
MAC addresses and named MAC extended ACLs. The procedure is similar to that
of configuring other extended named ACLs.

Chris

On Fri, Sep 10, 2010 at 10:37 AM, Adrian Brayton <abrayton_at_gmail.com> wrote:

> Wasn't your initial question as to why you had to shut / no shut an
> interface to get a mac ACL to work and was this normal behavior?
>
> I sorta disagree that a mac ACL doesn't work on IPv4 traffic (With all
> things being default)... In order to get to layer 3, you need to first get
> through layer 2 right?
>
>
> On Sep 10, 2010, at 11:19 AM, Chris Grammer wrote:
>
> > Here is the Test:
> >
> > R1 ---- SW1 ---- R2
> >
> > R1 on port f1/0/1
> > R2 on port f1/0/2
> >
> > SW1 Config:
> >
> > mac access-list extended BLOCK_F1/0/1
> > deny any any
> >
> > interface FastEthernet1/0/1
> > switchport access vlan 40
> > switchport mode access
> > mac access-group BLOCK_F1/0/1 in
> >
> > -----------------------------------------
> >
> >
> > The pings between R1 and R2 were successful prior to applying the mac
> > access-list.
> > I applied the access-list and shut/no shut the interface.
> > Pings from R1 to R2 are failing.
> >
> > The arp table on R1 after the failed ping:
> > Internet 1.1.123.2 0 Incomplete ARPA
> >
> > Statically map the ARP on R1:
> > R1(config)#arp 1.1.123.2 000b.be6d.6f00 arpa
> >
> > R1#ping 1.1.123.2
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 1.1.123.2, timeout is 2 seconds:
> > !!!!!
> > Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> > R1#
> >
> > So indeed, MAC-access list does NOT work on IPv4 traffic, except to block
> > the initial ARP.
> > Kubilay is correct.
> >
> >
> > I did the same test scenario except I used a vlan access-map:
> >
> > mac access-list extended PERMIT_ALL_MACS
> > permit any any
> >
> > vlan access-map VLAN40_MAP 10
> > action drop
> > match mac address PERMIT_ALL_MACS
> > vlan access-map VLAN40_MAP 20
> > action forward
> >
> > vlan filter VLAN40_MAP vlan-list 40
> >
> > The result was the same.
> > Initially the ping will not work.
> > The arp table shows an incomplete arp.
> > Statically map the ARP...on both routers this time.
> > Ping is successful after statically mapping the ARPs.
> >
> >
> > Chris
> >
> > On Fri, Sep 10, 2010 at 7:14 AM, Adrian Brayton <abrayton_at_gmail.com> wrote:
> >
> >> When it comes to VLAN access-maps, they should accomplish what you are
> >> trying to do when you apply them. It's when you make changes, you HAVE to
> >> remove and reapply them.
> >>
> >> It's default behavior.
> >>
> >>
> >> On Sep 10, 2010, at 1:57 AM, Chris Grammer wrote:
> >>
> >>> Thanks for the help!
> >>> And, I will let you know the results of the testing.
> >>>
> >>> Chris
> >>>
> >>> On Thu, Sep 9, 2010 at 11:57 PM, Garth Bryden <hacked.the.planet.on.28.8k.dialup_at_gmail.com> wrote:
> >>>
> >>>> I agree with Kubilay.
> >>>>
> >>>> MAC ACLs will only affect non-IP traffic :-)
> >>>>
> >>>> On Fri, Sep 10, 2010 at 12:45 PM, Kubilay Akgul <kubilayakgul_at_gmail.com> wrote:
> >>>>
> >>>>> Hi Chris,
> >>>>>
> >>>>> As far as I remember, MAC access-lists are only used to filter non-IP
> >>>>> traffic like ARP.
> >>>>> In your example, when you shut the interface, routers will clear their
> >>>>> ARP tables. And when you enable it again and try to create traffic, the
> >>>>> MAC access list will block all new ARP requests. So you thought that
> >>>>> your ACL worked after a shut/no-shut.
> >>>>> But, actually it only blocked the ARP packets. To test it, after shut
> >>>>> and no-shut, create manual ARP entries on routers. They probably start
> >>>>> to communicate again and you will see that your MAC filter is not
> >>>>> working for IP traffic. :)
> >>>>>
> >>>>> Another way of testing can be clearing ARP tables on routers without a
> >>>>> shut/no shut operation. Since MAC ACL will again block the ARP request,
> >>>>> your ACL will again seem to be working (but just because it blocked
> >>>>> arps).
> >>>>>
> >>>>> Please share your result to see if I am right.
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>>
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> >>>>> Chris Grammer
> >>>>> Sent: Thursday, September 09, 2010 14:50
> >>>>> To: Cisco certification
> >>>>> Subject: MAC Filter 3560
> >>>>>
> >>>>> I have run into an interesting issue.
> >>>>>
> >>>>> If I create a MAC filter such as:
> >>>>>
> >>>>> mac access-list extended BLOCK3
> >>>>> deny host 0012.d993.d5c2 any
> >>>>> permit any any
> >>>>>
> >>>>> I apply the access-list to the fa1/0/1 interface of the switch:
> >>>>>
> >>>>> interface FastEthernet1/0/1
> >>>>> switchport access vlan 40
> >>>>> switchport mode access
> >>>>> mac access-group BLOCK3 in
> >>>>>
> >>>>>
> >>>>> The problem is, the access list will not block the MAC address unless I
> >>>>> shut/no shut the interface.
> >>>>> If I apply the MAC access-list to a vlan access-map it exhibits the same
> >>>>> behavior.
> >>>>> If I apply an IP access list to the interface or access-map, the change
> >>>>> is immediate.
> >>>>>
> >>>>> Is this normal behavior for a layer 2 access-list on a switch?
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Chris
> >>>>>
> >>>>>
> >>>>> Blogs and organic groups at http://www.ccie.net
> >>>>>
> >>>>> _______________________________________________________________________
> >>>>> Subscription information may be found at:
> >>>>> http://www.groupstudy.com/list/CCIELab.html

Received on Fri Sep 10 2010 - 10:43:20 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART